Introduction

One option for processing files from an imaged file system is to mount and process them using a mounting tool. However, there are two drawbacks to this methodology which a user should be aware of:

FTK Imager is a free tool from AccessData® which has an option to mount an image. It can also bypass file / folder permissions and does not have the junction point issue many other mounting tools have.

FTK Imager

FTK Imager is a data preview and imaging tool that lets you quickly assess electronic evidence. It can also create copies (forensic images) of computer data without making changes to the original evidence. Version 3 of FTK Imager includes an image mounting option allowing forensic images to be mounted as a drive or physical device, for read-only viewing. This action opens the image as a drive and allows you to browse the content in Windows and other applications.

Mounting an Image

Run FTK Imager and select File » Image Mounting. Make sure that one of the options you select includes Logical. You must ensure that the mount method is "File System / Read Only". If you do not select this option, you will have permission and junction point issues when processing the files and folders.

 

Click the Mount button to mount the image. In this case, we have selected to mount each of the logical volumes found in the image as drive letters.

Importing from a Mounted Volume

Once the volume has been mounted, launch NetAnalysis®, create a new case and select the folder to start searching/importing from (File » Import » Data From Folder). In this case, we have selected the root folder. This will search through every folder/file on the partition for supported file types and then import any that are identified.
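
A check that can be run against the mounted drive letter before starting the import, to see whether the mount exposes either of the problems mentioned above. This is an added example, not part of the original article or of FTK Imager or NetAnalysis; the function names and the mount point passed on the command line are assumptions. It walks the volume without following links and lists reparse points (junctions, symlinks) and folders that cannot be read.

```python
import os
import stat
import sys

def is_reparse_point(path):
    """True for an NTFS reparse point (junction, symlink) or a POSIX symlink."""
    st = os.lstat(path)
    attrs = getattr(st, "st_file_attributes", 0)  # populated on Windows only
    return bool(attrs & stat.FILE_ATTRIBUTE_REPARSE_POINT) or stat.S_ISLNK(st.st_mode)

def survey_mount(root):
    """Walk root without following links.

    Returns (reparse_points, unreadable, file_count).
    """
    reparse, unreadable, files = [], [], 0
    stack = [root]
    while stack:
        current = stack.pop()
        try:
            entries = list(os.scandir(current))
        except OSError as exc:  # includes PermissionError (access denied)
            unreadable.append((current, exc.strerror))
            continue
        for entry in entries:
            try:
                if is_reparse_point(entry.path):
                    reparse.append(entry.path)  # record it, never descend
                elif entry.is_dir(follow_symlinks=False):
                    stack.append(entry.path)
                else:
                    files += 1
            except OSError as exc:
                unreadable.append((entry.path, exc.strerror))
    return sorted(reparse), sorted(unreadable), files

if __name__ == "__main__":
    # Assumption: the first argument is the drive letter assigned to the mounted image.
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    reparse, unreadable, files = survey_mount(root)
    print(f"{files} files reachable under {root}")
    for path in reparse:
        print(f"REPARSE POINT  {path}")
    for path, reason in unreadable:
        print(f"UNREADABLE     {path}  ({reason})")
```

Any UNREADABLE line means files under that folder will be missed by a folder import, and a REPARSE POINT line marks a location where a tool that follows links could process the same data twice or loop.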