Mount Image Pro™ Version 4 - English
__________________________________
The 
option is used to Mount an image file and display the physical disk and / or partitions as if the physical drive were connected to the local computer. It is an effective and straight forward way of viewing the contents of a forensic image in Windows Explorer or with other tools.
Compatible Image Files / Devices
It is possible to use the "Mount Disk" option only with images of physical drives or partitions. The "Mount Disk" option cannot be used for logical image files (.ad1 or .l01) or physical devices, as summarized in the following table:
|
Image Files and Devices |
|
|
|
Image of Physical Drive |
Yes |
Yes |
|
Image of Logical Drive |
Yes |
Yes |
|
Logical Image File (.ad1, .l01) |
No |
Yes |
|
Physical device (e.g. connected HDD) |
No |
Yes |
Reasons to use "Mount Disk"
The choice between "Mount Disk" and "Mount Filesystem" depends on the objectives of the user. For example, whilst the "Mount Disk" provides straight forward access to image file data it does not give access to deleted files. Similarly, the Mount Filesystem option gives access to deleted files, it does not allow access to the entire physical drive.
The attributes of both methods are summarized in the following table:
|
|
|
|
|
Display deleted files |
No |
Yes |
|
Display unallocated clusters as a file |
No |
Yes |
|
Display Windows system files (MFT, FAT, VBR etc) |
No |
Yes |
|
Existing Windows security settings apply |
Yes |
No |
|
26 image file limit (available drive letters) |
Yes |
No |
|
Access entire physical drive with 3rd party tools |
Yes |
No |
| + Compare the results in Windows Explorer of the same image mounted using "Mount Disk" and "Mount Filesystem". |
Note that it is possible to separately mount the same image file using Mount Disk and Mount Filesystem at the same time.
Recommendations when using "Mount Disk"
When mounting a disk using Windows, existing Windows security permissions inside the image file are applied in the mount. Care must be taken to ensure access to all required data. We suggest:
Always use the Administrator logon to examine a mounted image to ensure that you have maximum file privileges;
Be aware that Windows will apply its exiting security schema to the mounted image. You may need to use your Administrator privileges take control of security permissions;\
Be aware of other Windows utilities such as Symbolic Links which may effect the way data is displayed.
"Mount Disk" using the GUI
Run Mount Image Pro Version 4:
Select the FILE / MOUNT in the top menu of the main program screen, or click the 
button. Note that it is not possible to mount all image types using the "Mount Disk" option (if a logical image file .ad1, .l01 or a physical drive is selected, Mount Disk button will be greyed out);
In the device selection window, click 
to add and select the required image file.
Once the required image is selected, press the button to display the following screen:.
Drive letter:
Drive letter is used to assign a drive letter to the mounted image. "First Available" gives the next available drive letter to the image, for example if drive C:, D: and E: already exist, the image file with be given the next available drive letter F:
Or, a specific drive letter can be selected from the drop down menu.
Mount As
There are three options when using Mount Disk:
1. Mount as "Physical only"
Mounting as "Physical only" mounts all sectors of an image file and makes it available to your PC as a "physical disk", just as if the physical hard drive itself was plugged into your PC.
Only the physical drive is mounted, NOT any valid partitions inside the image.
When is this option used?: This option is usually used when you need to give Physical Drive access to software, such as Recover My Files (www.recovermyfiles.com), but you do not want to add partitions inside the mounted image to your Windows file system.
2. Mount as "Physical and Logical" (Default)
"Mount as Physical and Logical" mounts the physical drive and then mounts any valid partitions inside the image as drive letters. A single "Physical Drive" may contain multiple partitions, e.g. partitions C:, D:, E: and F:.
To allocate the first available drive letter to partitions inside an image, make the "Start drive letter" equal to "First", or you can specify the first drive letter to be used.
When is this option used?: This is the default mounting option where you are provided both access to the physical drive and to all partitions inside the image as a drive letter.
3. Mount as "Physical and Physical as drive letter"
The Mount as "Physical and Physical as drive letter" first mounts the physical drive, and then mounts the physical drive a second time and allocates it a drive letter.
When is this option used?: This options is usually used when you need to give Physical Drive access to software, but the software in use is not capable of directly accessing a physical drive and can work only with drive letters. For example, you may wish to run an MD5 hash on a mounted image using EnCase.
Access Mode
When using the Mount Disk option to mount a logical drive (a partition within the image), it is possible to set the "Access Mode" to either:
Read Only:
The partition is mounted as a read only drive where no changes to the mounted drive letter are possible. For example, if a user attempts to deleted a file on a mounted drive letter the Windows operating system will return a message the at the drive is read only;
Windows Simulates Disk Writes:
Windows caches changes made to the mounted drive. For example, if a user deletes a file in the mounted image, the file is deleted from the mounted drive. Note that it is NOT possible to change the content of the image file. When the image is remounted, all files will be re-displayed.
Command Line Usage:
Mounting read only from the command line is achieved with the /A true or false switch;
mip4 mount image.e01 /A:T (mounts the image read only);
mip4 mount image.e01 /A:F (specifies that the image is not read only and that Windows will simulate disk writes.
The default mount when no switch is used is read only, however to overwrite any conflicting Windows settings, if read only is required, it is better to specify it with the command line switch.
