Mount Image Pro™ Version 4 - English
__________________________________
Q. What type of images can I mount?
A. Mount Image Pro supports the following image types:
AccessData (.ad1)
AccessData (.e01)
Advanced Forensic Format (.aff)
Apple Images (.dmg) [New]
EnCase (.e01) - all versions, including compressed and password protected images
EnCase Logical (.l01)
ISO Images (.iso)
Microsoft Virtual PC (.vhd) [New]
RAW (.dd, .raw)
SafeBack2 (.sfb, .001)
SMART (.s01)
VMware (.vmdk)
Q. Is it possible to change the contents of a mounted image?
A. When dealing with forensic computer images, always ensure that you have a secure, verified backup copy.
The content of forensic image files cannot be altered by the mounting process.
Note: A mounted image may appear to have changed due to the Windows cache. For example, it is possible to save a file to a mounted drive. However, when the image is re-mounted, all changes stored in the Windows cache will be lost.
When using the Mount Disk option to mount a logical drive (a partition within the image), it is possible to set the "Access Mode" to either:
Read Only:
The partition is mounted as a read only drive where no changes to the mounted drive letter are possible. For example, if a user attempts to delete a file on a mounted drive letter, the Windows operating system will return a message that the drive is read only.
Windows Simulates Disk Writes:
Windows caches changes made to the mounted drive. For example, if a user deletes a file in the mounted image, the file is deleted from the mounted drive. Note that it is NOT possible to change the content of the image file. When the image is remounted, all files will be re-displayed.
Command Line Usage:
Mounting read only from the command line is controlled with the /A switch, set to true (T) or false (F):
mip4 mount image.e01 /A:T (mounts the image read only);
mip4 mount image.e01 /A:F (specifies that the image is not read only and that Windows will simulate disk writes).
The default mount when no switch is used is read only. However, if read only is required, it is better to specify it with the command line switch so that it overrides any conflicting Windows settings.
Q. Will I be able to see all data inside the mounted image?
A. When using the "Mount Disk" option, access to information inside a mounted image is controlled by Windows. When examining a mounted image you should be logged on to the computer as Administrator. You should also ensure that the necessary folder permissions are set to allow you to see the full contents of each folder. Be aware that the mounted image is being interpreted by Windows. Windows will apply its existing display schema, e.g. hidden files may still be hidden, encrypted files may still be encrypted etc.
When using the "Mount Filesystem" option, display of the data is handled by Mount Image Pro. More data is made accessible, such as deleted files. However, you should still check Windows file attributes, as they are still applied to the mounted image (e.g. hidden files will still be hidden).
Q. How do I show that a mounted image has the same MD5 Hash integrity as the original forensic image file?
A. Use Mount Image Pro to mount the image file. Then preview the mounted drive with EnCase, a Hex editor, or any other tool capable of creating an MD5 hash. Now hash the mounted drive and compare the resulting MD5 hash to the original acquisition hash. They should be identical.
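One way to script this comparison, as an added example that is not GetData's code: stream the mounted source in sector-aligned chunks, compute its MD5 and compare it with the recorded acquisition hash. The path passed in (a raw device or file) is an assumption, and the demo uses a constructed temporary file in place of a mounted drive.

```python
import hashlib
import os
import re
import tempfile

# 1 MiB is a multiple of 512 and 4096 bytes, so reads stay sector-aligned
# when the source is a raw device rather than a regular file.
CHUNK_SIZE = 1024 * 1024


def normalize_md5(text):
    """Accept 'AB CD ..', 'ab:cd:..' or plain hex; return 32 lowercase hex chars."""
    cleaned = re.sub(r"[\s:\-]", "", text).lower()
    if not re.fullmatch(r"[0-9a-f]{32}", cleaned):
        raise ValueError("not an MD5 value: %r" % text)
    return cleaned


def md5_of_source(path, chunk_size=CHUNK_SIZE):
    """Stream a file or device and return (md5_hex, bytes_read)."""
    digest = hashlib.md5()
    total = 0
    with open(path, "rb", buffering=0) as src:  # unbuffered: one read per chunk
        while True:
            block = src.read(chunk_size)
            if not block:
                break
            digest.update(block)
            total += len(block)
    return digest.hexdigest(), total


def verify_against_acquisition(path, acquisition_md5):
    """Compare the hash of the mounted source with the recorded acquisition hash."""
    expected = normalize_md5(acquisition_md5)
    computed, size = md5_of_source(path)
    return {"match": computed == expected, "computed": computed,
            "expected": expected, "bytes_hashed": size}


def demo():
    """Constructed stand-in: a temporary file plays the mounted drive."""
    data = bytes(range(256)) * 8192 + b"tail"         # 2 MiB + 4 bytes, spans chunks
    recorded = hashlib.md5(data).hexdigest().upper()  # hash noted at acquisition
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        tmp.write(data)
    try:
        return verify_against_acquisition(tmp.name, recorded)
    finally:
        os.unlink(tmp.name)
```

Hash at the same level the acquisition hash covers: a whole-disk acquisition hash corresponds to the image mounted as a physical drive, not to the drive letter of one partition inside it. Record bytes_hashed alongside the result so a short read is visible in the case notes.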
Q. My image will not mount, what can I do?
A. Click here for troubleshooting information on mounting an image.
Q. How many images can I mount at one time?
A. Mounting Disk is limited to the number of available drive letters (i.e. maximum 26).
Multiple Filesystems can be mounted under a single drive letter without limitation.
Q. Can mounted images automatically be remounted when I reboot?
A. Yes. In OPTIONS / GENERAL place a tick in the box for "Auto mount after System Reboot".
Q. When I open a mounted drive it says that it needs to be formatted?
A. No partitions were found on the drive, so Windows thinks it is a drive letter that is yet to be formatted. This does not mean that the image is blank. Try a program like Recover My Files (www.recovermyfiles.com) to scan the mounted drive for data.
Q. Can I mount a non-Windows file system like Mac or Linux?
A. Yes. It is possible to mount non-Windows file systems, however you will need to pre-install the appropriate file system driver. Click here for more information.
Q. What is the difference between mounting as a drive letter or as a "physical" drive?
A. Mounting as a drive letter gives access to partitions inside the image. Mounting as a physical drive gives access to the entire physical drive. Click here to learn more.
Q. Can I run third party tools over the mounted image?
A. Yes. This is one of the primary reasons for using Mount Image Pro. You can run tools like:
data recovery programs (e.g. Recover My Files from www.recovermyfiles.com)
virus scanners
spyware programs
steganography programs etc.
Q. Can I boot a mounted image using VMware?
A. Once mounted with Mount Image Pro, an image file can be booted using a third party product called "Virtual Forensic Computing" (VFC). VFC is available for download, trial and purchase at http://www.virtualforensiccomputing.com.
Can you contribute to this FAQ? Please contact support@getdata.com with your suggestion.