Symbolic Links

In Windows Vista Microsoft introduced the ability to create "symbolic links". Whilst not commonly used, symbolic links can have important implications when mounting forensic evidence files.

What are symbolic links?

A symbolic link is a text string that the operating system interprets and follows as a path to another file or directory. The link stores only that path, so where it leads depends on the machine that follows it. For instance, if you wanted to make the folder C:\Users\Graham\Documents available as F:\TestFolder as well, you could use the following command:

C:\>mklink /D F:\TestFolder C:\Users\Graham\Documents
symbolic link created for F:\TestFolder <<===>> C:\Users\Graham\Documents

How is a symbolic link created?

The command to create a symbolic link is mklink, which is run from the command line. Type it with no arguments to see the options. Note that the command prompt must be run as administrator, because the "Create symbolic links" privilege (SeCreateSymbolicLinkPrivilege) is granted only to administrators by default. In Windows 7, right-click cmd.exe and select "Run as administrator".


Why are there implications for symbolic links when mounting forensic image files?

Consider an investigation in which a forensic image is taken of a suspect's hard drive on which symbolic links are used. The image is mounted with Mount Image Pro on the forensic analysis machine as drive F:\. A symbolic link in the suspect's data, F:\Important-Files, points to C:\Users\Guest\. The link stores that path as text, and when Windows on the analysis machine follows it, C:\ is the analysis machine's own system drive, not the suspect's. If the folder C:\Users\Guest\ exists on the forensic machine, its contents will appear within the mounted F:\ drive among the suspect's other files, so the examiner's own data can be mistaken for evidence.
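The following PowerShell script is an added example and is not part of the original article or of Mount Image Pro. It walks a mounted evidence drive, reports every reparse point (symbolic link, junction or mount point) without descending into it, and flags links whose stored target is an absolute path on another drive letter, such as C:\Users\Guest\ above, which Windows on the analysis machine would resolve against its own disk. The mount letter F:\ is assumed from the text; the function and parameter names are the example's own.

```powershell
# Added example, not from the original article or from Mount Image Pro.
# Walks a mounted evidence drive, reports every reparse point (symbolic link,
# junction, mount point) and flags those whose stored target points outside
# the mount, i.e. onto the analysis machine. Assumes the image is mounted
# as F:\ as in the text; pass -Mount to change that.
param(
    [string]$Mount = 'F:\'
)

function Get-EvidenceLinks {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$MountDrive   # e.g. "F:"
    )

    # Listing is deliberately non-recursive: a recursive Get-ChildItem in
    # Windows PowerShell 5.1 follows directory links, which is exactly the
    # behaviour that would pull the analysis machine's folders into the walk.
    $items = Get-ChildItem -LiteralPath $Path -Force -ErrorAction SilentlyContinue
    foreach ($item in $items) {
        $isReparse = ($item.Attributes -band [IO.FileAttributes]::ReparsePoint) -ne 0
        if (-not $isReparse) {
            if ($item.PSIsContainer) {
                Get-EvidenceLinks -Path $item.FullName -MountDrive $MountDrive
            }
            continue
        }

        # .Target is string[] in Windows PowerShell 5.1 and string in PowerShell 7.
        foreach ($rawTarget in @($item.Target)) {
            if (-not $rawTarget) { continue }
            # Junction targets may carry an NT-style \??\ or \\?\ prefix; strip it
            # so the drive letter can be read.
            $target = $rawTarget -replace '^\\(\?\?|\\\?)\\', ''
            $isAbsolute = [IO.Path]::IsPathRooted($target)
            $targetDrive = if ($isAbsolute) { [IO.Path]::GetPathRoot($target).TrimEnd('\') } else { $MountDrive }
            $leavesMount = $isAbsolute -and ($targetDrive -ne $MountDrive)
            # If the stored target exists on THIS machine, Explorer will show
            # the examiner's own files inside the evidence tree.
            $resolvesLocally = $leavesMount -and (Test-Path -LiteralPath $target)

            [pscustomobject]@{
                Link            = $item.FullName
                LinkType        = $item.LinkType
                Target          = $rawTarget
                LeavesMount     = $leavesMount
                ResolvesLocally = $resolvesLocally
            }
        }
        # The reparse point itself is never descended into.
    }
}

$mountDrive = [IO.Path]::GetPathRoot($Mount).TrimEnd('\')
$report = Get-EvidenceLinks -Path $Mount -MountDrive $mountDrive
$report | Format-Table -AutoSize
if ($report | Where-Object ResolvesLocally) {
    Write-Warning 'Some links resolve onto this machine: use a mount mode that does not follow symbolic links before examining the evidence.'
}
```

Run it from an elevated prompt on the analysis machine after mounting the image and before browsing the drive. Relative link targets stay inside the mount and are reported but not flagged; any row with ResolvesLocally set to True is a place where the examiner's own files would be displayed as evidence.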

How can such implications be avoided?

Mount Image Pro v4 has the option to "Mount Filesystem" using the Mount Image Pro v4 Filesystem driver. This driver does not rely on Windows to interpret the file system when displaying files, so symbolic links are not followed and Windows permissions on the evidence files are ignored.