Lately, I've been doing some work that's required me to mount images as read-only file systems. Some of the images have been dd-format images of drives, some have been EWF/EnCase .E0x files. Instead of using WinVDK or Mount Image Pro, however, I've been using SmartMount from ASRData. I can mount the drive image, regardless of the format, and test tools such as RegRipper/rip.exe to see how they behave (and they behave very well!)
Ever since I started using SmartMount (in beta, now in eval mode), I've used it primarily to mount images as read-only file systems on Windows...nothing spectacular, just mount the image, do some testing, and unmount the images. My first impression was that it was smoother and quicker than Mount Image Pro. Reviewing the web page for SmartMount, I see that Andy's got a number of features that are to be standard for both the Windows and Linux versions of SmartMount. When SmartMount goes final, we can expect to see a more fully featured toolset than what's available out there now.
One thing I would like to see is a freeware version for Windows with a limited feature set...say, mount .vmdk, .E0x, and dd-format images as read-only drive letters on your system. None of the fancy stuff, like the layering of write protection and overlay files, etc. Free, or lower cost, so that it's easily available to a wide range of folks. The reason for this, in part, is so that the usefulness of this capability can be fully recognized.
I think that Ken Kato's VDK may fit the bill, except for E0x images. Free at http://chitchat.at.infoseek.co.jp/vmware/vdk.html. There's also a VDK driver that someone ported to 64. Last I checked, Andy was working toward that capability. MIP works fine on 32/64/XP/Vista. You also can use VMware's development kit to mount vmdk and vmdks created from dd and E0x images. http://www.vmware.com/download/sdk/virtualdisk.html.
The key here is that this is evaluation software and it is clear that it will eventually be sold. That is great if you love having dedicated support. However, there are open solutions out there. VDK is one great option. A second would be using a Linux system as a VMware appliance to mount images (E01, AFF, raw) using libewf, ntfs-3g, and the AFF format. To examine the mounted image, easily sharing it out on the network via CIFS (SMB) would be a simple, yet effective solution.
libewf: https://www.uitwisselplatform.nl/projects/libewf/
aff: http://www.afflib.org/
ntfs-3g: http://www.ntfs-3g.org/
VDK is a great freeware choice, which is why I blogged on it and linked to it. I've used it a number of times, and so far, aside from SmartMount, it's the only free, Windows-based solution out there.
Rob's idea of using Linux is a great one, too, and is what he does with SIFT.
Right, Rob? ;-)