Forensic Image Handling

The eCapture installation includes a File Mounting Service (FMS) to support forensic file image handling in Enterprise. When a forensic disk image is encountered inside a discovered data set, the image is automatically mounted to allow for discovery and data extraction. Forensic image files can also be mounted and discovered automatically, directly from the eCapture Controller.

Two third-party applications may be used for mounting forensic image types: OSFMount and Mount Image Pro. The FMS uses OSFMount by default. Mount Image Pro may also be used, but requires purchasing a license separately, as IPRO does not provide one. Only one third-party application may be used at a time.

OSFMount

OSFMount supports the mounting of the following Windows image file formats:

  • Raw Image (.IMG, .DD)

  • Raw CD Image (.ISO, .BIN)

  • Split Raw Image (.00n)

  • Nero Burning ROM Image (.NRG)

  • System Deployment Image (.SDI)

  • Advanced Forensics Format Images* (AFF)

  • Advanced Forensics Format Images w/ meta data* (AFM)

  • Advanced Forensics Format Directories* (AFD)

  • VMWare Image (.VMDK)

  • EnCase EWF (.E01)

  • SMART EWF (.SO!)

  • VHD image (.VHD)

Switching to OSFMount from Mount Image Pro

If you are already on Mount Image Pro and would like to switch to OSFMount instead, it is necessary to manually update a property table in SQL.

  • In SQL, open the Enterprise.ApplicationEnvironmentProperty table in the Enterprise database and set PropertyValue to 2 in the row where ApplicationEnvironmentPropertyNameId is 4. Before the change, PropertyValue holds the Mount Image Pro default value of 1 (as shown in the following figure):

Note: The system now uses OSFMount. To switch back to Mount Image Pro, change PropertyValue from 2 back to 1.
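The switch described above, written as a guarded T-SQL script. This is an added example and not IPRO's own script; it assumes SQL Server, and the quoted literals are used so the comparison works whether PropertyValue is stored as a numeric or a text column (the page does not state its type).

```sql
-- Added example, not IPRO's own script. Assumes SQL Server (T-SQL).
-- Values per the procedure above: 1 = Mount Image Pro, 2 = OSFMount.
-- Quoted literals convert implicitly whether PropertyValue is numeric or text.
USE Enterprise;
GO

-- 1. Record the current setting before changing anything.
SELECT ApplicationEnvironmentPropertyNameId, PropertyValue
FROM   Enterprise.ApplicationEnvironmentProperty
WHERE  ApplicationEnvironmentPropertyNameId = 4;

-- 2. Switch to OSFMount only if the row still holds the Mount Image Pro value,
--    so re-running the script, or meeting an unexpected value, changes nothing.
BEGIN TRANSACTION;

UPDATE Enterprise.ApplicationEnvironmentProperty
SET    PropertyValue = '2'
WHERE  ApplicationEnvironmentPropertyNameId = 4
  AND  PropertyValue = '1';

-- @@ROWCOUNT must be read immediately after the UPDATE.
IF @@ROWCOUNT = 1
BEGIN
    COMMIT TRANSACTION;
    PRINT 'FMS switched to OSFMount (PropertyValue 1 -> 2).';
END
ELSE
BEGIN
    -- Zero rows: already on OSFMount or an unexpected value is present.
    -- More than one row: the table is not in the expected shape.
    -- In both cases leave the table untouched.
    ROLLBACK TRANSACTION;
    PRINT 'No change made: row 4 did not hold the expected value 1.';
END
GO

-- 3. Verify the result. To return to Mount Image Pro, run the same UPDATE
--    with SET PropertyValue = '1' and AND PropertyValue = '2'.
SELECT ApplicationEnvironmentPropertyNameId, PropertyValue
FROM   Enterprise.ApplicationEnvironmentProperty
WHERE  ApplicationEnvironmentPropertyNameId = 4;
```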

Mount Image Pro

To use Mount Image Pro, a license must be purchased separately, as IPRO does not provide one. Mount Image Pro supports the following forensic file image types:

Forensic Category       Description                Extension   Detection Method
----------------------  -------------------------  ----------  ----------------
Access Data             Access Data                .AD1        Bytes
Apple                   Apple Disk Image           .DMG        Bytes
Encase                  Encase File                .E01        Bytes
Encase                  Encase File                .EX01       Extension
Encase                  Encase Logical File        .L01        Bytes
Encase                  Encase Logical File        .LX01       Extension
Encase                  SMART                      .S01        Bytes
Forensic File Format    Advanced Forensic File     .AFF        Bytes
Raw CD Image            ISO Optical Image          .ISO        Bytes
Raw CD Image            Nero Burning ROM           .NRG        Extension
SafeBack                System Deployment Image    .SDI        Extension

Related Topics

Introduction to eCapture