Announcement

Collapse
No announcement yet.

OFS Mount Encase File Concern

Collapse
X
 
  • Filter
  • Time
  • Show
Clear All
new posts

  • OFS Mount Encase File Concern

    Hi,

    I have two concern with encase file mounting, in my case, I am mounting E01 type file with OFSMount.


    I am having two concern.

    1. Does mounted Image drive accessible or shared to other worker ( i can see default it not shared across network, is there any setting ?)
    2. Can we directly extract encase data files to storage folder? ( i.e if do not want to make drive and extract content to storage location is possible ?)

    Thanks

  • #2
    Hi,

    1) If you mount an E01 image to a drive letter, then any Windows software can access the new drive. If you mount it as a (emulated) physical drive, then it should act like a physical drive in pretty much all respects. Of course for E01 it will be read only however (unless you are using cache files)

    2) If you do not want to mount the E01 to a drive letter, but still want to view the files and extract them from the disk image, then you can use OSForensics and not OSFMount.

    Note: Maybe I don't fully understand your questions,

    Comment


    • #3
      Hi David,

      Thanks for Information.

      On future looking at Point#1.
      Even if I mount E01 Image as a Drive letter, it not accessible to other machine on network, i want to make that drive as shared drive so other machine can access it via UNC location.

      Example:

      Machine 1, Mount Drive is 'D:\'
      Machine 2 need to access it using path like "\\Machine1\D$"


      is there any way to do it?

      Thanks

      Comment


      • #4
        Yes, we tested this today and it works fine.
        You can just share it like any normal physical drive.

        Comment


        • #5
          Hi David,

          Today I have followed below step still facing an issue with shared drive mapping,

          1. Download latest version of OFSMount(osfmount_x64_v2.0.1001)
          2. Install in Machine1.
          3. Map E01 file as Drive from Machine1.(find attached snap for mount reference)
          4, Ones it Mapped, i can not access it from Machine 2.

          can you guide us.


          Click image for larger version

Name:	Ofs_Mount.png
Views:	397
Size:	27.1 KB
ID:	45099


          Thanks

          Comment


          • #6
            Two problems.
            1) You are using an old release of OSFMount. Upgrade to the current release which allows mounting E01 images as emulated physical drives
            2) If you want the drive shared, then you actually need to share it in Windows, like any normal physical drive.


            Click image for larger version

Name:	DriveShare.png
Views:	430
Size:	26.4 KB
ID:	45103

            Comment


            • #7
              Hi David,
              Thanks for Update.

              Now i have downloaded new version and trying to Mount Image as Physical Drive, but getting below error.
              I am able to mount Logical Drive Sucessfully.

              Click image for larger version  Name:	Mount_Disk.png Views:	0 Size:	20.4 KB ID:	45122
              Last edited by Viralp; Jul-29-2019, 06:32 AM.

              Comment


              • #8
                Where is the E01 image? (e.g. on a local internal drive, external USB drive?)
                How big is the E01 file?
                Is it a single E01 file or a split image?
                Did you select the option to mount this as a RAM drive? If so, how much RAM do you have?

                Is there any chance you can make the E01 image available, so that we can test it?

                Also since your last post there was an update to OSFMount.
                https://www.osforensics.com/tools/mo...sk-images.html
                Can you try build v3.0.1005

                Comment


                • #9
                  Hi David,

                  by checking the latest version in a fresh machine, I realized that Physical drive option working in Physical.
                  I had an issue with Virtual Machine.

                  So now concern is if i like to access Logic drive in other network machine, i have to share that drive using Advance setting . right ?
                  There is no option to access logical drive without any window Advace sharing setting.

                  Thanks

                  Comment


                  • #10
                    The virtual drive emulates a physical hard drive. So you share it in the same way as any other physical drive (see my previous post).
                    It is probably possible to do the same thing from the command line in Windows. Something like,

                    net share name_of_share=driveletter:\path

                    Comment


                    • #11
                      Thanks, David for all answer(s) with detail Information.

                      Just last suggestion, it will be better if it mounts an image with share access rights to reduce this manual or command line step.
                      The reason is for product like i use, we wanted to start parallel processing in multiple machine(s), so after mount Image, i need to add additional step for sharing and then after sharing done successfully, i can start actual parallel process in other machines (s)

                      Thanks

                      Comment


                      • #12
                        Processing E01 disk images is slow. Mounting an E01 to an emulated physical drive makes it slower. Then sharing the drive across a network add latency and network bottlenecks. Adding a whole new level of performance degradation.Plus by mounting the drive to a Window drive letter you will have file permission issues to deal with. And finally by access the drive across a network a different protocol is used and you can't do things like look at un-partitioned space on the drive. So it is a pretty rubbish option all round.

                        Your probably going to tell that the source E01 is on a SATA or USB drive as well?

                        Best option is to put the E01 image on a local M2 SSD drive and process it directly in OSForensics (without mounting it as a windows drive). Might be 10x to 20x faster doing this compared to your method.
                        If after a 10x speed increase you still need multiple people need to work on the same image, then copy the E01 to each machine.

                        Comment


                        • #13
                          Thanks, David I can understand your concern.

                          Regarding your suggestion,
                          "Best option is to put the E01 image on a local M2 SSD drive and process it directly in OSForensics (without mounting it as a windows drive). Might be 10x to 20x faster doing this compared to your method"


                          In OSForensics, there are so many options available, which option i can use for this suggested point?

                          Comment


                          • #14
                            In OSF you can just add the E01 image without mounting it to a drive letter. This then by passes windows file permissions, hidden files, etc.. as well.
                            Make sure the E01 file is on a fast local drive for the best performance. (USB drives and network drives are slow compared to a local SSD).

                            OSF add image to the case

                            Comment

                            Working...
                            X