WEBVTT

0:00:02.720000 --> 0:00:06.680000
As you can see, the FTK Imager is already started.

0:00:06.680000 --> 0:00:09.760000
I will be using the menus to navigate in this video, however, you can

0:00:09.760000 --> 0:00:12.760000
also use the fancy buttons on the main bar as they both will lead to the

0:00:12.760000 --> 0:00:17.020000
same result. Let's go to the file then choose Image Mounting.

0:00:17.020000 --> 0:00:20.500000
As you can see, the Mount Image to Drive window will appear.

0:00:20.500000 --> 0:00:23.200000
Let's click the button next to the image file field to select our forensic

0:00:23.200000 --> 0:00:25.040000
image that we want to work on.

0:00:25.040000 --> 0:00:29.120000
Let's select the disk we forensically imaged earlier.

0:00:29.120000 --> 0:00:33.860000
Looking closely at the Mount type options available, there are three options.

0:00:33.860000 --> 0:00:36.780000
I will explain each of them by showing you the result obtained when choosing

0:00:36.780000 --> 0:00:38.240000
each one of them.

0:00:38.240000 --> 0:00:43.820000
First, if you use the physical only option, the FTK Imager will mount

0:00:43.820000 --> 0:00:46.680000
this forensic image as a physical disk.

0:00:46.680000 --> 0:00:49.400000
You will need to use a Windows application that is capable of running

0:00:49.400000 --> 0:00:52.700000
physical name querying to it, as it won't be available to you from the

0:00:52.700000 --> 0:00:54.420000
Windows Explorer.

0:00:54.420000 --> 0:00:57.740000
When we select the Mount button, you will notice that the drive shows

0:00:57.740000 --> 0:01:01.600000
physical drive 3, which is the name of this drive, and is mounted as a

0:01:01.600000 --> 0:01:04.200000
block device with read-only access.

0:01:04.200000 --> 0:01:08.220000
Let's go ahead and dismount the disk by pressing the Unmount button.

0:01:08.220000 --> 0:01:12.400000
Now, let's change our Mount type option to Logical Only and then press

0:01:12.400000 --> 0:01:17.280000
Mount again. As you can see, all five partitions available in this disk

0:01:17.280000 --> 0:01:21.320000
image have been mounted starting with E, up to the drive letter I, because

0:01:21.320000 --> 0:01:23.500000
they are logical partitions.

0:01:23.500000 --> 0:01:27.800000
They have also been mounted as a block device with read-only access.

0:01:27.800000 --> 0:01:30.320000
Let's select them all and unmount them.

0:01:30.320000 --> 0:01:34.900000
Now this time let's choose the physical and logical Mount type, which

0:01:34.900000 --> 0:01:38.400000
will mount the whole disk as a physical image, and each partition as a

0:01:38.400000 --> 0:01:39.840000
logical partition.

0:01:39.840000 --> 0:01:43.540000
I will also change the drive letter to start with M instead of E, as we

0:01:43.540000 --> 0:01:45.020000
did in the previous step.

0:01:45.020000 --> 0:01:49.080000
As you can see, we have our physical disk mounted and all the five partitions

0:01:49.080000 --> 0:01:52.220000
mounted too, starting from the drive letter M.

0:01:52.220000 --> 0:01:54.840000
Let's select them all and unmount them.

0:01:54.840000 --> 0:01:58.440000
This time let's change the drive letter to M but mount all the logical

0:01:58.440000 --> 0:02:02.640000
images. Let's choose logical only, but with a starting drive letter of

0:02:02.640000 --> 0:02:07.980000
M. Now let's go to my computer and check the drives there.

0:02:07.980000 --> 0:02:11.340000
As you can see, we have all five partitions mounted starting from letter

0:02:11.340000 --> 0:02:15.220000
M, up to Q. Let's open one of the devices.

0:02:15.220000 --> 0:02:17.860000
Let's select M and take a look.

0:02:17.860000 --> 0:02:21.300000
As you can see, we managed to access the content of the drive.

0:02:21.300000 --> 0:02:23.440000
Let's remove all the partitions now.

0:02:23.440000 --> 0:02:27.820000
This time I'm going to show you the benefit of adding a password to your

0:02:27.820000 --> 0:02:31.300000
forensic image. Let's go ahead and browse to the location of our forensic

0:02:31.300000 --> 0:02:35.020000
image that we added a password to during the acquisition process.

0:02:35.020000 --> 0:02:40.800000
Let's open the forensic image of the support USB disk we imaged previously

0:02:40.800000 --> 0:02:43.540000
and added a password to.

0:02:43.540000 --> 0:02:47.920000
As you can see, as soon as FTK Imager tries to open the forensic image,

0:02:47.920000 --> 0:02:52.120000
the AFF decryption window is displayed asking us for the password.

0:02:52.120000 --> 0:02:55.800000
Let's add the password and then press OK to continue.

0:02:55.800000 --> 0:03:00.440000
Let's leave the mount type as it is and just change the starting drive

0:03:00.440000 --> 0:03:05.220000
letter to M. As you can see, we have the disk mounted as a physical drive

0:03:05.220000 --> 0:03:10.620000
and the only single partition found within the USB as a logical drive.

0:03:10.620000 --> 0:03:14.260000
Let's explore the content of the partition as we did before.

0:03:14.260000 --> 0:03:18.240000
Here, we have the suspect USB disk mounted and attached to the M drive

0:03:18.240000 --> 0:03:22.320000
letter. You can also see that we can see the contents of the USB as if

0:03:22.320000 --> 0:03:24.060000
it was a true partition.

0:03:24.060000 --> 0:03:27.680000
Let's close the Windows Explorer and unmount both the physical and logical

0:03:27.680000 --> 0:03:34.700000
drives added. This concludes the video lesson on mounting a forensic image

0:03:34.700000 --> 0:03:37.340000
using AccessData FTK Imager.

0:03:37.340000 --> 0:03:41.180000
You should now be able to mount and unmount forensic images using AccessData

0:03:41.180000 --> 0:03:43.360000
FTK Imager.

0:03:43.360000 --> 0:03:44.220000
Thanks for joining us.