WEBVTT

0:00:03.360000 --> 0:00:07.420000
First, let's mount the forensic image using Arsenal Image Mounter by starting

0:00:07.420000 --> 0:00:09.140000
the application.

0:00:09.140000 --> 0:00:13.680000
Now, let's go to the Mount Image button below.

0:00:13.680000 --> 0:00:18.240000
This leads us to the Open Image dialog box, so let's choose the image

0:00:18.240000 --> 0:00:20.120000
we want to open.

0:00:20.120000 --> 0:00:22.540000
Now we have the Mount Options window.

0:00:22.540000 --> 0:00:26.320000
We want to mount this image as read-only, so let's leave this as is,

0:00:26.320000 --> 0:00:32.160000
as well as sector size of 512.

0:00:32.160000 --> 0:00:35.460000
Now, let's press OK to proceed.

0:00:35.460000 --> 0:00:38.560000
Our forensic image is now mounted and the Windows Explorer immediately

0:00:38.560000 --> 0:00:40.100000
opens it for us.

0:00:40.100000 --> 0:00:43.540000
We can now start browsing the content of the drive, as if it was a partition

0:00:43.540000 --> 0:00:45.500000
attached to our machine.

0:00:45.500000 --> 0:00:48.940000
But the good part is that it is read-only, so none of our actions will

0:00:48.940000 --> 0:00:50.120000
affect this work.

0:00:50.120000 --> 0:00:54.120000
If we try to make any changes to the content of the disk, we won't be

0:00:54.120000 --> 0:00:58.660000
able to. Checking the manual PDF file, we will find there are no delete

0:00:58.660000 --> 0:01:01.640000
or rename options in the menu shown.

0:01:01.640000 --> 0:01:04.380000
Also, let's try to copy and paste.

0:01:04.380000 --> 0:01:07.820000
As you see, we didn't succeed because the forensic image, disk, is mounted

0:01:07.820000 --> 0:01:11.460000
as read-only. The error shows that the disk has some write protection

0:01:11.460000 --> 0:01:14.180000
on it. Let's cancel that.

0:01:14.180000 --> 0:01:17.780000
Now, let's check the contents of the directories.

0:01:17.780000 --> 0:01:20.140000
Let's go to directory 1.

0:01:20.140000 --> 0:01:22.360000
Here we see that there are some text files.

0:01:22.360000 --> 0:01:25.980000
Let's open one of them and explore the options available to us.

0:01:25.980000 --> 0:01:29.380000
If we try to add anything to the file and press control plus S to save

0:01:29.380000 --> 0:01:32.220000
the written data, we get an error message saying that the disk cannot

0:01:32.220000 --> 0:01:35.120000
be written to because it is write protected.

0:01:35.120000 --> 0:01:38.320000
It also says that if we want to write to the disk, we have to remove the

0:01:38.320000 --> 0:01:41.020000
write protection, which we don't want to do.

0:01:41.020000 --> 0:01:45.060000
Now, if we press continue and ignore the message, we get another error

0:01:45.060000 --> 0:01:49.720000
message. If we press OK, it takes us to a dialog window that enables us

0:01:49.720000 --> 0:01:51.880000
to save our changes to somewhere else.

0:01:51.880000 --> 0:01:55.080000
Let's ignore everything and move on.

0:01:55.080000 --> 0:01:57.700000
Now let's remove the forensic image.

0:01:57.700000 --> 0:02:00.900000
Let's go back to the main window of the Arsenal Image Mounter.

0:02:00.900000 --> 0:02:04.560000
Select the mounted image and then either press the remove selected button

0:02:04.560000 --> 0:02:06.880000
or the remove all button.

0:02:06.880000 --> 0:02:10.360000
Let's select the remove all to remove the mounted image.

0:02:10.360000 --> 0:02:12.700000
That's all with Arsenal Image Mounter.

0:02:12.700000 --> 0:02:15.800000
Let's now move on to another useful image mounting tool.

0:02:15.800000 --> 0:02:18.900000
This time, we'll use the OSFMount tool.

0:02:18.900000 --> 0:02:20.160000
So let's start it.

0:02:20.160000 --> 0:02:24.700000
As you can see, it also has a very simple interface with a few buttons.

0:02:24.700000 --> 0:02:27.720000
You can check the menus to see what capabilities are found.

0:02:27.720000 --> 0:02:32.240000
Now, let's press the mount new button on the main window.

0:02:32.240000 --> 0:02:35.340000
This will lead to the OSFMount drive window.

0:02:35.340000 --> 0:02:38.620000
To mount our evidence, let's press this button at the end of the image

0:02:38.620000 --> 0:02:41.840000
file field so we can select the image of our interest.

0:02:41.840000 --> 0:02:45.300000
As you can see, we have a dialog box that will help us locate and select

0:02:45.300000 --> 0:02:46.420000
our forensic image.

0:02:46.420000 --> 0:02:50.860000
Let's open the disk image we created earlier and press the open button.

0:02:50.860000 --> 0:02:54.780000
After selecting the forensic image of choice, OSFMount displays all the

0:02:54.780000 --> 0:02:58.340000
available partitions, their size and what type they are.

0:02:58.340000 --> 0:03:02.460000
Also, the first selected option is to use the entire image file.

0:03:02.460000 --> 0:03:05.820000
We can choose to either mount a single partition or go ahead and choose

0:03:05.820000 --> 0:03:07.580000
the entire image file.

0:03:07.580000 --> 0:03:11.300000
Let's select the entire image file and click OK to proceed.

0:03:11.300000 --> 0:03:15.500000
If we check the volume option section, we see that there is a radio button

0:03:15.500000 --> 0:03:18.640000
for either mounting a specified partition or mounting all the available

0:03:18.640000 --> 0:03:22.720000
partitions. Let's click on the text select, which is highlighted in blue

0:03:22.720000 --> 0:03:24.740000
as if it is a URL.

0:03:24.740000 --> 0:03:28.200000
This will take us back to the previous menu for selecting an image or

0:03:28.200000 --> 0:03:29.740000
specific partition.

0:03:29.740000 --> 0:03:33.600000
Let's close this menu and go back to the previous window.

0:03:33.600000 --> 0:03:36.380000
Here, let's choose the mount all partitions option.

0:03:36.380000 --> 0:03:40.380000
And then, if you notice in the mount option section, I'm going to select

0:03:40.380000 --> 0:03:43.340000
the drive letter to start mounting the partitions.

0:03:43.340000 --> 0:03:46.620000
To ensure that we don't have any other drive mounted up to this letter,

0:03:46.620000 --> 0:03:48.480000
let's select the drive letter M.

0:03:48.480000 --> 0:03:52.340000
Also, what this means is that your first partition in the forensic image

0:03:52.340000 --> 0:03:55.680000
will be mounted and accessible through the drive M, and the next will

0:03:55.680000 --> 0:04:01.800000
be N and so on. Let's leave the drive type as HDD, and then the read only

0:04:01.800000 --> 0:04:05.680000
drive option selected because this is actually what we want.

0:04:05.680000 --> 0:04:08.920000
Remember, we don't want to ruin our evidence.

0:04:08.920000 --> 0:04:12.440000
We will not be selecting the mount as removable media here.

0:04:12.440000 --> 0:04:15.360000
We'll proceed by clicking the OK button.

0:04:15.360000 --> 0:04:21.180000
Now, we have all five partitions mounted starting from M to Q.

0:04:21.180000 --> 0:04:25.020000
To open a partition's content in Windows Explorer, simply double-click

0:04:25.020000 --> 0:04:27.960000
any of the drives in the OSFMount application.

0:04:27.960000 --> 0:04:31.780000
Again, this will allow us to explore the content of the image as if we

0:04:31.780000 --> 0:04:35.020000
were just browsing through the contents of the drive, but with write protection

0:04:35.020000 --> 0:04:37.960000
to it, so changes can't be done.

0:04:37.960000 --> 0:04:41.100000
This is what we want to preserve the evidence.

0:04:41.100000 --> 0:04:45.000000
Let's do a quick test to make sure that there won't be any write options.

0:04:45.000000 --> 0:04:48.640000
Let's open this partition and try to copy the manual PDF file to the directory

0:04:48.640000 --> 0:04:50.820000
named directory 2.

0:04:50.820000 --> 0:04:53.760000
As you can see, we got an error message saying that the disk is write

0:04:53.760000 --> 0:04:57.260000
protected, and this operation will not be done.

0:04:57.260000 --> 0:05:00.620000
It's the same message we received when we tested the Arsenal Image Mounter

0:05:00.620000 --> 0:05:02.320000
application.

0:05:02.320000 --> 0:05:06.300000
Let's do another test, this time by going to the directory directory 1

0:05:06.300000 --> 0:05:09.900000
and then opening one of the text files and modifying it.

0:05:09.900000 --> 0:05:16.620000
We get the same error message again that this disk is write protected.

0:05:16.620000 --> 0:05:19.800000
We can either choose to save your changes to somewhere else or cancel

0:05:19.800000 --> 0:05:21.300000
the changes done.

0:05:21.300000 --> 0:05:31.580000
Let's do that. If we go to My Computer to check the mounted partitions,

0:05:31.580000 --> 0:05:36.100000
we see the first partition is mounted as M, the second is N, and so on,

0:05:36.100000 --> 0:05:38.400000
up to the fifth which is Q.

0:05:38.400000 --> 0:05:42.280000
Now, if we want to unmount any of the partitions that are currently mounted,

0:05:42.280000 --> 0:05:45.160000
all we need to do is select the partition we no longer want to work with

0:05:45.160000 --> 0:05:47.880000
and press the dismount button.

0:05:47.880000 --> 0:05:52.340000
Let's go ahead and unmount all of them, but without closing the application.

0:05:52.340000 --> 0:05:55.560000
Let's select each one of them and press the dismount button.

0:05:55.560000 --> 0:06:04.040000
Now, we no longer have any partitions mounted.

0:06:04.040000 --> 0:06:07.140000
Let's go ahead and press the mount new button to mount a new forensic

0:06:07.140000 --> 0:06:11.720000
image. This time, let's select a single partition that we forensically

0:06:11.720000 --> 0:06:16.020000
imaged.
After selecting the image for the partition of interest, and if

0:06:16.020000 --> 0:06:19.580000
we check the volume options, we can see that the Mount All Partitions

0:06:19.580000 --> 0:06:21.440000
radio button is disabled.

0:06:21.440000 --> 0:06:25.020000
This is because OSFMount managed to identify that this is a partition

0:06:25.020000 --> 0:06:28.340000
we are mounting and not a full disk.

0:06:28.340000 --> 0:06:31.520000
Let's change the drive letter to something other than E and then click

0:06:31.520000 --> 0:06:36.800000
OK. Like before, we see an entry for the partition we just mounted in

0:06:36.800000 --> 0:06:38.620000
the main window of the application.

0:06:38.620000 --> 0:06:42.160000
Double-clicking on the entry will open Windows Explorer so we can

0:06:42.160000 --> 0:06:44.320000
browse the content of the partition.

0:06:44.320000 --> 0:06:48.640000
If we go to My Computer, we see the partition mounted and attached to

0:06:48.640000 --> 0:06:50.260000
the drive letter L.

0:06:50.260000 --> 0:06:52.660000
Let's go ahead and mount another forensic image.

0:06:52.660000 --> 0:06:56.500000
This time, let's mount the forensic image of the USB we created.

0:06:56.500000 --> 0:06:59.000000
Let's select the AFD file this time.

0:06:59.000000 --> 0:07:03.700000
Remember, this type of image is the Advanced Forensic Format, or AFF for

0:07:03.700000 --> 0:07:07.940000
short. Here we have the option to either select the entire image or the

0:07:07.940000 --> 0:07:10.680000
only available partition to be mounted.

0:07:10.680000 --> 0:07:13.820000
Let's select the partition and click OK.

0:07:13.820000 --> 0:07:16.440000
Let's change the drive letter here too.

0:07:16.440000 --> 0:07:19.760000
As I mentioned before, this is just to make sure that we don't mount and

0:07:19.760000 --> 0:07:22.960000
attach a partition to an already used drive letter.

0:07:22.960000 --> 0:07:25.660000
There are a few things I want you to notice here.

0:07:25.660000 --> 0:07:28.380000
One is the image file offset.

0:07:28.380000 --> 0:07:31.740000
This is where this selected partition starts in the image file.

0:07:31.740000 --> 0:07:37.520000
Also, the drive size shows how much in bytes, blocks, kilobytes, megabytes,

0:07:37.520000 --> 0:07:39.720000
or gigabytes this partition is.

0:07:39.720000 --> 0:07:43.600000
We're not going to change the drive type here, but as you can see, the

0:07:43.600000 --> 0:07:47.740000
other options are for a floppy and a CD or DVD drive.

0:07:47.740000 --> 0:07:51.240000
Before we click OK to mount the forensic image, here it says Advanced

0:07:51.240000 --> 0:07:55.660000
Forensic Format Split, AFD Image, which proves that this is a forensic

0:07:55.660000 --> 0:07:57.660000
image of the AFF type.

0:07:57.660000 --> 0:08:01.080000
Let's go ahead and click OK.

0:08:01.080000 --> 0:08:04.340000
After mounting the image, let's go ahead and check it out.

0:08:04.340000 --> 0:08:06.980000
Let's try to modify a file again.

0:08:06.980000 --> 0:08:17.280000
As you can see, we are not able to do that to the next file we found,

0:08:17.280000 --> 0:08:19.220000
and it's the same reason as before.

0:08:19.220000 --> 0:08:25.960000
The disk is write protected.

0:08:25.960000 --> 0:08:29.900000
Also, if you notice there is no way we can add a new folder to the disk,

0:08:29.900000 --> 0:08:32.120000
the Creation button for that is disabled.

0:08:32.120000 --> 0:08:38.020000
Let's close the Windows Explorer and dismount this disk.

0:08:38.020000 --> 0:08:43.720000
As we saw previously, we can either select a disk or a partition and then

0:08:43.720000 --> 0:08:47.940000
select dismount, or like I'm going to do now, press the dismount all and

0:08:47.940000 --> 0:08:52.400000
exit button. The notification window will let us know that the image will

0:08:52.400000 --> 0:08:56.600000
be dismounted, and if there is any unsaved data, we will lose it.

0:08:56.600000 --> 0:09:00.700000
Since we didn't make any changes, nor are we able to do that, let's continue

0:09:00.700000 --> 0:09:03.580000
by clicking Yes.

0:09:03.580000 --> 0:09:08.580000
This concludes the video lesson on mounting a forensic image using Arsenal

0:09:08.580000 --> 0:09:11.140000
Image Mounter and OSFMount.

0:09:11.140000 --> 0:09:14.480000
You should now be able to mount a forensic image using both Arsenal Image

0:09:14.480000 --> 0:09:16.760000
Mounter and OSFMount.

0:09:16.760000 --> 0:09:18.540000
Thanks for joining us.