WEBVTT

0:00:09.560000 --> 0:00:12.100000
Well, we talk about examining evidence.

0:00:12.100000 --> 0:00:18.300000
Sometimes one of the things that we like to do is to mount the image, and

0:00:18.300000 --> 0:00:23.420000
it allows us to kind of produce the file system sometimes, kind of get

0:00:23.420000 --> 0:00:27.920000
a feel for what's going on and just look through and see how the structure

0:00:27.920000 --> 0:00:30.620000
of the disk is and how things are organized.

0:00:30.620000 --> 0:00:35.260000
This can be really useful for getting acquainted with everything and how

0:00:35.260000 --> 0:00:37.380000
the user used the system.

0:00:37.380000 --> 0:00:40.620000
Just keep in mind that your images should always be mounted in read-only

0:00:40.620000 --> 0:00:44.020000
mode to ensure that no alterations are made to the image.

0:00:44.020000 --> 0:00:47.260000
And this is kind of where the EWF format will help you, because no matter

0:00:47.260000 --> 0:00:51.100000
what you do to it, even if it's mounted in Linux or in Windows, it's always

0:00:51.100000 --> 0:00:52.080000
going to be read-only.

0:00:52.080000 --> 0:00:53.720000
You cannot commit any changes.

0:00:53.720000 --> 0:00:58.920000
However, if you were to mount a DD file or a raw file or an IMG file in

0:00:58.920000 --> 0:01:02.960000
Linux or Windows without having that partition marked as read-only, I'm

0:01:02.960000 --> 0:01:09.660000
sorry, without having that image mounting process done as read-only, then

0:01:09.660000 --> 0:01:17.300000
you stand the chance of having that data significantly altered.

0:01:17.300000 --> 0:01:26.520000
And I do want to say one thing about mounting images to look through them.

0:01:26.520000 --> 0:01:31.700000
Make sure you're authorized to do that, and make sure that something like

0:01:31.700000 --> 0:01:33.960000
that is covered in the scope of work.

0:01:33.960000 --> 0:01:39.660000
If you're only authorized to, say, search for keyword terms or search for

0:01:39.660000 --> 0:01:43.760000
certain things, or even search only certain folders on a file, make sure

0:01:43.760000 --> 0:01:48.880000
you stay with and respect that scope of work, because, again, you don't

0:01:48.880000 --> 0:01:52.280000
want to go outside of your scope and you don't want to invalidate all

0:01:52.280000 --> 0:01:54.740000
the hard work that's been done.

0:01:54.740000 --> 0:01:59.380000
So, how to mount images.

0:01:59.380000 --> 0:02:03.160000
The techniques for mounting images vary from system to system, but

0:02:03.160000 --> 0:02:07.720000
just know that you can mount images to Linux and you can mount images

0:02:07.720000 --> 0:02:15.000000
to Windows. We have built-in CLI commands for Linux, and then within Windows

0:02:15.000000 --> 0:02:20.600000
there's Autopsy and FTK Imager, and they have a little function that you

0:02:20.600000 --> 0:02:24.040000
can click, usually in the menu items, that will mount the image.

0:02:24.040000 --> 0:02:30.060000
Just ensure that you do that, and just make sure that you've saved

0:02:30.060000 --> 0:02:33.460000
all your work before you do that, because sometimes when you mount these

0:02:33.460000 --> 0:02:37.700000
images on Windows you can experience some type of catastrophic system

0:02:37.700000 --> 0:02:43.840000
issue. I've seen it before, and it happens too often not to worry about.

0:02:43.840000 --> 0:02:48.500000
And then, last but not least, the EWF mount tool is an open source tool

0:02:48.500000 --> 0:02:51.780000
that works in Linux, and it will help you mount these Expert Witness read-only

0:02:51.780000 --> 0:02:53.960000
files to Linux.

0:02:53.960000 --> 0:02:58.280000
And that is really the best way to go when you're talking about mounting

0:02:58.280000 --> 0:03:01.240000
and viewing file structures.

0:03:01.240000 --> 0:03:01.820000
Thanks for watching!