This article is a general explanation of why and how forensic experts and first responders could benefit from a tool that provides image data retrieval. The product under review is a first-line tool for data retrieval and image mounting, as you cannot retrieve the data without mounting the images first. Also being able to read this data under any OS, regardless of the original file system format, is of extra value.

A forensic image is a complete copy of a hard drive or other digital media intended for use as evidence. A forensic image usually includes files, unallocated space, slack space, and boot record. Forensic data, such as deleted files, file fragments or any hidden data may be found in slack or unallocated space. If sanitization software is used to completely wipe off any traces of information on a drive, then it is very unlikely that forensic examiners will succeed in retrieving any data.

Another difficulty in retrieving information is that, if you connect the digital media under investigation to a regular operating system (OS), it will be damaged irreversibly. The standard OS configuration activates the device immediately after detection, mounts the file systems and changes its contents without even notifying the user. Windows, for example, may automatically change timestamps in file attributes, create hidden folders in the Recycle Bin, or save configuration data. Therefore, the right technologies for creating forensic images and their subsequent in-depth analyses have to be chosen carefully.

Whether mounting images from hard disk drives or SSDs, they must be imaged in exactly the same way with no difficulty. An image created from an SSD drive will still represent a snapshot of all data at the time of imaging.

Things Image Mounter by Paragon Software Does

Essentially, Image Mounter allows storing, mounting, and verifying integrity of images in various formats.

Current version of Image Mounter by Paragon Software allows you to mount images with the above types as standard block devices (disks) under OS Windows using the "Block Mounter" driver and the Image MGM library that processes image files and provides Read/Write functions for accessing data stored on images. This occurs by means of creating a virtual disk/disk device in a system with full control of the read and write modes. Therefore, the mounted disks are perfectly recognized by standard Windows components and Paragon Software products: APFS for Windows, Linux File Systems for Windows, and HFS+ for Windows.

However, to solve forensic problems, this may not be enough due to the loss of additional information about the file system at the stage of mapping the standard operating system access requests to files and their attributes to the internal functions of the engine for working with UFS file systems. Another most common option where data (evidence) may be hidden or lost are unused places on the disk. These places may be used on mounted block devices by Image Mounter.

To provide complete information about the file system without loss of data on mapping, Paragon Software Group has implemented the following architecture:

Image MGM component provides software Read/Write access to the contents of image files and additional information about images. This module is also responsible for recognizing the forensic metadata and their mapping and checking the integrity of the image. It is successfully used not only in Image Mounter by Paragon Software, but also in Hard Disk Manager (another software tool) when creating backups.

The FDisk library is designed to analyze disk layout and provide information about it and Read/Write access to individual partitions of the disk. This component supports parsing MBR, GPT and standard LVM, including being located on several physical disks. This library has been successfully used in Linux File Systems for Windows by Paragon Software, APFS for Windows by Paragon Software, ReFS for Windows by Paragon Software and Storage SDK products.

UFS is the main component for recognizing file systems, parsing their structure and providing them with data and metadata. This library has a single interface for all supported file systems (APFS, HFS +, EXT2, EXT3, EXT4, BtrFS, XFS, ReFS, NTFS, FAT and others). This interface also provides access to unique features of file systems, for example, the ability to mount the required APFS checkpoint and subvolume, and pass password/passwords when mounting encrypted volumes. This way, you can access user data and internal data of any supported and recognized file system.

GUI and CLI provide the end user with a graphical and console interface for accessing the file system under examination. For example, after mounting a volume in UFS, you can access the serial number of the volume, data about free and occupied clusters, and their sizes. For file system objects such as files and directories, you can access the data and metadata of files.

Mounted and verified forensic images can be used as evidence for investigations. The key feature of Image Mounter is its ability to mount virtual images as if you were really connected to the user's computer. It allows you to get full access to the contents of the disk and connect other non-forensic tools to any other application or the system. This is especially critical when the image contains file systems or other technologies unrecognized by the operating system. For example, Image Mounter could be used in tandem with APFS for Windows and enable full access to APFS volumes on Windows.

File System Link Technology For Cross-Platform Compatibility

Forensic tools are normally developed for working in a particular operating system, like Macintosh Evidence Gathering and Analysis (MEGA) for Mac OSX or Forensic Automated Correlation Engine (FACE) for image analysis of Linux partition.

There is another approach, however. What if volumes or files under investigation are formatted with Apple or Linux operating systems? Integration of Image Mounter with proprietary file system drivers enables smooth high-performance operation with Linux and APFS-formatted drives under Windows OS.

Tandem of File System link drivers and Image Mounter allows forensic experts working on PC to instantly access and write to APFS-, extFS- or even ReFS- formatted hard disk drives, solid-state drives or flash drives directly on Windows PCs. Thus, eliminating the need for separate tools for every OS.

Image Mounter is a tool that enables digital forensic specialists to easily mount disk images and access the acquired images. The tool for mounting forensic images can be used as a standalone software or as a component integrated into more complex data analysis solutions.

Konstantin Chistyakov is the lead software engineer at Paragon Software Group. He graduated in 2009 with honors from Moscow Institute of Electronics and Mathematics and is the author of the study "Oscillating systems of magnetrons of mm wavelength range" (ISBN 978-3-659-74641-3). He currently leads a project on Github OpenTomb.

Andrei Loktev has been a software engineer at Paragon Software since 2013. He graduated from the Moscow Aviation Institute in 2012 with a degree in Management and Informatics in Technical Systems.