ImgMount

raw image mount

30 replies to this topic

#1 erwan.l

Posted 07 October 2013 - 07:04 PM

File Name: ImgMount
File Submitter: erwan.l
File Submitted: 07 Oct 2013
File Updated: 08 May 2014
File Category: Tools

Hi Gents,

ImgMount is a graphical front end to the Arsenal Driver : An open source virtual SCSI miniport driver.

See here more about this driver.

Credit for this driver goes to Olof.

ImgMount can create a physical disk from a file or from memory or from a sharedmemory proxy.

Regards,
Erwan


#2 wimb

Posted 08 October 2013 - 07:12 AM

Congratulations with ImgMount 1.0 GUI for Arsenal driver and  thanks to Erwan and Olof :cheers:

 

The usual tests are OK. :)

 

Some improvements for ImgMount are possible:

- For Driver Install then in FileSelector limit the filetypes to *.inf

- For Add File Disk then in FileSelector limit the filetypes to supported types e.g. *.vhd  *.img and some more

- For New Add File Disk then create with MBR BootCode and Random DiskSignature and use VhdTool.exe to append sector and convert to VHD

- Add Microsoft VhdTool.exe  (free to install, use, copy and distribute) - http://archive.msdn....oft.com/vhdtool

 

Arsenal_9.png

 

:cheers:



#3 Wonko the Sane

Posted 08 October 2013 - 10:38 AM

- Add Microsoft VhdTool.exe  (free to install, use, copy and distribute) - http://archive.msdn....oft.com/vhdtool

 

You must be joking :w00t:, erwan.l already has the code he used in Clonedisk for that. :whistling:

 

Are you trying to involve erwan.l in the same form of "featuritis" that affects you? :dubbio: :ph34r:

 

 

:cheers:

Wonko



#4 erwan.l

Posted 08 October 2013 - 11:56 AM

Today, the arsenal driver can use monolithic VHD files.

One can also use a devio+sharedmemory proxy to use a wider set of VHD files (dynamic for instance).

 

However, for complete support, best would be to use the native MS virtual disk APIs (starting with Windows 7).

Only downside is that there is no native support from MS on XP.

 

Just added that on my todo list for next version(s) : will be more or less a copy paste from my CloneDisk tool :)

Good thing is that it will also bring ISO support then (only on win 8.x thus).

 

/Erwan



#5 wimb

Posted 08 October 2013 - 12:08 PM

 

Just added that on my todo list for next version(s) : will be more or less a copy paste from my CloneDisk tool :)

Good thing is that it will also bring ISO support then (only on win 8.x thus).

 

 

OK :)



#6 erwan.l

Posted 09 October 2013 - 09:11 AM

version 1.1
 
-For Driver Install then in FileSelector limit the filetypes to *.inf
-For Add File Disk then in FileSelector limit the filetypes to supported types e.g. *.vhd  *.img and some more
-Possibility to use ms virtualdisk api to load (any) vhd
Disks for now are non-permanent: they will be unmounted when the application closes.
 
This version introduces the MS native virtualdisk api. More to come.
I am struggling for now to get a handle to a virtualdisk that my current process did not create and therefore cannot detach it in such case.
Need to dive into the VDS COM interfaces (not so friendly).
 
/erwan


#7 erwan.l

Posted 09 October 2013 - 11:37 AM

version 1.2

-can dump/save a physicaldrive to an image file (useful for memory disk) -> right click on the selected vdisk and go

 

/erwan



#8 erwan.l

Posted 26 April 2014 - 05:16 PM

@Wonko, in another thread/post (can find a link to it), you have mentioned that a command line would be helpful.

 

Should be rather easy but as you know when it comes to "friendlyness" I suck :)

Would you be so kind to define the command line parameters for me? Then I would make it happen.

 

Thx !

Erwan



#9 Wonko the Sane

Posted 26 April 2014 - 05:55 PM

@Wonko, in another thread/post (can find a link to it), you have mentioned that a command line would be helpful.

 

Should be rather easy but as you know when it comes to "friendlyness" I suck :)

Would you be so kind to define the command line parameters for me? Then I would make it happen.

 

Thx !

Erwan

Sure, the thread is this one:

http://reboot.pro/to...-disk-from-ewf/

http://reboot.pro/to...m-ewf/?p=183495

 

My idea was to get the actual command lines the tools by Olof have, set aside the ones involving/requiring the stupid bloat that .NET (and version 4.0 of it) represents, and replicate the SAME commands in a plainer, smaller tool to be used, still with the same syntax as the original Olof's one for those that would use the driver in a more limited (let's say plainer XP or smallish PE 1.x/2.x/3.x/4.x/5.x) to do simpler things.

 

:duff:

Wonko



#10 Blackcrack

Posted 27 April 2014 - 08:06 AM

Cool erwan.l,
thank you !

best regards
Blacky

#11 Wonko the Sane

Posted 27 April 2014 - 01:34 PM

On second thought, and alternatively, it would make sense (if possible at all) to use the same approach the good ol' VDK by Ken Kato has, the idea of "telescopic" commands has always seemed nice to me, reference:

http://reboot.pro/to...rement/?p=79933

 

:duff:

Wonko



#12 erwan.l

Posted 27 April 2014 - 04:08 PM

ImgMountCMD 0.1.

 

Very very early proof of concept.

 

Binary is 50KB, does not need any runtime or dependencies apart from the arsenal driver installed.

 

It does little for now :

 

ImgMountCMD file add path
ImgMountCMD file new path size(MB)
ImgMountCMD file shm name
ImgMountCMD file remove id
ImgMountCMD vm add path
ImgMountCMD vm new size(MB)
ImgMountCMD vm remove id
ImgMountCMD list
ImgMountCMD removall
 
Command line syntax is also not defined yet but just there to test/debug. 
 
On the todo list :
 
-install/start/stop driver (for now it has to be installed and started)
-awealloc support
-vhd support thru virtdisk (not sure since vmount already does it)
 
EDIT1:
Replaced attachment with a URL.
Download HERE.
 
EDIT2:
Below devio examples if you want to play with SharedMemory (SHM) :
devio shm:disk \\.\PhysicalDriveX 0 0
devio shm:disk c:\disk.img 0 0


#13 Wonko the Sane

Posted 27 April 2014 - 04:34 PM

@erwan

Something is "wrong" with the attachment.

It cannot be found.

Please try deleting it and re-adding it. :unsure:

 

:duff:

Wonko



#14 erwan.l

Posted 27 April 2014 - 04:45 PM

@erwan

Something is "wrong" with the attachment.

It cannot be found.

Please try deleting it and re-adding it. :unsure:

 

:duff:

Wonko

 

Just re-uploaded it.

While I was at it, it is a new version :)



#15 erwan.l

Posted 27 April 2014 - 06:52 PM

Version 0.2 (here)

 

Added the driver check/install/remove.

You need devcon.exe next to the binary (just like the ImgMount GUI).

 

Drivers (latest) and DevIO included in the zip file.

 

Only awealloc support missing for now in the console version.

 

ImgMountCMD file add path
ImgMountCMD file new path size(MB)
ImgMountCMD file shm name
ImgMountCMD file remove id
ImgMountCMD vm add path
ImgMountCMD vm new size(MB)
ImgMountCMD vm remove id
ImgMountCMD list
ImgMountCMD removall
ImgMountCMD driver check
ImgMountCMD driver install driver.inf
ImgMountCMD driver remove


#16 erwan.l

Posted 01 May 2014 - 04:27 PM

Version 0.3 here.

 

Added physical memory support (vs virtual memory) thru awealloc.

Awealloc drivers included.

 

Next version will have x32 and x64 support.

 

Syntax :

 

ImgMountCMD file add path
ImgMountCMD file new path size(MB)
ImgMountCMD file shm name
ImgMountCMD file remove id
ImgMountCMD vm add path
ImgMountCMD vm new size(MB)
ImgMountCMD vm remove id
ImgMountCMD pm add path
ImgMountCMD pm new size(MB)
ImgMountCMD pm remove id
ImgMountCMD list
ImgMountCMD removall
ImgMountCMD driver check
ImgMountCMD driver install driver.inf
ImgMountCMD driver remove

#17 erwan.l

Posted 02 May 2014 - 04:00 PM

For information, tested under Winpe 5 X86 (ver 6.3.9600) : works perfect.

 

From driver installation, to mounting/removing a disk, driver removal.

 

Another perfect companion on my WinPE toolset :)



#18 Wonko the Sane

Posted 30 April 2015 - 02:21 PM

Two things, one for fun and one serious:
1) Mark Spencer (the good guy from Arsenal Recon) just announced some work into making the Arsenal driver more "user oriented":
http://www.forensicf...577959/#6577959
so you'd better get ready for the competition. ;)
2) I somehow forgot to mention it here on reboot.pro but by mere chance it came out that MS released the source for devcon.exe:
https://code.msdn.mi...Sample-4e95d71c
and a nice peep over at MSFN (besides providing this piece of news) released also a pre-compiled version:
http://www.msfn.org/...mation-package/

Maybe now is the right time to remove that stupid need/dependency and provide an "all included" package.

:duff:
Wonko

#19 Olof Lagerkvist

Posted 01 May 2015 - 11:57 AM

2) I somehow forgot to mention it here on reboot.pro but by mere chance it came out that MS released the source for devcon.exe:
https://code.msdn.mi...Sample-4e95d71c
and a nice peep over at MSFN (besides providing this piece of news) released also a pre-compiled version:
http://www.msfn.org/...mation-package/

Maybe now is the right time to remove that stupid need/dependency and provide an "all included" package.

 

 

Source code for devcon.exe has been open for at least 10 years, probably more than that, so that's nothing new by itself. The problem with this code is the license terms, or at least was, I don't know if that has changed. If it has recently changed to something more "relaxed", it would indeed be extremely useful for so many projects.



#20 Wonko the Sane

Posted 01 May 2015 - 12:09 PM

The "news" are that seemingly it is now classified "code sample" and it is released under MS LPL 1.1 as quoted in the given thread:
http://www.msfn.org/...e/#entry1091396

Which I am however quoting below:

Spoiler

I don't see any particular limitation :unsure:

 

:duff:

Wonko



#21 Olof Lagerkvist

Posted 01 May 2015 - 12:23 PM

The "news" are that seemingly it is now classified "code sample" and it is released under MS LPL 1.1 as quoted in the given thread:
http://www.msfn.org/...e/#entry1091396

I don't see any particular limitation :unsure:


Not me either, so I agree. This is really good news and I am very happy to see that. Thanks a lot for sharing this piece of developer-frustration-saving information! :thumbsup: :hi:



#22 erwan.l

Posted 01 May 2015 - 01:18 PM

Two things, one for fun and one serious:
1) Mark Spencer (the good guy from Arsenal Recon) just announced some work into making the Arsenal driver more "user oriented":
http://www.forensicf...577959/#6577959
so you'd better get ready for the competition. ;)
2) I somehow forgot to mention it here on reboot.pro but by mere chance it came out that MS released the source for devcon.exe:
https://code.msdn.mi...Sample-4e95d71c
and a nice peep over at MSFN (besides providing this piece of news) released also a pre-compiled version:
http://www.msfn.org/...mation-package/

Maybe now is the right time to remove that stupid need/dependency and provide an "all included" package.

:duff:
Wonko

 

These are both good news !

Thanks for that.

 

One note, on this thread (http://www.forensicf...577959/#6577959) you mention that ImgMount does not have provision for EWF.

Not sure what you mean but ImgMount can use devio+ewf proxy to mount such an image.

Or maybe you meant ImgMount+EWF without the use of a proxy?



#23 Wonko the Sane

Posted 01 May 2015 - 02:08 PM

Not me either, so I agree. This is really good news and I am very happy to see that. Thanks a lot for sharing this piece of developer-frustration-saving information! :thumbsup: :hi:

Of course it will be needed to see if - unlike what is stated on that page (Windows 7 and later only) - it can be compiled for XP use (BUT the compiled sample posted on MSFN seemingly works fine on my XP SP2 and it has a dependency on the "generic" msvcrt.dll).

 

:duff:

Wonko



#24 Wonko the Sane

Posted 01 May 2015 - 02:20 PM

One note, on this thread (http://www.forensicf...577959/#6577959) you mention that ImgMount does not have provision for EWF.

Not sure what you mean but ImgMount can use devio+ewf proxy to mount such an image.

Or maybe you meant ImgMount+EWF without the use of a proxy?

 

I simply meant that when you open the GUI there are options to open (or "add from file"):

  • raw image disk
  • monolithic vhd
  • monolithicflat vmdk
  • Microsoft Virtualdisks

which can be expressed as "though this particular GUI has not - yet - a provision for EWF" and since additionally in the imgmount package there is no devio.exe nor any proxy, and not any of the libs (like libewf), it simply means that the GUI tool is not yet ready "as is" for that.

 

The "theme" was making the Arsenal Image thingy "ready for final users" and your IMGMOUNT tool is a nice step in the right direction :thumbsup: but while entirely possible, as we have seen in the last few days, setting up a devio+proxy is far from being at "common" or "final" user level.

 

:duff:

Wonko



#25 steom

Posted 16 October 2015 - 07:36 AM

Is it possible to mount a remote raw image?

 

something like devio 9000 \\.\physicaldrive0 /argument........ on a remote winpe

and use imgmount to mount the raw image?





