Question: Mounting a Volume (not a disk)

[bridgeythegeek]

Is it possible to use AIM to mount an E01 of a volume (not a disk)?

AIM mounts the E01 successfully but of course Windows sees it as a disk, so tries parsing Sector 0 as an MBR. Because the E01 is in fact of a volume, Sector 0 is a VBR. Consequently, Windows doesn't find an MBR/MPT and so presents the disk as RAW.

I wondered if Windows can be "told" its a volume, rather than a disk. Or whether some kind of fake MBR could be shim'd in order to present an MPT which points to a volume at sector 1?

[LTRData]

It usually helps to emulate a removable disk in cases like these. It will appear pretty much like a USB thumb drive without partition table which is fully supported by Windows.

[bridgeythegeek]

Thank you for the suggestion. I think I did this, by checking the Create "removable" disk device checkbox in the Mount options dialog. Although the Windows 'Disk Management' snap-in now shows "Removable" under the disk identifier, it is still presented as a RAW disk rather than as a volume.

[LTRData]

Oh, I have not seen that problem very often. Usually it helps. Do you mount it as read-only? Could you try write-temporary instead and see if that helps? Sometimes Windows cannot mount an NTFS volume read-only depending on which state the file system was left in. Is it NTFS in this case or some other file system?

[bridgeythegeek]

Good suggestion; it is indeed an NTFS volume. I had mounted it as read-only, but just tried write-temporary - same problem, still RAW.

However, in case it was something weird with my particular E01, I just conducted the following experiment:

1. Using the 'Disk Management' snap-in I created a 1GB VHD file (saved to Desktop).
2. I initialized the mounted VHD with an MBR.
3. I created a Simple Volume to fill the disk, formatted NTFS.
4. I then used FTK Imager to acquire the logical volume to an E01.
5. I could then successfully mount the volume via AIM (Create "removable" disk device unchecked and read-only selected).

So this suggests AIM and Windows are behaving as expected and there's something peculiar about the E01 (even though XWF and FTK Imager seem quite happy with parsing it).

Thanks for your assistance though! If I can figure out the problem I shall report it here in case others suffer it 👍

[LTRData]

Yes it's usually better and more compatible with OS features to emulate a full disk like Arsenal Image Mounter does, but there are certainly some rare cases where it turns out to be the other way around.

Thanks for your feedback!

[bridgeythegeek]

In case it's useful, I ended up writing a (corporate) blog post about this problem and how I solved it.