Mount As Drive Letter

WinHex & X-Ways

Available in X-Ways Forensics and WinHex Lab Edition. (For evidence file containers with no more than 1,000 objects with any license type for WinHex, even in the evaluation version, free of charge.)

 

Allows you to mount the volume that is represented by the active data window as a Windows drive letter, either entirely (if the command is invoked in the Specialist menu or in the case tree context menu for a whole volume) or partially (if applied to a directory or file with child objects using the directory browser context menu or the case tree context menu). This allows for convenient and quick access to all files with external programs where necessary (without the need to copy the files to your own local drive letter first). This is particularly efficient if you wish to check a whole volume or directory or certain files with a virus scanner. Mounting works for all supported file systems, all supported partitioning methods and all supported image types (in X-Ways Forensics: raw images, .e01, VDI, VMDK, VHD, and of course evidence file containers), even for images within images, and also for partitions of physically attached disks formatted with a file system unknown to Windows. Access to all the files is completely read-only; mounting volumes in images or disk partitions will not change anything in the image or on the disk. To unmount a drive letter, simply invoke the mount command in any of the menus again and click the Cancel button.

 

You can choose to see all existing and optionally all known deleted files from the volume in the drive letter, exactly the same files as known from the very thorough volume snapshot of X-Ways Forensics itself, which depends on whether you have refined it already or not. Optionally, filtered-out files can be omitted from directory listings. Child objects of files (files in files) are optionally exposed as well, presented as files in an artificial directory that has the same name as the parent file, with just a single character appended to render the name unique, as you may know it from the Recover/Copy command. By default, that suffix character is invisible, i.e. a Unicode character with no width, to make the path of the child objects look as original as possible. You may wish to replace that character with something else, e.g. an underscore, for example because you are working with an external program that is not Unicode-capable. To do so, you first need to remove the invisible character from the edit box, for example by pressing the Backspace key, which works even if it does not have any visible effect. After that you can insert any other character.
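Added example (not part of the X-Ways documentation): a small helper that takes a path reported by an external program against the mounted drive letter, such as a virus scanner log entry, and splits it back into parent file and child objects by recognizing the suffix character of the artificial directories. The page does not say which code point is used, so the code assumes any trailing Unicode format character (category Cf) when no suffix is given; the function names, the drive letter X: and the sample paths are constructed for illustration.

```python
import unicodedata


def is_invisible(ch):
    # Category Cf covers zero-width/format characters (assumption: the
    # default suffix belongs to this class; the page names no code point).
    return unicodedata.category(ch) == "Cf"


def strip_suffix(name, suffix=None):
    """Return (name_without_suffix, True) for an artificial child directory."""
    if name:
        last = name[-1]
        if (suffix is None and is_invisible(last)) or last == suffix:
            return name[:-1], True
    return name, False


def resolve(path, suffix=None):
    """Split a mounted-drive path into [parent file path, child, child, ...].

    Pass suffix="_" (or whatever was typed into the edit box) if the
    invisible default was replaced. A visible suffix is ambiguous: a real
    directory whose name ends in that character is split as well.
    """
    chain, current = [], []
    for part in path.split("\\"):
        name, artificial = strip_suffix(part, suffix)
        current.append(name)
        if artificial:            # boundary between a file and its children
            chain.append("\\".join(current))
            current = []
    if current:
        chain.append("\\".join(current))
    return chain


def visible(path):
    """Render invisible characters as <U+XXXX> so log lines can be compared."""
    return "".join(f"<U+{ord(c):04X}>" if is_invisible(c) else c for c in path)


if __name__ == "__main__":
    # Constructed sample: an attachment inside an e-mail inside a mail archive.
    sample = "X:\\Users\\a\\mail.pst\u200b\\msg1.eml\u200b\\invoice.pdf"
    print(visible(sample))
    print(resolve(sample))
```
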

 

Previously existing items are listed optionally, and if listed, they are presented with the "hidden" attribute, so that they can be visually distinguished from existing items even in the Windows Explorer a.k.a. File Explorer. Virtual directories are presented in the same way. (Of course, hidden files are displayed in Windows only if you choose to see them, see Tools | Folder options | View.) Existing files are listed optionally as well (but existing directories mandatorily, as they are potentially needed to navigate to certain previously existing files). Virtual files in a volume snapshot as well as internal files of the file system (e.g. $MFT in NTFS and Catalog in HFS+) are included optionally, and so are original names and locations of files that have been renamed/moved. Special objects like alternate data streams, extracted e-mails, video stills, embedded thumbnails, manual file excerpts, etc. are presented in the mounted drive as ordinary files. File slack is not exposed. Files with identical names in the same directory (e.g. 1 existing, 1 previously existing file, up to 16) are not problematic with mounting. Such files can be opened from within mounted volumes through the drive letter as if they had unique names.

 

This function requires Windows 7 or later, the installation of a driver (which will be started when you use any of the mount commands for the first time) and the Microsoft Visual C++ 2013 Redistributable Package (which is not included in Windows by default and may need to be downloaded). That means that this particular part of X-Ways Forensics is not portable, but it's not a typical function for previews of live systems anyway.

 

Interactivity: Deleting a file in a volume mounted by X-Ways Forensics in Windows of course does not delete the file in the image or on the disk, but under Windows 7 can optionally trigger one of the following actions in the volume snapshot:

1) exclude the file in the volume snapshot

2) mark the file as already viewed, or

3) associate the file with a report table of your choice.

The latter is very useful if you mount the volume in order to check the files for malware with an external virus scanner. Should the virus scanner delete or quarantine any of the files, X-Ways Forensics will notice that and add the file to the specified report table. Note that if you manually move a file off the volume to some other drive letter this will trigger the same action, because that kind of moving is identical to copying followed by deletion. Moving a file within the same volume is not allowed.

Renaming a file in a mounted volume in Windows also renames the file in the volume snapshot. (The original name is preserved and displayed in the directory browser additionally.)