Hello,
I am having problems creating a forensic image of external WD 2 and 3 TB HDDs using the Forensic Falcon and TD1.
Outside the enclosure via SATA write blocker no partitions/volumes can be read.
Inside the enclosure via USB write blocker partitions/volumes are visible.
Creating an E01 compressed image of the HDD outside the enclosure succeeds with the Falcon.
However, when I load up the image using FTK Imager or Encase it displays as an "unrecognized file system".
Anyone else experience this?
Creating an E01 compressed image of the HDD outside the enclosure succeeds with the TD1.
However, when I load up the image using FTK Imager or Encase it says it can't load the image or evidence.
Anyone else experience this?
Presently imaging the 3 TB HDD inside the enclosure via USB cable using the Falcon.
I am having problems creating a forensic image of external WD 2 and 3 TB HDDs using the Forensic Falcon and TD1.
Outside the enclosure via SATA write blocker no partitions/volumes can be read.
Inside the enclosure via USB write blocker partitions/volumes are visible.
It is possible that the disk enclosure "translates" the sector size of the hard disk, if it is an AF drive of the 512e kind.
These disks are internally using 4096 bytes/sector, but they use an internal translation to expose to the OS "normal" 512 bytes/sector.
A USB bridge may decide that the "right" size is 4096 and expose this latter.
Check the first few posts here
http//
And check also these (possibly *somehow* connected)
http://www.forensicfocus.com/Forums/viewtopic/t=11431/
http://www.forensicfocus.com/Forums/viewtopic/t=11901/
jaclaz
Some WD drives (e.g. My Passport) use a USB interface that is an encryption module.
This is easy to see as the raw data on the drive will be encrypted one line (0x10) bytes at a time. Look with a hex viewer. You should see where there is data, and blanks will be a repeating pattern of data. Data will be 'random' data.
The simple solution is to read via the USB interface.
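The hex-viewer check described in the post above, written as a script (an added example, not part of the original post): it finds the most common 16-byte block in a raw dump and reports whether the "blank" areas are plain fill or a repeating non-trivial block. The sample buffers, the `filler` helper and the 5% threshold are constructed for illustration.

```python
import hashlib
from collections import Counter

BLOCK = 0x10  # one hex-viewer "line", the unit described in the post

def dominant_block(raw: bytes):
    """Return (most common 16-byte block, its share of all blocks)."""
    if len(raw) < BLOCK:
        raise ValueError("need at least one 16-byte block")
    blocks = [raw[i:i + BLOCK] for i in range(0, len(raw) - BLOCK + 1, BLOCK)]
    block, count = Counter(blocks).most_common(1)[0]
    return block, count / len(blocks)

def classify(raw: bytes, min_share: float = 0.05) -> str:
    block, share = dominant_block(raw)
    if share < min_share:
        return "inconclusive"    # no blank areas in this sample
    if len(set(block)) == 1:
        return "plain-fill"      # blanks are 00.. or FF..: not encrypted
    return "encrypted-like"      # blanks are a repeating non-trivial block

def filler(n: int, seed: bytes) -> bytes:
    """Constructed stand-in for random-looking data (deterministic)."""
    out, counter = b"", 0
    while len(out) < n:
        out += hashlib.sha256(seed + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:n]

# Constructed samples, not taken from a real drive.
BLANK_CT = filler(BLOCK, b"blank")  # stand-in for an encrypted all-zero block
SAMPLE_ENCRYPTED = filler(2048, b"data") + BLANK_CT * 128
SAMPLE_PLAIN = filler(2048, b"data") + bytes(2048)
SAMPLE_DATA_ONLY = filler(4096, b"data")

if __name__ == "__main__":
    for name, raw in [("encrypted", SAMPLE_ENCRYPTED),
                      ("plain", SAMPLE_PLAIN),
                      ("data only", SAMPLE_DATA_ONLY)]:
        print(name, "->", classify(raw))
```

This is a heuristic: a file that legitimately repeats a 16-byte pattern will also be reported as "encrypted-like", so sample several regions of the dump.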
Thanks guys for the responses and I apologize for the late response.
I was able to create an image using the Logicube Forensic Falcon via the USB interface, E01 max compression to another 3 TB HDD.
Now I have to make another working copy, because the first one I made failed to hash out.
These big HDDs are killing me.
Imaging these large drives is kinda like the Rotisserie ads I used to see on TV. Set it and forget it. LOL
I too am having the same issue described with a Western Digital MyBook 1140 3TB external hard drive with USB 3.0. (I can view the contents manually but imaging is unsuccessful). Initially, I made an image using Tableau write-blocking bridge via the USB interface, which resulted in an E01 image with an unrecognized file system through FTK Imager.
Like mentioned above, this hard drive is being read in 4096 byte sectors by Windows, so I created another E01 image using write-blocking software from ACES, hoping the Tableau hardware was causing the problem, but got the same result.
The odd thing in my opinion here is that when hashed out, the image matches the hard drive.
I do not have access to Logicube Forensic Falcon, but do have Tableau TD3. I tried TD3 but it encounters errors and fails as well.
Any additional information on this issue that might be of help?
If it is an external drive and you image it without using the enclosure, the data doesn't show up right; image through the enclosure, don't take the hard drive out and image.
Sorry, on phone so can't type long response.
I have left it in the enclosure for both of my attempted E01 images, due to the encryption module mentioned above.
We need to draw a line *somewhere*. 😯
An "unrecognized filesystem in FTK imager" may mean BOTH "an unrecognized filesystem because the image is NOT a valid image (or it is encrypted or it is corrupted)" or "an unrecognized image because FTK imager fails to recognize it (because of different sector size or for *any* other reason connected to FTK imager)".
Extract the MBR and the PBR(s), are they valid or not?
Try using alternate software to mount the image or inspect its RAW contents, as an example you may want to try mounting it with the OSForensics driver (cannot say if it supports 4096 bytes sectors though).
http//
jaclaz
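One way to run the MBR/PBR validity check suggested above while also testing the 512 versus 4096 bytes/sector question raised earlier in the thread (an added example, not code from any poster): it validates the MBR, then looks for each partition's boot sector at the start LBA under both sector sizes. The function names and the sample image are constructed; a real raw image would be opened with `open(path, "rb")`.

```python
import io
import struct

SIG = b"\x55\xaa"  # boot signature at offset 510 of an MBR or PBR

def parse_mbr(sector0: bytes):
    """Return [(index, type, start_lba, sectors)] or None if the MBR is not valid."""
    if len(sector0) < 512 or sector0[510:512] != SIG:
        return None
    entries = []
    for i in range(4):
        status, ptype, lba, count = struct.unpack_from("<B3xB3xII", sector0, 446 + 16 * i)
        if status not in (0x00, 0x80):
            return None  # garbage in the table, e.g. encrypted or corrupted data
        if ptype != 0:
            entries.append((i, ptype, lba, count))
    return entries

def pbr_sector_size(img, lba: int):
    """Sector size under which the PBR at `lba` carries 55 AA, else None."""
    for size in (512, 4096):
        img.seek(lba * size + 510)
        if img.read(2) == SIG:
            return size
    return None

def check_image(img):
    """Map partition index -> sector size that yields a valid PBR (None = no PBR found)."""
    img.seek(0)
    entries = parse_mbr(img.read(512))
    if entries is None:
        return None
    return {i: pbr_sector_size(img, lba) for i, _type, lba, _count in entries}

def build_sample(sector_size: int, start_lba: int = 256):
    """Constructed raw image: one type-0x07 partition, PBR placed per `sector_size`."""
    img = bytearray(start_lba * sector_size + 512)
    struct.pack_into("<B3xB3xII", img, 446, 0x00, 0x07, start_lba, 2048)
    img[510:512] = SIG
    pbr_off = start_lba * sector_size
    img[pbr_off + 3:pbr_off + 11] = b"NTFS    "
    img[pbr_off + 510:pbr_off + 512] = SIG
    return io.BytesIO(bytes(img))

if __name__ == "__main__":
    print(check_image(build_sample(4096)))          # PBR found only with 4096-byte sectors
    print(check_image(build_sample(512)))
    print(check_image(io.BytesIO(b"\x11" * 4096)))  # no valid MBR
```

A result of `None` for the whole image means the MBR itself failed validation, which is what an encrypted or corrupted first sector produces.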
To clarify, the MBR is not valid, neither on the live drive itself nor the E01 image (which I would expect). Due to this, mounting the image will not allow me to view its contents as Windows wants to format the hard drive.
My confusion begins when FTK Imager reads the orphaned contents of the live drive perfectly fine, but is unable to read a verified image of the same drive.
I'll create a RAW image of the drive over the course of today and see if that works any differently, but I would still like to have an understanding of what's going on with the E01.
Update: The hex of the E01 image shows it is encrypted line by line. I completed a RAW image and this works fine and is processing through FTK now, so everything is good and my evidence is intact.
If anyone has any idea why an E01 image would react this way and a RAW image would not I'd appreciate the input, as I'd still like to have a better understanding of what happened.