Tableau EnCase Acquisition problem

(@pixff)
Topic starter

So, a little background first.

I work at an IT security firm that currently doesn't handle forensic cases, but a senior colleague and I have been tasked with handling a case from a customer. The reason I was one of the people assigned to the case is that I took some forensic classes when I studied for my BSc, and I do some work in my spare time, mostly with Volatility, as well as trying out a few challenges here and there.

To the problem.

The company has an old Tableau TD1 and EnCase 6 that we used to duplicate an external 1 TB USB drive after removing the case, using FAT32 and splitting the clone into several E01 files. We duplicated the disk to an ordinary 3 TB data disk which, when put in an HDD bay and connected to my W8 laptop, was not recognized: the laptop failed to recognize the filesystem and refused to let me access the disk. I tried acquiring the physical disk through EnCase. This works, but it just gave me access to the disk clone's file structure (including the E01 files), not the disk that was cloned. Is this possible in any way?

Well, after trying back and forth for a while with no progress, we connected the HDD bay to my colleague's Mac, and it actually found the filesystem; we copied all the E01 files to another USB drive and finally to my laptop with EnCase on it.

After this we fired up EnCase and dragged the first E01 file into EnCase. Now the file is visible as an image in EnCase named IMAGE, but I can't seem to access the file structure.

So my question is: where have I gone wrong, and why can't I access the file system? Was it because I just copied the E01 files from the disk clone, or could it be something else?

I have previous experience working in EnCase, but in all the cases I've done I've just been handed, or downloaded, an image to work with.

Sorry for all the spelling and formatting mistakes, as I'm currently on my phone.

Any help and input appreciated.

 
Posted : 15/08/2014 1:18 am
(@athulin)

The company has an old Tableau TD1 and EnCase 6 that we used to duplicate an external 1 TB USB drive after removing the case, using FAT32 and splitting the clone into several E01 files. We duplicated the disk to an ordinary 3 TB data disk which, when put in an HDD bay and connected to my W8 laptop, was not recognized: the laptop failed to recognize the filesystem and refused to let me access the disk. I tried acquiring the physical disk through EnCase. This works, but it just gave me access to the disk clone's file structure (including the E01 files), not the disk that was cloned. Is this possible in any way?

Let me see if I get this right.

A. You've imaged the original disk to an EnCase 6 image (.e01) on some computer
B. You've then 'duplicated' that image to a new drive.
C. The new disk, connected to a W8 system, can't be recognized

Question: How exactly did you perform step B? Is it a 'restoration', or did you 'export' the files, or …? If a restore: how did you verify that step B did produce a true copy? Did you hash it? Or perhaps something less rigorous, such as spot-testing random sectors?

Question: (I'm guessing NTFS.) What did you do to bypass NTFS access restriction mechanisms? Any restored file system would have the original NTFS access rules in place, and the first step that normally needs to be done is that an Administrator takes ownership of all 'external' files. Only files that were written with access rights for everyone would be visible on the new system. Is that what stopped you?

Question: What do you mean by 'This works, but it just gave me access to the disk clone's file structure (including the E01 files), not the disk that was cloned'? A 'cloned' disk to me is a sector-by-sector copy … it can't contain any E01 of the original file.

If you see .e01 files when you preview the new hard disk … my first guess is that you didn't restore the image correctly, but instead got the image files copied to the drive. Or … that you didn't really clone the drive, but instead exported the file system to the new drive, and then added the image files to the root directory of the disk.

After this we fired up EnCase and dragged the first E01 file into EnCase. Now the file is visible as an image in EnCase named IMAGE, but I can't seem to access the file structure.

(Just pathologically curious: why didn't you do this already after step A? You should have had the files on the system where you had EnCase already then …)

What version of EnCase 6 are you using? Some releases had problems with the dongle, and occasionally lost contact with it. If that happened, you typically couldn't do any useful work until the dongle got back online (as far as EnCase was concerned).

You may want to examine the case files with something like FTK Imager or OSForensics (or Mount Image Pro or …) to ensure you actually have a workable image.

Or … if it's the NTFS protection that has you stumped … take ownership of the files.

 
Posted : 16/08/2014 2:13 pm
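Two of the checks raised in this thread can be done without EnCase: telling whether the first sector of a drive is a restored clone (boot sector) or merely an .E01 container file that was copied onto it, and confirming that each E01/E02/… segment you were handed is structurally intact and that the chain ends in a 'done' section rather than a 'next' pointing at a segment you don't have. The script below is an added example, not code from either poster or from EnCase/Tableau; it follows the version-1 EWF layout as documented by libewf (8-byte 'EVF' signature, 13-byte file header, 76-byte section descriptors with an Adler-32 over their first 72 bytes) and builds its own constructed sample segment so it runs offline. The helper and sample names (walk_ewf_sections, build_sample_segment, classify_first_sector) are this example's own.

```python
"""Sanity checks on EnCase/EWF (.E01) segment files and on a drive's first sector.
Added example; follows the version-1 EWF on-disk layout documented by libewf."""
import struct
import zlib

EWF_SIGNATURE = b"EVF\x09\x0d\x0a\xff\x00"  # first 8 bytes of every E01/E02/... segment
FILE_HEADER_LEN = 13          # signature(8) + fields start(1) + segment number(2) + fields end(2)
SECTION_DESCRIPTOR_LEN = 76   # type(16) + next offset(8) + size(8) + padding(40) + adler32(4)


def classify_first_sector(sector: bytes) -> str:
    """Distinguish a restored sector-by-sector clone from an EWF container
    that was only copied onto the drive as a file."""
    if sector[:8] == EWF_SIGNATURE:
        return "ewf-segment"       # this is an .E01 file, not a disk
    if len(sector) >= 512 and sector[510:512] == b"\x55\xaa":
        return "mbr-boot-sector"   # boot signature: MBR or GPT protective MBR, i.e. a disk image
    return "unknown"


def walk_ewf_sections(data: bytes):
    """Parse one EWF segment file held in memory.

    Returns (segment_number, [(section_type, offset, size), ...], last_section_type).
    Raises ValueError on a bad signature, a descriptor whose Adler-32 does not
    match, or a chain that does not advance (what a truncated or damaged copy gives)."""
    if data[:8] != EWF_SIGNATURE:
        raise ValueError("not an EWF version-1 segment file")
    fields_start, segment_number, fields_end = struct.unpack_from("<BHH", data, 8)
    if fields_start != 1 or fields_end != 0:
        raise ValueError("unexpected EWF file header fields")

    sections = []
    offset = FILE_HEADER_LEN
    while True:
        desc = data[offset:offset + SECTION_DESCRIPTOR_LEN]
        if len(desc) != SECTION_DESCRIPTOR_LEN:
            raise ValueError(f"truncated section descriptor at offset {offset}")
        sec_type = desc[:16].rstrip(b"\x00").decode("ascii")
        next_offset, size = struct.unpack_from("<QQ", desc, 16)
        stored = struct.unpack_from("<I", desc, 72)[0]
        computed = zlib.adler32(desc[:72]) & 0xFFFFFFFF
        if stored != computed:
            raise ValueError(f"bad checksum in '{sec_type}' section at offset {offset}")
        sections.append((sec_type, offset, size))
        # 'done' (last segment) and 'next' (more segments follow) point at themselves
        if next_offset == offset or sec_type in ("next", "done"):
            return segment_number, sections, sec_type
        if next_offset <= offset:
            raise ValueError("section chain does not advance")
        offset = next_offset


def _section(sec_type: bytes, offset: int, payload: bytes, terminal: bool = False) -> bytes:
    """Build one section (descriptor + payload) with a correct Adler-32 (constructed data)."""
    size = SECTION_DESCRIPTOR_LEN + len(payload)
    next_offset = offset if terminal else offset + size
    body = sec_type.ljust(16, b"\x00") + struct.pack("<QQ", next_offset, size) + b"\x00" * 40
    return body + struct.pack("<I", zlib.adler32(body) & 0xFFFFFFFF) + payload


def build_sample_segment(segment_number: int = 1, last: bool = True) -> bytes:
    """Constructed test data: a tiny but structurally valid segment holding a
    'header' section followed by 'done' (last segment) or 'next'."""
    out = EWF_SIGNATURE + struct.pack("<BHH", 1, segment_number, 0)
    out += _section(b"header", len(out), b"constructed header payload")
    out += _section(b"done" if last else b"next", len(out), b"", terminal=True)
    return out


if __name__ == "__main__":
    # Replace build_sample_segment() with open("image.E01", "rb").read() for a real file.
    seg = build_sample_segment()
    print("first sector looks like:", classify_first_sector(seg[:512]))
    number, secs, last = walk_ewf_sections(seg)
    print(f"segment {number}: {[s[0] for s in secs]} (ends with '{last}')")
```

On a real set, run walk_ewf_sections over every segment in order and expect segment numbers 1..N with every file ending in 'next' except the last, which ends in 'done'; a chain that ends in 'next' with no following file, or a checksum error, means the copy is incomplete or damaged, which is worth knowing before blaming EnCase. Reading the first 512 bytes of the 3 TB drive with the same classifier answers athulin's question directly: a restored clone starts with a boot sector, a drive that only holds copied E01 files does not.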