Notifications
Clear all

EnCase question

5 Posts
3 Users
0 Likes
1,992 Views
mc02
 mc02
(@mc02)
Posts: 20
Eminent Member
Topic starter
 

Hi everyone,

I have a notebook hard disk that has a dual boot of linux and windows XP. Once i've acquired it, i can see all the drive partitions namely C drive and D drive for windows and the typical linux partitions.

Using encase 4.22a, it shows C drive to be empty while D drive has all the system files and program files. I decided to restore the image to a wiped forensic hard disk and boot into windows XP. Once booted it shows it only has one partition (drive C) and there were a lot of files inside that i did not see from encase.

Can anyone help me understand why i could see the files in C from encase? I didnt use any other forensic software yet, im still tryin to convert the encase files to DD using FTKimager.

Regards
MC

 
Posted : 03/10/2007 6:48 am
(@mas66)
Posts: 21
Eminent Member
 

Hi everyone,

I have a notebook hard disk that has a dual boot of linux and windows XP. Once i've acquired it, i can see all the drive partitions namely C drive and D drive for windows and the typical linux partitions.

Using encase 4.22a, it shows C drive to be empty while D drive has all the system files and program files. I decided to restore the image to a wiped forensic hard disk and boot into windows XP. Once booted it shows it only has one partition (drive C) and there were a lot of files inside that i did not see from encase.

Can anyone help me understand why i could see the files in C from encase? I didnt use any other forensic software yet, im still tryin to convert the encase files to DD using FTKimager.

Regards
MC

Hi
Im not sure I really understand what you have done here …… when you imaged the drive did you image the physical device or just one of the partitions ?

Mark

 
Posted : 03/10/2007 7:34 am
mc02
 mc02
(@mc02)
Posts: 20
Eminent Member
Topic starter
 

I imaged the physical drive, the whole hard disk.

 
Posted : 03/10/2007 7:53 am
(@mas66)
Posts: 21
Eminent Member
 

I imaged the physical drive, the whole hard disk.

The reason I asked the question is that you keep refereing to C and D….. when you use encase to create an image the physical device is numbered.

When you are viewing the image in 4.22 the C and D that encase displays do not reflect what may have been actually allocated on the drive.

This is a guess… that encase is displaying your XP partition as D and is having difficulty displaying the other partition, hence that it appears empty. Therefore when you do the restore you are only getting the functioning XP partition. Hope that makes sense.

Try… re imaging with another tool or viewing the existing image in another tool. Rather than trying to convert the image.

Please dont take any of this as a definative answer its just my thoughts… im sure some of the other guys may be able to help

Mark

 
Posted : 03/10/2007 10:06 am
balzanto
(@balzanto)
Posts: 57
Trusted Member
 

Is the volume EnCase isn't showing a supported file system within EnCase?

Since you know the file system, have you tried to add the partition manually?

 
Posted : 13/10/2007 9:03 am
Share: