
Encase Carving

(@gremodic)
Posts: 24
Eminent Member
Topic starter
 

Hi to all,
I have a problem. I have a CD-ROM acquired with EnCase 6.15. Now, when I analyze this image or analyze the CD-ROM directly, I see only unallocated clusters, but I know for sure that there is an mpg file; I'm sure because foremost and IsoBuster have found this file. I have tried with Case Processor and the other way you have written about before, but I didn't find anything. What can I do to find this file with EnCase?

 
Posted : 22/03/2010 2:24 pm
(@rich2005)
Posts: 536
Honorable Member
 

It's probably EnCase being rubbish at parsing the particular filesystem you have on the disc. It's particularly bad at UDF, from memory.
(I've requested much better support but that's probably scheduled for 2020 some time).
What are you trying to do particularly with EnCase? Is there a reason you can't report using a different tool? (such as IsoBuster as you say)
Is it a CDR or CDRW?

 
Posted : 22/03/2010 4:18 pm
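
One way to check which filesystem the disc actually carries, following the UDF remark in the reply above (added example, not part of the original posts): it reads the volume recognition area of a raw image from sector 16 onward and reports the ISO 9660 (`CD001`) and UDF (`BEA01`, `NSR02`, `NSR03`, `TEA01`) descriptors it finds. The function names, the 2048-byte sector size and the in-memory sample image are assumptions made for this example.

```python
import io

SECTOR = 2048          # assumption: 2048-byte user-data sectors (not raw 2352-byte dumps)
FIRST_DESCRIPTOR = 16  # sectors 0-15 are the system area
MAX_DESCRIPTORS = 64   # scan limit chosen for this example

ISO_TYPES = {0: "boot record", 1: "primary volume", 2: "supplementary volume",
             3: "volume partition", 255: "set terminator"}
UDF_IDS = {b"BEA01": "extended area start", b"NSR02": "UDF 1.x descriptor",
           b"NSR03": "UDF 2.x descriptor", b"TEA01": "extended area end"}

def scan_volume_descriptors(stream):
    """Return (sector, identifier, meaning) for each recognised descriptor."""
    found = []
    stream.seek(FIRST_DESCRIPTOR * SECTOR)
    for index in range(MAX_DESCRIPTORS):
        block = stream.read(SECTOR)
        ident = block[1:6]  # 5-byte standard identifier follows the type byte
        if ident == b"CD001":
            meaning = "ISO 9660 " + ISO_TYPES.get(block[0], "unknown type")
        elif ident in UDF_IDS:
            meaning = UDF_IDS[ident]
        else:
            break  # short read or unrecognised sector ends the sequence
        found.append((FIRST_DESCRIPTOR + index, ident.decode("ascii"), meaning))
    return found

def classify(found):
    """Summarise which filesystems the recognition sequence announces."""
    ids = {ident for _, ident, _ in found}
    has_iso, has_udf = "CD001" in ids, bool(ids & {"NSR02", "NSR03"})
    if has_iso and has_udf:
        return "ISO 9660 + UDF bridge"
    if has_udf:
        return "UDF only"
    return "ISO 9660 only" if has_iso else "no recognisable filesystem"

def build_sample(descriptors):
    """Constructed in-memory image: blank system area, then (type, identifier) sectors."""
    image = bytearray(FIRST_DESCRIPTOR * SECTOR)
    for dtype, ident in descriptors:
        image += bytes([dtype]) + ident + b"\x01" + bytes(SECTOR - 7)
    return io.BytesIO(bytes(image))

if __name__ == "__main__":
    sample = build_sample([(1, b"CD001"), (255, b"CD001"), (0, b"BEA01"),
                           (0, b"NSR02"), (0, b"TEA01")])
    hits = scan_volume_descriptors(sample)
    print(hits, classify(hits), sep="\n")
```

To run it on evidence, pass a file object opened in binary mode on a raw copy of the disc image instead of the constructed sample. A result of "no recognisable filesystem" means the file has to be recovered by carving rather than by filesystem parsing.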
(@gremodic)
Posts: 24
Eminent Member
Topic starter
 

It's 1 CD-R and 1 DVD-RW. No, no, I can use the other product, but mine is simple curiosity about EnCase. You know how much EnCase costs, and so I was surprised by this situation, and to be sure from now on to analyze CDs and DVDs with other tools and not with EnCase.

 
Posted : 23/03/2010 4:56 pm
benfindlay
(@benfindlay)
Posts: 142
Estimable Member
 

Sounds like when you added it to EnCase you haven't added it as a raw image.

You can sort this by choosing File >> Add Raw Image, specify that it's a CD-ROM, and right click in the components box to add the path to the file in question. Oh, and don't forget to fill in a name for the exhibit!

That work?

 
Posted : 23/03/2010 5:03 pm
(@gremodic)
Posts: 24
Eminent Member
Topic starter
 

I have this problem also if I don't add an image but add the CD-ROM directly; it is the same. By the way, I tried what you said but without results.

 
Posted : 23/03/2010 5:09 pm
benfindlay
(@benfindlay)
Posts: 142
Estimable Member
 

In which case, has EnCase reverted to Acquisition mode? Look in the menu bar; if the word Acquisition is present, EnCase has lost contact with your dongle. If so, take the dongle out, reconnect it and restart EnCase.

Hope this helps

 
Posted : 23/03/2010 5:15 pm
(@gremodic)
Posts: 24
Eminent Member
Topic starter
 

I understand what you say, but it isn't a dongle problem. I have tried to analyze the image with other tools and it's OK; with EnCase, no. I have tried to add the E01 file as a normal EnCase and as a raw image.

 
Posted : 23/03/2010 5:30 pm
benfindlay
(@benfindlay)
Posts: 142
Estimable Member
 

Ok, with those 2 problems eliminated, can you open the E01 files in another program and see what you get, for example Autopsy or Blade, or try mounting it with Mount Image Pro or mount-ewf? The E01 file could be corrupt, or EnCase could be at fault. If it opens with another tool, then the problem is within EnCase. If it won't open with another tool, then I would recommend re-acquiring the image.

 
Posted : 23/03/2010 5:33 pm
(@gremodic)
Posts: 24
Eminent Member
Topic starter
 

I can open the EnCase files with another tool and I see this file. If I open the CD with a normal browser I can't see anything; probably the system files were deleted. I don't believe it is a problem of acquisition.
I have tried to acquire and analyze the CD-ROM directly again and again.

 
Posted : 23/03/2010 5:37 pm