±Forensic Focus Partners

Become an advertising partner

±Your Account


Username
Password

Forgotten password/username?

Site Members:

New Today: 0 Overall: 36209
New Yesterday: 3 Visitors: 143

±Follow Forensic Focus

Forensic Focus Facebook PageForensic Focus on TwitterForensic Focus LinkedIn GroupForensic Focus YouTube Channel

RSS feeds: News Forums Articles

±Latest Articles

±Latest Videos

±Latest Jobs

Windows 10 Home Edition Storage Pool

Computer forensics discussion. Please ensure that your post is not better suited to one of the forums below (if it is, please post it there instead!)
Reply to topicReply to topic Printer Friendly Page
Forum FAQSearchView unanswered posts
 
  

JimIRIS
Newbie
 

Windows 10 Home Edition Storage Pool

Post Posted: Jul 11, 19 16:21

I have EnCase forensic images of three hard drives from a gaming PC as follows:

#1 - 1TB SSD
#2 - 4TB HDD
#3 - 4TB HDD

I do not have access to the computer or drives themselves. Photos only identify the computer as TUF Gaming (Asus?) with bar code label 027118158813.

I have added the three evidence files to a new case in EnCase Forensic v8.05 and when I open the evidence I can see the OS on the SSD (Windows 10 Home Edition).

The two HDD's each have C and D partitions of all unallocated space but I do see data in the disc view. I have tried using EnCase Scan Disk Configuration but after seeing activity on my forensic machine stop nothing happens.

I have contacted OpenText support who recommended Raid Reconstructor. I downloaded the trial with no success and contacted their support and was told that they do not support EnCase Images and I would need the original drives.

I do see "Microsoft Reserved Partition" and "Windows Storage Pool" in sector 2 of each of the 2 4TB HDD's. Any suggestions? Please let me know if you need additional information. Thank you!  
 
  

jaclaz
Senior Member
 

Re: Windows 10 Home Edition Storage Pool

Post Posted: Jul 11, 19 18:35

Actually I believe you could use the images (as opposed to the original drives), converting them to RAW ones.

The issue might be that you would need (if kept as images and use a virtual disk driver) two 6 TB disks or - if you temporarily deploy them to disk - two 4 TB disks.

Also, you should check the images contents.

Often (but not always) such "Storage Spaces" are simple RAID 1 (mirroring), i.e. the two disks have almost identical contents.

Also, the filesystem actually used could make a difference, is it ReFS?

I think that X-Ways/WinHex supports them, but you'd better ask for confirmation.

jaclaz
_________________
- In theory there is no difference between theory and practice, but in practice there is. - 
 
  

randomaccess
Senior Member
 

Re: Windows 10 Home Edition Storage Pool

Post Posted: Jul 13, 19 05:46

Have you tried getting something like arsenal image mounter, mounting the images and seeing if Windows automagically takes care of it for you?  
 

Page 1 of 1