
Need help with my Assignment!

(@nephalem)
Active Member
Joined: 8 years ago
Posts: 14
Topic starter  

Oh okay, I roughly get it. Thanks for the explanation!

And sorry! I misread it and created it on "the unallocated space".
Okay, just to confirm: the first child is the one I see after I expand "part1.ad42" for the first time, right? For example, mine is "\\PHYSICALDRIVE1\Partition 1".
So is it part1.ad42 > PHYSICALDRIVE 1 > Export Logical Image AD1 > Image fragment size set to 20,000?
Because I tried it again and I got roughly the same size again, 8.14 GB this time.
Am I doing something wrong here? (

I would provide you with an alternative explanation.

If the size in the field "Image Fragment Size" is big enough to contain all the data, only one file with extension .ad1 is created, i.e. there is only one fragment.

If the size in the field "Image Fragment Size" is not big enough to contain all the data, as many files as needed are created, every one but the last being the size specified in "Image Fragment Size" (the last one will normally be smaller than that).

How could this happen?

How could the good guys at Access Data have implemented that?

Maybe they wrote a "descriptive" header for the first file,
then started writing the actual data until the target file was exactly the given image fragment size,
then created a "next" file, incrementing the number in the extension, wrote a different "continuation" header and continued writing the data from the point where they stopped in the "previous" file, up to when this file reached the set size, then created a new "next" file, etc., until all the data had been written.

The actual "descriptive" header (and the beginning of the data) is only in the first file of the set, the .ad1, so FTK Imager, no matter whether you choose to add the .ad2 (or .ad42) file to the evidence tree, will always look for a file with the same name in the same folder with extension .ad1.

When this file (same name, in the same folder as the selected one, but with extension .ad1) is not found, FTK Imager cannot recognize the file anymore (simply because one file of the set, actually the first and main one, is missing).

Does this sound like a logical explanation of the behaviours observed?

However, WHY did you choose to make a logical image of just the "unallocated space"?
(That is one of the "nephews", not the "child", of the .ad file opened in FTK Imager.)

If you had chosen the actual first child, you would have obtained a "monolithic" file containing all the data.

Maybe you want to try again: delete the monolithic-test.ad1 file and make it anew, this time selecting the right item; the result should be (roughly) 42*200 = 8,400 MB or slightly less.

jaclaz


   
ReplyQuote
jaclaz
(@jaclaz)
Illustrious Member
Joined: 18 years ago
Posts: 5133
 

Because I tried it again and I got roughly the same size again, 8.14 GB this time.
Am I doing something wrong here? (

No, now you are seemingly fine ).

8.14 GB is not roughly the same size as the 7.19 GB you had before, it seems a lot like the "whole thing".

As always happens, there is possibly the usual confusion between GB (gigabytes) and GiB (gibibytes): traditionally a GB was made of 1024 MB, one MB was made of 1024 KB, and one KB was made of 1024 bytes.
With the new SI standards those are called GiB, MiB and KiB, whilst a GB is made of 1000 MB, a MB of 1000 KB and a KB of 1000 bytes.
Microsoft software still (IMHO more correctly, from a historical/philosophical point of view) uses the 1024 multiplier.

So, you had before:
41*200 MB + (check the size of the .ad42 file) = 8,200+135 = 8,335 MB

And now you have:
8.14*1024 = 8,335 MB

Give or take a few KB (you have 512 bytes more in each file after the .ad1 for the header) the result makes sense; you can check the actual size in bytes: the sum of the set of files .ad1-.ad42 should be 41*512 = 20,992 bytes larger than the size of the "monolithic" .ad1.

In any case, if you now add to the evidence tree both the previous set of files and the newly created one, you should see exactly the same items in them.

jaclaz


   
ReplyQuote
(@nephalem)
Active Member
Joined: 8 years ago
Posts: 14
Topic starter  

Oh, because for the monolithic_test.ad1 it stated the file is 8.5 GB, but when I right-click Properties it says 8.14 GB. lol

Erm, for the task, I don't quite get it: you mean adding which two files to the evidence tree? The "monolithic_test.ad1" and which one? The original ad1 and ad2 of the disk image provided for this assignment? And after I do that, what should I do next?

jaclaz
(@jaclaz)
Illustrious Member
Joined: 18 years ago
Posts: 5133
 

No, I meant the "monolithic" one and the set of files .ad1 to .ad42 you had before, to check that they contain exactly the same things (i.e. that when you created the monolithic image you selected the "right thing").

If you "right click" and open Properties you should also see the exact size of a file in bytes, actually two of them, one being the actual size and one the size on disk.

If you sum the size (in bytes) of each of the files .ad1 to .ad42 you should obtain a total the same as the size of the "monolithic" .ad1 file + 29992 bytes.

Now you should be able to make a new "monolithic" image out of the two (.ad1 and .ad2) files you had as the assignment, which is one of the requests you made:

… I was told that I need to decrypt and combine the 2 files in order to get the original disk image file.

The decryption is not needed, as the files are not encrypted.
The "combining" is what you asked about next, and you have (or should have) enough knowledge/experience now to do it.

From that to getting the "original disk image file" there is a looong way still (provided that recreating the "original disk image" is actually required/was actually asked, which I doubt).

jaclaz


   
ReplyQuote
(@nephalem)
Active Member
Joined: 8 years ago
Posts: 14
Topic starter  

Okay, for now I have checked the monolithic (8.14 GB) file and I summed up the ad1 to ad41 to check; it's the same.

Sorry, but I'm still kind of confused about the second part you said. So now do I need to do the same thing I did previously on ad1 to ad2? Like create another monolithic file and try to combine them together? And if so, how do I merge/combine the 2 monolithic files together?

jaclaz
(@jaclaz)
Illustrious Member
Joined: 18 years ago
Posts: 5133
 

You have tested that you can create a "monolithic" file out of a set of .ad files;
what you did till now is making a single .ad1 file with the exact same contents as the 42 files you generated earlier. The test has ended successfully.

You can do the same with the set of .ad files (.ad1 and .ad2) that came with the assignment.

You asked for that:

I was given a disk image and asked to decrypt it to see what's inside. Once I open the folder there are 2 files, ad1 and ad2, and I was given a few pieces of software to work with it, like OSForensics, ProDiscover, WinHex. I was told that I need to decrypt and combine the 2 files in order to get the original disk image file.

jaclaz


   
ReplyQuote
(@nephalem)
Active Member
Joined: 8 years ago
Posts: 14
Topic starter  

Okay, thanks a lot for your help throughout, I really appreciate it. I'll try to work on it and get back to you again. And sorry, I might be asking some very easy questions, or even things that I should already know, as it's really my first time working on something like this and using this software; I hope you are able to bear with me lol.

So technically I have already made the ad1 into the "monolithic-test file", so I just need to proceed to do the same thing to ad2, right?
I tried to repeat the same steps again on ad2: Add evidence > jo-2009-11-19.ad2 > plug in thumbdrive > Add physical drive > select FAT32, but at this point it still shows "Export Disk Image AD1" instead of AD2.
So do I still proceed with everything as per normal? Or by default does it show AD1?

Update: I did continue and I realised that all the 42 ad files add up to the same as the ad1 that I did previously (8.14 GB), so the result is:
the original AD1 file I made into a monolithic is 8,514,961 KB
the original AD2 file I made into a monolithic is 8,514,985 KB

jaclaz
(@jaclaz)
Illustrious Member
Joined: 18 years ago
Posts: 5133
 

To further clear any possible remaining doubt, let's say that you have two files
myniceimage.ad1
myniceimage.ad2
created by FTK Imager.

When you click "add to the evidence tree" and select the myniceimage.ad1 file, three things happen:
1) in the evidence tree a "new item" named myniceimage.ad1 appears
2) in the background all files named "myniceimage" are "virtually stitched together" (in this case only two, myniceimage.ad1 and myniceimage.ad2, in the order given by the number in the file extension)
3) the WHOLE contents of ALL the images with the name "myniceimage" are available as children of the evidence item

When you click "add to the evidence tree" and select the myniceimage.ad2 file, three things happen:
1) in the evidence tree a "new item" named myniceimage.ad2 appears
2) in the background all files named "myniceimage" are "virtually stitched together" (in this case only two, myniceimage.ad1 and myniceimage.ad2, in the order given by the number in the file extension)
3) the WHOLE contents of ALL the images with the name "myniceimage" are available as children of the evidence item

So to all practical purposes there is NO ACTUAL DIFFERENCE - as long as all files belonging to a "set" are available - between selecting the .ad1, the .ad2 or the .adn file.

jaclaz


   
ReplyQuote
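As an added example (not code from the thread, from FTK Imager or from AccessData), the two checks jaclaz describes above, in Python: gather every member of an .adN set whichever file was selected and report missing segments (the missing-.ad1 case), and compare the set's byte total with a single-file image of the same item using the 41*512 reasoning. It assumes segments share a stem and carry .ad1, .ad2, ... extensions, takes the 512-byte per-segment header figure from jaclaz's post rather than from a format specification, and builds constructed sample files that are not real AD1 data.

```python
import re
import tempfile
from pathlib import Path

HEADER_BYTES = 512   # per-segment header size as stated in the thread (assumption, not from a format spec)
_SEG_EXT = re.compile(r"^\.ad(\d+)$")


def collect_segment_set(selected: Path) -> dict:
    """Gather every sibling with the same stem and an .adN extension, ordered by N,
    whichever member was selected, and list the segment numbers that are missing."""
    found = {}
    for p in selected.parent.iterdir():
        m = _SEG_EXT.match(p.suffix)
        if m and p.stem == selected.stem:
            found[int(m.group(1))] = p
    highest = max(found, default=0)
    return {"segments": [found[n] for n in sorted(found)],
            "missing": [n for n in range(1, highest + 1) if n not in found]}


def check_against_monolithic(segments: list, monolithic: Path, fragment_bytes: int) -> dict:
    """Every segment but the last should equal the chosen fragment size, and the byte
    total should exceed the single-file image by one header per extra segment."""
    sizes = [p.stat().st_size for p in segments]
    total = sum(sizes)
    return {"segment_total": total,
            "uniform_fragments": all(s == fragment_bytes for s in sizes[:-1]),
            "overhead_ok": total - monolithic.stat().st_size == (len(sizes) - 1) * HEADER_BYTES}


def demo() -> dict:
    """Constructed sample (not real AD1 data): 1,200 data bytes split at a 1,000-byte
    fragment size, so each segment holds a 512-byte header plus up to 488 data bytes."""
    frag, data = 1000, bytes(1200)
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "mono.ad1").write_bytes(bytes(HEADER_BYTES) + data)
        step = frag - HEADER_BYTES
        for n, off in enumerate(range(0, len(data), step), start=1):
            (root / f"set.ad{n}").write_bytes(bytes(HEADER_BYTES) + data[off:off + step])
        whole = collect_segment_set(root / "set.ad3")   # selecting .ad3 still yields the full set
        sizes = check_against_monolithic(whole["segments"], root / "mono.ad1", frag)
        (root / "set.ad1").unlink()                     # the case FTK Imager cannot open
        broken = collect_segment_set(root / "set.ad2")
    return {"count": len(whole["segments"]), "missing_before": whole["missing"],
            "missing_after": broken["missing"], **sizes}


if __name__ == "__main__":
    print(demo())
```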
Page 3 / 3
Share: