Restore HD Image from EO1

olifer
(@olifer)
Member

Greetings:

I have a forensic image (EO1) that was created by a Tableau TD2.  The source media was a hard drive that was removed from a Linux based DVR system.  A request has been made by our client to see if we can create a "working copy" of the original content from this EO1.  Since the TD2 does not have the ability to restore to disk natively, I'm trying to find a solution that will give me the best chance of accomplishing this task.  Thanks in advance for your help. 

Topic starter Posted : 17/12/2020 7:10 pm
jaclaz
(@jaclaz)
Community Legend

There are several tools capable of converting an EWF/.e01 image to RAW (dd-like).

On Windows (among others) FTK Imager or OSFMount:

https://www.osforensics.com/tools/mount-disk-images.html

(to mount the physicaldrive) and your preferred dd/cloning tool will do nicely.

jaclaz

Posted : 19/12/2020 1:39 pm
olifer
(@olifer)
Member

@jaclaz

Thanks for the reply jaclaz. Mounting the image is step one, and relatively easy. Creating a working copy of it to a new HDD with the unknown file system is the step that I'm having difficulty with.

Topic starter Posted : 19/12/2020 2:29 pm
jaclaz
(@jaclaz)
Community Legend

Well, I believe you are missing that partitioning styles and filesystems are irrelevant in the context of .e01 or RAW images.

The .e01 image has been made from a source device.

An .e01 is a (compressed) image of a "physicaldrive", i.e. a "whole device", from its first sector/block to its last sector/block.

A RAW (or dd-like) image (converted from a .e01) is a (non-compressed) image of a "physicaldrive", i.e. a "whole device", from its first sector/block to its last sector/block.

If you apply (through a suitable tool/process) to a (suitable) target device either of:
1) a .e01 image
2) a RAW image

what you obtain is a "clone" of the source.

If you prefer (and this is almost the whole point of forensics imaging) if you make an image of a "whole device" you can anytime make a "whole device" out of the image, no matter the contents of the image.

dd (or similar tools) reads what is on the device and saves it in the image file, then dd (or similar tools) can read what is in the image and save it on a (new, other) device without interpreting the contents.

So, the net effect of:
1) taking a .e01 image off a device
2) converting the .e01 to RAW
3) dd-ing the RAW image to a new device

OR

1) taking a .e01 image off a device
2) mounting the .e01 to a virtual device
3) dd-ing the virtual device to a new device

is the same, exactly the same, as dd-ing the original device directly to the new device, i.e. a "clone", or an exact copy, sector by sector, byte by byte.

So, if the original had an "unknown filesystem", the copy will also have an "unknown filesystem", but it will be a "special" one, identical to the original "unknown filesystem".

What is the problem?

jaclaz

Posted : 19/12/2020 4:27 pm
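The convert-then-dd route described above, as an added shell example that is not from the thread: it assumes the .e01 has already been converted to RAW (for example with ewfexport from libewf, or by mounting it as a physical drive with FTK Imager/OSFMount) and that it runs on Linux with blockdev, GNU dd and sha256sum. The function names and the constructed sample image are assumptions; the script refuses a target smaller than the image and verifies the clone by hash, which the thread mentions only as a principle.

```shell
#!/bin/sh
# Added example, not code from the thread: write a RAW (dd-style) image to a
# target block device or file sector by sector, then verify the copy by hash.
# Assumes the .e01 was already converted to RAW (ewfexport, or mounted as a
# physical drive); that conversion step is not shown here.

SECTOR=512

# Size of a regular file or block device in bytes (Linux: blockdev).
size_bytes() {
    if [ -b "$1" ]; then
        blockdev --getsize64 "$1"
    else
        wc -c < "$1" | tr -d ' '
    fi
}

# SHA-256 of the first $2 bytes of $1, i.e. the region that must match the image.
hash_prefix() {
    head -c "$2" "$1" | sha256sum | cut -d' ' -f1
}

# clone_raw_image IMAGE TARGET
# Refuses an existing target that holds fewer bytes than the image, copies the
# image with dd, then compares hashes so the caller knows the clone is exact.
clone_raw_image() {
    src="$1"; dst="$2"
    src_bytes=$(size_bytes "$src")
    src_sectors=$(( (src_bytes + SECTOR - 1) / SECTOR ))
    if [ -e "$dst" ]; then
        dst_bytes=$(size_bytes "$dst")
        if [ "$dst_bytes" -lt "$src_bytes" ]; then
            echo "target too small: $dst_bytes < $src_bytes bytes" >&2
            return 2
        fi
    fi
    # notrunc keeps a larger target's tail; noerror,sync pads unreadable
    # sectors with zeros instead of aborting, so sector offsets stay aligned.
    dd if="$src" of="$dst" bs="$SECTOR" conv=notrunc,noerror,sync 2>/dev/null || return 1
    sync
    if [ "$(hash_prefix "$src" "$src_bytes")" != "$(hash_prefix "$dst" "$src_bytes")" ]; then
        echo "verification failed: hashes differ" >&2
        return 3
    fi
    echo "cloned $src_sectors sectors to $dst, hash verified"
}
```

Run it as `clone_raw_image /path/to/image.raw /dev/sdX` with the target device double-checked first, since dd writes wherever it is pointed.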
olifer
(@olifer)
Member

@jaclaz

Thanks again! The "problem" was that I was too close to the project to be able to step back and look at it precisely as you described. Thank you very much for your willingness to walk through it. I am grateful.

Topic starter Posted : 19/12/2020 4:34 pm
jaclaz
(@jaclaz)
Community Legend

Happy to have been useful in letting you see the matter from a distance. As a general rule/experience, sometimes it is needed to voice/write down doubts and - even without a "second opinion" - that is enough to change perspective.

jaclaz

Posted : 19/12/2020 6:26 pm
hommy0
(@hommy0)
Member

If you have access to EnCase, you can load the E01 taken with the TD2 into the application and use the restore feature to write the contents of the evidence file to a new physical device. The requirements are: same size in terms of number of sectors as the original, or greater.

If I recall, and if you have access, the EnCase Imager application can also be used to restore the contents of the E01 to a new disk (same criteria as above - same size in sectors or greater).

Keep well

Posted : 12/01/2021 1:53 pm