
Restore HD Image from EO1

9 Posts
5 Users
2 Likes
8,230 Views
(@olifer)
Posts: 63
Trusted Member
Topic starter
 

Greetings:

I have a forensic image (EO1) that was created by a Tableau TD2.  The source media was a hard drive that was removed from a Linux based DVR system.  A request has been made by our client to see if we can create a "working copy" of the original content from this EO1.  Since the TD2 does not have the ability to restore to disk natively, I'm trying to find a solution that will give me the best chance of accomplishing this task.  Thanks in advance for your help. 

 
Posted : 17/12/2020 7:10 pm
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

There are several tools capable of converting an EWF/.e01 image to RAW (dd-like).

On Windows (among others) FTK Imager or OSFMount:

https://www.osforensics.com/tools/mount-disk-images.html

(to mount the physicaldrive) and your preferred dd/cloning tool will do nicely.

jaclaz

 
Posted : 19/12/2020 1:39 pm
(@olifer)
Posts: 63
Trusted Member
Topic starter
 

@jaclaz

Thanks for the reply jaclaz.  Mounting the image is step one, and relatively easy.  Creating a working copy of it to a new HDD with the unknown file system is the step that I'm having difficulty with.  

 
Posted : 19/12/2020 2:29 pm
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

Well. I believe you are missing that partitioning styles and filesystems are irrelevant in the context of .e01 or RAW images.

The .e01 image has been made from a source device.

An .e01 is a (compressed) image of a "physicaldrive", i.e. a "whole device", from its first sector/block to its last sector/block.

A RAW (or dd-like) image (converted from a .e01) is a (non-compressed) image of a "physicaldrive", i.e. a "whole device", from its first sector/block to its last sector/block.

If you apply (through a suitable tool/process) to a (suitable) target device either of:
1) a .e01 image
2) a RAW image

what you obtain is a "clone" of the source.

If you prefer (and this is almost the whole point of forensics imaging) if you make an image of a "whole device" you can anytime make a "whole device" out of the image, no matter the contents of the image.

dd (or similar tools) reads what is on device and saves it in the image file, then dd (or similar tools) can read what in is in the image and save it on (new, other) device without interpreting the contents.

So, the net effect of:
1) taking a .e01 image off a device
2) converting the .e01 to RAW
3) dd-ing the RAW image to a new device

OR

1) taking a .e01 image off a device
2) mounting the .e01 to a virtual device
3) dd-ing the virtual device to a new device

is the same and exactly the same as dd-ing directly the original device to the new device, i.e. a "clone", or an exact copy, sector by sector, byte by byte.

So, if the original had an "unknown filesystem", also the copy will have an "unknown filesystem", but it will be a "special" one, identical to the original "unknown filesystem".

What is the problem?

jaclaz 

 
Posted : 19/12/2020 4:27 pm
(@olifer)
Posts: 63
Trusted Member
Topic starter
 

@jaclaz

Thanks again!  The "problem" was that I was too close to the project to be able to step back and look at it precisely as you described.  Thank you very much for your willingness to walk through it.  I am grateful.  

 
Posted : 19/12/2020 4:34 pm
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

Happy to have been useful to let you see the matter from a distance, as a general rule/experience sometimes it is needed to voice/write down doubts and - even without a "second opinion" - that is enough to change perspective.

jaclaz

 
Posted : 19/12/2020 6:26 pm
olifer reacted
(@hommy0)
Posts: 98
Trusted Member
 

If you have access to EnCase, you can load the E01 taken with the TD2 into the application and use the restore feature to write the contents of the evidence file to a new physical device.  The requirements are: same size in terms of number of sectors as the original or greater.

If I recall, and if you have access, the EnCase Imager application can also be used to restore the contents of the E01 to a new disk (same criteria as above - same size in sectors or greater).

Keep well

 
Posted : 12/01/2021 1:53 pm
bill8808 reacted
bill8808
(@bill8808)
Posts: 1
New Member
 

@hommy0 This worked well and it was easy with EnCase and EnCase Imager. Thanks

 
Posted : 06/06/2022 7:14 pm
(@gorvq7222)
Posts: 229
Reputable Member
 

EnCase/FTK/X-Ways Forensics could restore .image files to a hard drive without fail. Or forensic duplicators with "File-to-drive" function will do.

 
Posted : 30/06/2022 10:06 am