Greetings:
I have a forensic image (E01) that was created by a Tableau TD2. The source media was a hard drive that was removed from a Linux based DVR system. A request has been made by our client to see if we can create a "working copy" of the original content from this E01. Since the TD2 does not have the ability to restore to disk natively, I'm trying to find a solution that will give me the best chance of accomplishing this task. Thanks in advance for your help.
There are several tools capable of converting an EWF/.e01 image to RAW (dd-like).
On Windows (among others) FTK Imager or OSFMount:
https://www.osforensics.com/tools/mount-disk-images.html
(to mount the physicaldrive) and your preferred dd/cloning tool will do nicely.
jaclaz
Thanks for the reply jaclaz. Mounting the image is step one, and relatively easy. Creating a working copy of it to a new HDD with the unknown file system is the step that I'm having difficulty with.
Well. I believe you are missing that partitioning styles and filesystems are irrelevant in the context of .e01 or RAW images.
The .e01 image has been made from a source device.
An .e01 is a (compressed) image of a "physicaldrive", i.e. a "whole device", from its first sector/block to its last sector/block.
A RAW (or dd-like) image (converted from a .e01) is a (non-compressed) image of a "physicaldrive", i.e. a "whole device", from its first sector/block to its last sector/block.
If you apply (through a suitable tool/process) to a (suitable) target device either of:
1) a .e01 image
2) a RAW image
what you obtain is a "clone" of the source.
If you prefer (and this is almost the whole point of forensics imaging) if you make an image of a "whole device" you can anytime make a "whole device" out of the image, no matter the contents of the image.
dd (or similar tools) reads what is on the device and saves it in the image file, then dd (or similar tools) can read what is in the image and save it on a (new, other) device without interpreting the contents.
So, the net effect of:
1) taking a .e01 image off a device
2) converting the .e01 to RAW
3) dd-ing the RAW image to a new device
OR
1) taking a .e01 image off a device
2) mounting the .e01 to a virtual device
3) dd-ing the virtual device to a new device
is the same, and exactly the same, as dd-ing the original device directly to the new device, i.e. a "clone", or an exact copy, sector by sector, byte by byte.
So, if the original had an "unknown filesystem", also the copy will have an "unknown filesystem", but it will be a "special" one, identical to the original "unknown filesystem".
What is the problem?
jaclaz
Thanks again! The "problem" was that I was too close to the project to be able to step back and look at it precisely as you described. Thank you very much for your willingness to walk through it. I am grateful.
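The two routes jaclaz describes (convert the .e01 to RAW and dd it, or mount the .e01 and dd the virtual device) come down to one sector-for-sector copy followed by a hash comparison to prove the clone is identical. The script below is an added example written for this thread, not code posted by anyone in it. It assumes libewf's command-line tools (ewfexport, ewfmount, ewfverify) and GNU coreutils (dd, sha256sum, blockdev) are installed; the /dev/sdX target and the dvr.E01 / dvr.raw file names in the comments are placeholders. It also applies the rule the EnCase restore feature enforces: the target must have at least as many sectors as the image, and a larger target is fine because only the region the image covers has to match.

```shell
#!/bin/sh
# Added example (not from the thread): restore a whole-device image to a
# target sector-for-sector and prove the result is identical by hash.
# Assumed tools: libewf's ewfexport/ewfmount/ewfverify, GNU dd, sha256sum,
# blockdev. /dev/sdX, dvr.E01 and dvr.raw below are placeholder names.
#
# Route 1 (convert, then dd), typed on the examiner's Linux box:
#   ewfverify dvr.E01                      # stored hash still matches the image
#   ewfexport -u -f raw -t dvr dvr.E01     # writes dvr.raw (unattended, raw format)
#   clone_raw dvr.raw /dev/sdX && verify_clone dvr.raw /dev/sdX
# Route 2 (mount, then dd): ewfmount dvr.E01 /mnt/ewf exposes /mnt/ewf/ewf1,
#   which is the raw device view; use it in place of dvr.raw above.
set -eu

# Number of 512-byte sectors a file or block device holds.
sectors_of() {
    if [ -b "$1" ]; then
        blockdev --getsz "$1"                       # whole device, in 512-byte sectors
    else
        echo $(( $(wc -c < "$1" | tr -d ' ') / 512 ))
    fi
}

# clone_raw src dst: copy src to dst byte for byte, without interpreting the
# contents (partition table and filesystem type do not matter). Refuses a
# block-device target with fewer sectors than the image, as EnCase does.
clone_raw() {
    src=$1; dst=$2
    if [ -b "$dst" ] && [ "$(sectors_of "$dst")" -lt "$(sectors_of "$src")" ]; then
        echo "target has fewer sectors than the image" >&2
        return 1
    fi
    dd if="$src" of="$dst" bs=1M conv=fsync status=none
}

# verify_clone src dst: hash all of src and the first len(src) bytes of dst.
# A larger target still verifies; only the region the image covers must match.
verify_clone() {
    src=$1; dst=$2
    n=$(wc -c < "$src" | tr -d ' ')
    h_src=$(sha256sum < "$src" | cut -d' ' -f1)
    h_dst=$(head -c "$n" "$dst" | sha256sum | cut -d' ' -f1)
    [ "$h_src" = "$h_dst" ]
}

# Offline demonstration on constructed data: a 4 MiB random file stands in
# for the RAW export of the .e01, and a plain file stands in for the new HDD.
demo() {
    tmp=$(mktemp -d)
    dd if=/dev/urandom of="$tmp/dvr.raw" bs=1M count=4 status=none
    clone_raw "$tmp/dvr.raw" "$tmp/target.img"
    verify_clone "$tmp/dvr.raw" "$tmp/target.img" && echo "clone verified: $(sectors_of "$tmp/dvr.raw") sectors"
    rm -rf "$tmp"
}
```

On a real restore, run `sectors_of /dev/sdX` before anything else and compare it with the sector count ewfinfo reports for the image; if the new drive is short by even one sector the copy is truncated and the hash check fails, which is exactly the condition the size check refuses up front.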
Happy to have been useful to let you see the matter from a distance, as a general rule/experience sometimes it is needed to voice/write down doubts and - even without a "second opinion" - that is enough to change perspective.
jaclaz
If you have access to EnCase, you can load the E01 taken with the TD2 into the application and use the restore feature to write the contents of the evidence file to a new physical device. The requirements are: same size in terms of number of sectors as the original, or greater.
If I recall, and if you have access, the EnCase Imager application can also be used to restore the contents of the E01 to a new disk (same criteria as above - same size in sectors or greater)
Keep well
@hommy0 This worked well and it was easy with EnCase and EnCase Imager. Thanks
EnCase/FTK/X-Ways Forensics can restore image files to a hard drive without fail. Or forensic duplicators with a "File-to-drive" function will do.