Encase carving - filling up disk space and not completing
I started a file carving process in Encase a three days ago on the unallocated clusters for an 80GB laptop image, and it's still running. I also selected to export the results, and chose 20 file types for this process. The results were writing to a 2TB drive which has now completely filled with unallocated clusters_FO files.
I was wondering whether anybody has any experience in this, as I'm surprised that it's taking so long, and that it has completely written so much data onto the drive.
Encase is a forensic software that is commonly used for file carving, which is the process of extracting files from unallocated space on a disk. It is not uncommon for file carving to take a long time, especially when working with large disk images and when exporting the results to a separate drive.
It's possible that the file carving process is not completing because of an issue with the disk image or the export drive. For example, the disk image may be corrupted or the export drive may be full.
Additionally, the number of file types you've selected to export could be causing the process to take longer and fill up more space. Try reducing the number of file types to a smaller selection and see if that speeds up the process.
It's also worth checking the free space on the export drive and make sure it's not full, if that's the case then try to move the exported files to another drive with enough free space.
I recommend consulting Encase's documentation or reaching out to their support team for further assistance.
.. The results were writing to a 2TB drive which has now completely filled with unallocated clusters_FO files.
Two immediate thoughts I would check:
Have you looked at some of these FO files, what do they look like? If you move, copy, carve a gazillion tiny files from a small blocksize (512 bytes) source device to a large blocksize (4K bytes) destination device then the large blocksize destination can be overwhelmed by the nominally much smaller source. In this example, every file would take up 8 times as much storage.
Are you trying to carve and unpack a Zip Bomb?