Problems with compressed E01 images created with FTK 2.5.3

(@wilber999)
Posts: 30
Eminent Member
Topic starter
 

I am attempting to use some E01 images that I acquired a couple of weeks ago and am having an issue. Using FTK Imager 2.5.3, I imaged 4 drives in E01 format compressed and one uncompressed to large drives. I am now trying to load the images into FTK and am having issues with the 4 that are compressed: they will not load. When I try to load them in FTK, I get an error about it not being a valid evidence drive. When I try to load them in FTK Imager, I get the following error:

filename.e01 does not contain valid evidence.
Details Image file size is not a multiple of block size.

Both Encase and Mount Image Pro also have issues with the compressed E01 images.

I had a very small window to image the drives and do not have the opportunity to re-image.

Any info is greatly appreciated.

 
Posted : 03/12/2007 4:46 am
(@lpcforensic)
Posts: 8
Active Member
 

Hi Wilber,

If you have the same issue with Encase, FTK, MountIMAGE... the only thing that you can do is re-acquire the images.
Maybe the 4 images are corrupted.

Or the new version 2.5.3 had a problem (I hope not...).

Try this (if you can): acquire with FTK 2.5.1 and then with 2.5.3, and test whether FTK and Encase work with the two types of acquisition.

If yes, your first acquisition was corrupted.

If only the 2.5.3 one doesn't work... FEAR!!!!!

 
Posted : 03/12/2007 8:04 pm
JRuiz
(@jruiz)
Posts: 4
New Member
 

Hi Wilber,

Did you verify the images at the time of acquisition? What type of device are the images on (external drive, Bytecc, etc.) and how is it connected (USB, FireWire, etc.)?

John Ruiz
BlackStorm CSF
www.BlackStormcsf.com

 
Posted : 03/12/2007 8:22 pm
(@wilber999)
Posts: 30
Eminent Member
Topic starter
 

I do not have the opportunity to re-acquire the images. It was an "unfriendly" acquisition and I only had 24 hours. When I arrived, I found that there were 6 more hard drives than expected. I used the previous version of the DiscJockey forensic toolkit write blocker attached via FireWire to a machine that sent the images via USB 2 to a hard drive that was attached. Since I had limited time, I had to make the poor decision not to verify. What is confusing me is that only the images that were encrypted are giving me a problem.

 
Posted : 03/12/2007 8:40 pm