http//
This is the setup for the array, a mix of RAID 5 and RAID 1. Just out of curiosity (as I know it's not required in this instance), any thoughts on how you could take full physical images from the discs and then re-build it in software?
The wiki also has the proprietary IP address of the unit and some other tips that may be of use.
Thankfully, not this time, but it did get me thinking on how best one would go about a full physical acquisition. It's a challenge to say the least.
We had to do a data recovery job on one of these - It was being used for storing photographs.
It was a pain to examine - the imaging was easy but recovery of the data was another matter - just masses of unrecognisable data that EnCase could not read.
Did you find any solution?
Just to update this, I did set up a standalone network and map the three folders that were on the NAS, then imaged the folders in AD1 format using FTK Imager. Client has updated request and needs image in E01 format. Not sure how EnCase will handle this, as to create a logical evidence file, you need to preview the drive or partition first. Anyone used EnCase to image a folder from a NAS on a live network?
Another day full of challenges!
FWIW, I recently had an EnCase LEF file that I wanted to use in FTK. The way I approached it was to use a new VMDK virtual disk which was slightly larger than the data, attached this disk to an existing XP install in VMware Workstation and created the logical volume, closed VMware down, mounted the VMDK as a local disk using vmware-mount, then used copy folders in EnCase to copy out all the files to the empty disk. Finally, I just dropped it back into EnCase and acquired it as an E01 file.
I am sure that the reverse will hold true and you should be able to extract all from the AD1 file in FTK and then import the VMDK into EnCase.
(I know that essentially I'm just using virtual disks instead of physical disks and then re-imaging - just seems an easy and convenient way given the lack of other methods - at least any that I'm aware of)
I concur with mickpen.
Exporting the folders to a sanitized disk and then re-imaging the disk using EnCase would seem to be the most straightforward approach as long as size and certain meta-data are not an issue. If they do become one, you have your AD1 image to fall back on in any event.
Converting (or perhaps I should say not converting) AD1 directory images to E01 images was discussed briefly in one of the earlier discussions:
http://www.forensicfocus.com/index.php?name=Forums&file=viewtopic&t=962
I for one would be glad to hear any other ideas on techniques for the conversion of these formats.
Thanks for the feedback.
Seems like options are limited. I suppose EnCase Enterprise could handle this but I don't have a licence (pockets are not that deep).
Haven't you considered using R-Studio or F-Response? They are also said to be useful for network acquisition (EnCase Enterprise is not alone anymore! :D)