
Clone/restore an Image to look like original (encryption)

(@cerveza)
Eminent Member
Joined: 16 years ago
Posts: 21
Topic starter  

Hi

Does anyone know how to clone/restore a drive from an image?

I have an EnCase image of a drive encrypted with SafeBoot. I have the tech to decrypt the drive, but as it is in an image format it is no good until I open the image in EnCase and then clone the contents to a drive, so that when it is plugged into the SafeBoot machine it recognises it as its "original drive" even though the real original is kept safe.

How do I go about doing this? Does anyone have any idea?

This is in Encase 7

Thank You
C


   
binarybod
(@binarybod)
Reputable Member
Joined: 17 years ago
Posts: 272
 

There is a way to do this in EnCase 6. I wouldn't have a clue how to do this in EnCase 7.

My own preferred methodology would be to use ewfexport, which is part of the libewf suite.

If your image was acquired using EnCase 7 and is in the new format, then you are stuck with using EnCase 7, as this format isn't supported by libewf (or EnCase 6).

Paul
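
The format question raised in this reply can be answered from the first bytes of the first segment file before choosing a restore tool. The following is an added example, not part of the thread or of libewf: it classifies a segment file by its signature (values as given in the libewf format documentation), and the function names and sample byte strings are constructed for illustration.

```python
import struct
import sys

# 8-byte segment-file signatures, per the libewf format documentation.
SIGNATURES = {
    b"EVF\x09\x0d\x0a\xff\x00": ("EWF v1", "E01 disk image"),
    b"LVF\x09\x0d\x0a\xff\x00": ("EWF v1", "L01 logical evidence file"),
    b"EVF2\x0d\x0a\x81\x00": ("EWF v2", "Ex01 disk image (format introduced with EnCase 7)"),
    b"LEF2\x0d\x0a\x81\x00": ("EWF v2", "Lx01 logical evidence file"),
}


def classify_segment(header: bytes):
    """Return (family, description, segment_number) for the leading bytes of a file.

    segment_number is only decoded for EWF v1, whose 13-byte header is:
    signature (8) | fields start 0x01 (1) | segment number LE (2) | fields end 0x0000 (2)
    """
    sig = header[:8]
    if sig not in SIGNATURES:
        return ("unknown", "not an EWF segment file", None)
    family, description = SIGNATURES[sig]
    if family != "EWF v1":
        return (family, description, None)
    if len(header) < 13:
        return (family, description + " (truncated header)", None)
    fields_start, segment, fields_end = struct.unpack_from("<BHH", header, 8)
    if fields_start != 0x01 or fields_end != 0x0000:
        return (family, description + " (malformed header)", None)
    return (family, description, segment)


def classify_file(path):
    """Open the segment file read-only and classify it from its first 13 bytes."""
    with open(path, "rb") as fh:
        return classify_segment(fh.read(13))


# Constructed sample headers (not taken from real evidence files).
SAMPLE_E01 = b"EVF\x09\x0d\x0a\xff\x00" + b"\x01" + struct.pack("<H", 1) + b"\x00\x00"
SAMPLE_EX01 = b"EVF2\x0d\x0a\x81\x00" + bytes(24)

if __name__ == "__main__":
    for path in sys.argv[1:]:
        print(path, classify_file(path))
```

A segment number other than 1 means the file is not the first segment of the set, so the tool should be pointed at the first segment file instead.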


   
JonN
(@jonn)
Trusted Member
Joined: 20 years ago
Posts: 73
 

In EnCase 7 you have to get the image loaded up in the Evidence tab, then highlight the device, go to the 'Devices' drop-down and select 'Restore' - the rest of the options should be self-explanatory from there.

Hope this helps


   
(@cerveza)
Eminent Member
Joined: 16 years ago
Posts: 21
Topic starter  

@binarybod - I have done this as an E01 image so I could use EnCase 6, I guess.

@JonN - I will follow your instructions and check back shortly.

Thank you both for your help, I will let you know how I get on. Much appreciated.

C


   
(@dan0841)
Trusted Member
Joined: 17 years ago
Posts: 91
 

Hi Richard

Do you have EnCase Decryption Suite for v6? It can deal with SafeBoot and decrypt the image if you have access to certain files from the SafeBoot server. There are instructions on the Guidance Support portal.

Apologies - I know it's not related to the original question.


   
(@cerveza)
Eminent Member
Joined: 16 years ago
Posts: 21
Topic starter  

Hi,

The EnCase restore worked a treat, though it took 22 hours… which quite frankly is utterly insane. Lucky it was a Friday so I left it over the weekend!! It looks like this is one way to solve this problem.

Dan, I do know that EnCase can handle SafeBoot but I have yet to fully try it. Once I have the keys "downloaded" to the SGN machine, does EnCase just see them? As far as I am aware I would have to point EnCase to where these keys are downloaded to so that it could crack the encryption.

Is it not better to image the drive beforehand? Also, if I do use this on original evidence, strip away the encryption and then image, if I plugged this into a different machine would it then stay unencrypted (e.g. a machine with just EnCase on it and no SafeBoot software)?

Also, wouldn't it mess with original evidence? (Or does it work behind a write blocker?) As you can see, this is new to me.

Thanks
C


   