Convert .AD1 image to DD raw image

17 Posts
7 Users
0 Reactions
19 K Views
bshavers
(@bshavers)
Estimable Member
Joined: 20 years ago
Posts: 211
 

An easy solution to future collections to avoid converting logical images is to create a real image with X-Ways. I suspect other tools will eventually catch on to what X-Ways does, but it's worth taking a look at X-Ways Forensics or just the X-Ways Imager (less expensive than X-Ways Forensics).

Take a look at the chart of Cleansed/Skeleton/Container formats for specs: http://x-ways.net/investigator/containers_vs_skeleton_images.html

One of the neat things is "Preserves original offsets and original distances between various data and metadata". X-Ways images the disk with only the files you select, or doesn't image the files you don't want (there is a difference in concept and result with each of these).

Files selected to be imaged are those that you want and nothing else, such as only MS Word docs (Skeleton image).
Files omitted from imaging are those that you don't want, like privileged data (Cleansed image).

I've mostly gone away from containers in ediscovery collections since you can make a real forensic image of responsive files without having to convert a container into another format to work in different tools. If a client or opposing expert wants a container, the X-Ways (cleansed or skeleton) image can be used to create a container using FTK Imager or other container tool.


jaclaz
(@jaclaz)
Illustrious Member
Joined: 18 years ago
Posts: 5133
 

@bitshavers

With all due respect, those are exceptionally good solutions ) to some cases only (and in the hands of people that really know where their towel is).

With a RAW (or dd-like or "physical") image (which takes time to create, uses a lot of disk space, etc.) you have 100% of the information.

With anything else you are extracting some subset(s) of the original information.

The nice formats by X-Ways are IMHO appropriate, particularly the cleansed format in - as you say - e-discovery to deal with "privileged data" and the "skeleton", still in e-discovery, to maintain only a given format of file.

But they are not IMHO suitable for a "generic", "all round" investigation.

jaclaz


(@rich2005)
Honorable Member
Joined: 19 years ago
Posts: 541
 

> @bitshavers
>
> With all due respect, those are exceptionally good solutions ) to some cases only (and in the hands of people that really know where their towel is).
>
> With a RAW (or dd-like or "physical") image (which takes time to create, uses a lot of disk space, etc.) you have 100% of the information.
>
> With anything else you are extracting some subset(s) of the original information.
>
> The nice formats by X-Ways are IMHO appropriate, particularly the cleansed format in - as you say - e-discovery to deal with "privileged data" and the "skeleton", still in e-discovery, to maintain only a given format of file.
>
> But they are not IMHO suitable for a "generic", "all round" investigation.
>
> jaclaz

Isn't the point that the original poster is already doing targeted collections, and Brett's simply suggesting better ways of doing them, rather than the AD1 method? (I don't believe it's being suggested as a replacement for a full forensic image where appropriate/possible)


bshavers
(@bshavers)
Estimable Member
Joined: 20 years ago
Posts: 211
 

Not my place to say which image format is better than another for any given situation; each case is different, objectives vary, and each of us has our own personal preferences. The OP suggested Mount Image Pro, which is an option for mounting the AD container, but it still requires additional steps to access the data with other tools.

FTK Imager is a great imaging/collection tool and decent preview tool. My point is that AD advises that the AD1 file cannot be converted to a sector image format and can only be read by FTK. It is a nice (and free) tool, but it reduces data accessibility and can add quite a bit of time to mount, export, and/or convert into a different format for a non-AD tool to read.

Creating something different out of an AD1 container:
- Export the native files into a folder, and
  - Recapture the files from that folder using a different tool, such as EnCase, into a different container format such as an EnCase logical container, or
- Mount the AD1 container as a drive letter and recapture the mounted container as above, or
- Export the native files to external media (wiped prior) and
  - Create an image (dd or E01) of the external media

Or, create an E01 image on the initial targeted collection with X-Ways.

Fewer steps will reduce the risk of errors and mistakes, along with reducing the number of differently formatted source evidence files.


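The export-then-reimage workflow described above (export the native files to wiped external media, then take a dd image of that media), as an added shell example that is not code from any poster in this thread: it checks that the staging media really was wiped (reads back as all zero bytes) before the exported files go onto it, then takes a raw dd image of the media and verifies the image hash against the source. The device path and output file name are placeholders; `sha256sum` and, for block devices, Linux `blockdev` are assumed to be available. Note that the resulting image preserves the staging file system's layout, not the offsets of the files on the original drive.

```shell
#!/bin/sh
# Added example, not from the thread. Stage exported AD1 contents on wiped
# media, then take a dd raw image of that media with hash verification.

# Return 0 if the media (block device or a file standing in for one) contains
# only zero bytes, i.e. it was wiped before exported files were copied onto it.
is_wiped() {
    dev="$1"
    if [ -b "$dev" ]; then
        size=$(blockdev --getsize64 "$dev")   # assumed: Linux blockdev
    else
        size=$(wc -c < "$dev")
    fi
    # Compare the whole media against a zero stream of the same length.
    head -c "$size" /dev/zero | cmp - "$dev" >/dev/null 2>&1
}

# Image $1 to $2 with dd, record the SHA-256 of the image in "$2.sha256", and
# return 0 only if the image hashes identically to the source media.
image_media() {
    dev="$1"
    out="$2"
    # 512-byte blocks match the sector size, so conv=sync padding after a read
    # error never changes the image length; noerror keeps going past bad sectors.
    dd if="$dev" of="$out" bs=512 conv=noerror,sync || return 1
    src=$(sha256sum < "$dev" | cut -d' ' -f1)
    img=$(sha256sum < "$out" | cut -d' ' -f1)
    printf '%s  %s\n' "$img" "$out" > "$out.sha256"
    [ "$src" = "$img" ]
}

# Usage (placeholder paths): check the media before copying the exported files
# onto it, and image it afterwards.
#   is_wiped /dev/sdX || echo "staging media is not wiped"
#   image_media /dev/sdX /cases/targeted_export.dd || echo "hash mismatch"
```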
jaclaz
(@jaclaz)
Illustrious Member
Joined: 18 years ago
Posts: 5133
 

> Isn't the point that the original poster is already doing targeted collections, and Brett's simply suggesting better ways of doing them, rather than the AD1 method? (I don't believe it's being suggested as a replacement for a full forensic image where appropriate/possible)

I don't know what the point is. 😯

The OP, for what I see as "futile reasons" (had a limited amount of time to access a desktop for collection) and a colleague of his (for the same reason) both did something they didn't know enough about and then had issues.

I am pretty sure that Brett (whom I consider among the people who really know where their towel is ) ) is perfectly capable of choosing the "right" acquisition format suitable for the specific targeted acquisition/case and also load, mount, convert, transform, export and import, from and to each and every format, knowing exactly what each format contains or does not contain and which tool to use in each and every situation.

And surely the X-Ways formats he pointed out are (like most of the things connected with WinHex/X-Ways) intelligent, well designed and useful where appropriate.

Still, a dd-like image contains 100% of data, and any format containing less than that should be chosen only after being very, very sure that is suitable to the case at hand and that you know how to use it.

My previous post was only a generic warning of the kind

https://en.wikipedia.org/wiki/Objects_in_mirror_are_closer_than_they_appear

jaclaz


bshavers
(@bshavers)
Estimable Member
Joined: 20 years ago
Posts: 211
 

Every reply to the OP's challenge has been spot on, IMHO. From what I read, OP just needs to make data from an AD1 file accessible to Encase. The suggestions all work, but it's a bit like buying a square peg when you needed a round peg, then making the square peg fit in the round hole.

For a FTK shop, FTK Imager containers (AD1 files) of targeted data are awesome. No need to convert anything. But most shops are not solely FTK. For them, AD1 files are not awesome.

Full disk images can't be beat to make sure you get all the data, but this is becoming not-the-norm, especially in many ediscovery cases, and in the OP's case.

Personally, creating dd/e01 images of original source data, including just targeting limited/specific data as skeleton or cleansed images, has given me the least hassle, the most flexibility, and saved more time to make up for any cost of buying imaging software.

It's easy to create a proprietary container format from a forensic image. But, it's impractical (and practically impossible) to create a forensic image out of a proprietary container format.

*ps..has anyone seen my towel? i lose it all the time )


jaclaz
(@jaclaz)
Illustrious Member
Joined: 18 years ago
Posts: 5133
 

> *ps..has anyone seen my towel? i lose it all the time )

Here ;)
https://i.etsystatic.com/6691733/r/il/e28996/1423566132/il_fullxfull.1423566132_bnkb.jpg

jaclaz


Page 2 / 2