I've just had to image a spanned RAID of over 2TB which had the entire MFT corrupted, and I need to recover all of the contents. The disks were almost entirely full. X-Ways won't deal with spanned disks of over 2TB, FTK won't recover the folders, and EnCase eventually recovered the folders fine but is telling me that it will take over 100 years(!!!!!) to copy the folder structure and files back.
Now, seeing that I can't really wait 100 years to get the information I need, does anyone know of any tools out there that will do this job a lot quicker?
Joe Thomas
If you use the EnCase virtual disk emulator you will be able to mount the disk with the recovered folders present in the mount.
You can then copy them out or search through their contents any way you please.
Hope this helps
Steve
Will that keep the folder structure?
Yes, the virtual disk emulator (mount as network share) keeps everything that shows in EnCase.
Physical disk just shows things from the original E01s.
Hope I've got that the right way round. I'm 100% sure one of them keeps recovered folders and mounted files, 95% sure it's the virtual disk emulator.
Ah, yes, I've just tested it on a spare machine and that appears to work… I will need to reboot my system though, which means waiting 9 hours for the case to load!
Thanks
Joe Thomas
Beware of the problems with mounting as a network share in EnCase. It has been reported that the first 4GB are copied over and over so you only ever see the information from the first 4GB.
Glad I could help. I only recently picked that up on an EnCase course myself; it's a very useful function.
Will have to be buying that module myself I think. If you are having problems mounting it though, ensure all your certs and extra modules are up-to-date or you might end up spending the 9 hours opening the case for nothing lol
Beware of the problems with mounting as a network share in EnCase. It has been reported that the first 4GB are copied over and over so you only ever see the information from the first 4GB.
More info here www/
Just checked this in the latest 64-bit version of EnCase and it seems OK. Not sure when it was fixed, although I know it took well over a year.
This bug has been fixed.
And lest people assume the wrong idea - the problem was with single files >= 4gigs, not just 4gigs of data in general.
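A check for the symptom described in the posts above (single files of 4 GB or more whose contents past the 4 GB mark are the first 4 GB again), as an added example that is not part of the original thread and is not EnCase code. The function names and the periodic-repeat test are assumptions drawn only from that description; the sample files are constructed and use a 4 KiB period in place of 4 GiB.

```python
import os
import tempfile

GIB = 1024 ** 3

def repeats_with_period(path, period=4 * GIB, block=1024 * 1024):
    """Return True if every byte past `period` equals the byte `period` earlier.

    That is the reported symptom: a file larger than 4 GB whose data past
    the 4 GB mark is just the first 4 GB copied again.
    """
    if os.path.getsize(path) <= period:
        return False              # nothing past the boundary to compare
    with open(path, "rb") as early, open(path, "rb") as late:
        late.seek(period)
        while True:
            b = late.read(block)
            if not b:
                return True       # reached EOF without finding a difference
            if early.read(len(b)) != b:
                return False

def scan_tree(root, period=4 * GIB):
    """Walk a copied-out folder tree and list files showing the repeat symptom."""
    suspects = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if repeats_with_period(full, period):
                suspects.append(full)
    return sorted(suspects)

def _demo():
    """Constructed sample data, with a 4 KiB period standing in for 4 GiB."""
    root = tempfile.mkdtemp()
    period = 4096
    first = os.urandom(period)
    with open(os.path.join(root, "wrapped.bin"), "wb") as f:
        f.write(first + first + first[:1000])    # repeats the first window
    with open(os.path.join(root, "intact.bin"), "wb") as f:
        f.write(first + os.urandom(period))      # differs past the boundary
    with open(os.path.join(root, "small.bin"), "wb") as f:
        f.write(first[:100])                     # below the boundary
    return [os.path.basename(p) for p in scan_tree(root, period)]

if __name__ == "__main__":
    print(_demo())
```

A hit is a lead rather than proof, since all-zero or genuinely periodic files also match; confirm by hashing the same file exported directly from the evidence.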