Dealing with very l...
 
Notifications
Clear all

Dealing with very large amounts of data  

  RSS
joethomas
(@joethomas)
Member

I've just had to image a spanned raid of over 2TB which had the entire MFT corrupted, and I need to recover all of the contents. The disks were almost entirely full. X-Ways won't deal with spanned disks of over 2TB, FTK won't recover the folders and EnCase eventually recovered the folders fine but is telling me that it will take over 100 years(!!!!!) to copy the folder structure and files back.
Now, seeing that I can't really wait 100 years to get the information I need, does anyone know of any tools out there that will do this job a lot quicker?

Joe Thomas

Quote
Posted : 18/03/2009 4:08 pm
mobileforensicswales
(@mobileforensicswales)
Active Member

does anyone know of any tools out there that will do this job a lot quicker?

Joe Thomas

If you use the EnCase virtual disk emulator you will be able to mount the disk with the recovered folders present in thee mount D

You can copy them out or search through their contents any way you please then

Hope this helps

Steve

ReplyQuote
Posted : 18/03/2009 4:15 pm
joethomas
(@joethomas)
Member

Will that keep the folder structure?

ReplyQuote
Posted : 18/03/2009 4:21 pm
mobileforensicswales
(@mobileforensicswales)
Active Member

Yes, the virtual disk emulator (mount as network share) keeps everything thats shows in encase

Physical disk just shows things from the original E01's S

Hope I've got that the right way round, I'm 100% sure one of them keeps recovered folders and mounted files 95% sure its the Virtual disk emulator D

ReplyQuote
Posted : 18/03/2009 4:25 pm
joethomas
(@joethomas)
Member

Ah, yes i've just tested it on a spare machine and that appears to work… I will need to reboot my system though which means waiting 9 hours for the case to load!

Thanks

Joe Thomas

ReplyQuote
Posted : 18/03/2009 4:28 pm
DFICSI
(@dficsi)
Active Member

Beware of the problems with mounting as a network share in EnCase. It has been reported that the first 4GB are copy over and over so you only ever see the information from the fist 4GB.

ReplyQuote
Posted : 18/03/2009 4:30 pm
mobileforensicswales
(@mobileforensicswales)
Active Member

Glad I could help, I only recently picked that up on an EnCase course myself its a very useful function

Will have to be buying that module myself I think. If you are having problems mounting it though ensure ll your certs and extra modules are up-to-date or you might end up spending the 9 hours opening the case for nothing lol

ReplyQuote
Posted : 18/03/2009 4:31 pm
PaulSanderson
(@paulsanderson)
Senior Member

Beware of the problems with mounting as a network share in EnCase. It has been reported that the first 4GB are copy over and over so you only ever see the information from the fist 4GB.

More info here www/sandersonforensics.com/Files/Encase%20mounted%20wrap%20bug.pdf

Just checked this in the latest 64 bit version of EnCase and it seems OK - not sure when it was fixed although I know it took well over a year.

ReplyQuote
Posted : 18/03/2009 4:57 pm
Ivalen
(@ivalen)
Junior Member

This bug has been fixed.

And lest people assume the wrong idea - the problem was with single files >= 4gigs, not just 4gigs of data in general.

ReplyQuote
Posted : 19/03/2009 3:32 am
Share: