I downloaded a file which was supposed to be a "raw" drive image. However, after I downloaded and unzipped it on my hard drive (XP) I ended up with four files labelled
freespace.000-003
This is what I see when I view the file with Qview:
I have been told that these were supposed to be "raw" files suitable for an FTK exam. Does anyone have any idea what the heck is happening here, and how I can fix this?
Thanks,
Mike
Have you added the .000 file as your evidence?
Maybe I missed something but it seems to be a pretty "normal" split raw image file.
Lots of imaging software, when asked to make a raw copy of a disk, splits the image into chunks that can fit on CDs/DVDs.
The size of each chunk is just right to fit on 650 MB CDs …
You should have no problems loading the files into FTK …
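Added example (not from anyone in this thread, and not part of FTK or any imaging tool): a small Python script that does what an examiner would want to confirm before loading a split raw set like freespace.000-003, namely that the segment numbering is gap-free, that every segment but the last is the same full size and under the assumed 650 MB CD cap, that there is enough free space beside the image, and what SHA-256 the segments produce when streamed back to back in numerical order (the same hash a tool computes after reassembling them). The sample segments are constructed in a temporary directory; the base name "freespace", the 1024-byte segment size and the thresholds are assumptions for the demonstration.

```python
import hashlib
import os
import re
import shutil
import tempfile

# Split raw images are named <base>.000, <base>.001, ... and concatenate in numerical order.
SEGMENT_RE = re.compile(r"^(?P<base>.+)\.(?P<idx>\d{3})$")
CD_SEGMENT_BYTES = 650 * 1024 * 1024  # assumed cap: the 650 MB CD-sized chunk from the thread


def find_segments(directory, base):
    """Return the segment paths for `base` in index order, refusing sets with gaps."""
    found = {}
    for name in os.listdir(directory):
        m = SEGMENT_RE.match(name)
        if m and m.group("base") == base:
            found[int(m.group("idx"))] = os.path.join(directory, name)
    if not found:
        raise FileNotFoundError(f"no segments named {base}.NNN in {directory}")
    expected = list(range(len(found)))
    if sorted(found) != expected:
        missing = sorted(set(expected) - set(found))
        raise ValueError(f"segment numbering has gaps; missing indices: {missing}")
    return [found[i] for i in expected]


def hash_concatenated(paths, chunk_size=1 << 20):
    """Stream the segments back to back through SHA-256, i.e. hash the logical whole image."""
    h = hashlib.sha256()
    for path in paths:
        with open(path, "rb") as f:
            for chunk in iter(lambda: f.read(chunk_size), b""):
                h.update(chunk)
    return h.hexdigest()


def verify_split_image(directory, base, max_segment_bytes=CD_SEGMENT_BYTES):
    """Check ordering, segment sizes and free space, and return a report for the case notes."""
    paths = find_segments(directory, base)
    sizes = [os.path.getsize(p) for p in paths]
    # Every segment but the last should be the same, full size; only the tail may be short.
    for idx, size in enumerate(sizes[:-1]):
        if size != sizes[0]:
            raise ValueError(f"segment {idx} is {size} bytes, expected {sizes[0]}")
    if sizes[0] > max_segment_bytes:
        raise ValueError(f"segments of {sizes[0]} bytes exceed the {max_segment_bytes}-byte cap")
    return {
        "segments": len(paths),
        "total_bytes": sum(sizes),
        "sha256": hash_concatenated(paths),
        # Free space where the image lives; unzipping needs at least the image size again.
        "free_bytes": shutil.disk_usage(directory).free,
    }


def build_constructed_image(directory, base, segment_size, total_size):
    """Write a CONSTRUCTED sample split image (not real evidence) and return its full bytes."""
    pattern = b"constructed sample drive image "
    data = (pattern * (total_size // len(pattern) + 1))[:total_size]
    for offset in range(0, total_size, segment_size):
        name = f"{base}.{offset // segment_size:03d}"
        with open(os.path.join(directory, name), "wb") as f:
            f.write(data[offset:offset + segment_size])
    return data


def demo():
    """Build a four-segment sample like the thread's freespace.000-003 and verify it."""
    with tempfile.TemporaryDirectory() as tmp:
        data = build_constructed_image(tmp, "freespace", segment_size=1024, total_size=3 * 1024 + 300)
        report = verify_split_image(tmp, "freespace")
        report["hash_matches"] = report["sha256"] == hashlib.sha256(data).hexdigest()
        return report


def demo_missing_segment():
    """Remove freespace.002 from a sample set and return the gap error message."""
    with tempfile.TemporaryDirectory() as tmp:
        build_constructed_image(tmp, "freespace", segment_size=1024, total_size=3 * 1024 + 300)
        os.remove(os.path.join(tmp, "freespace.002"))
        try:
            find_segments(tmp, "freespace")
        except ValueError as exc:
            return str(exc)
        return None


if __name__ == "__main__":
    print(demo())
    print(demo_missing_segment())
```

Run it against a real set by calling verify_split_image with the directory and the base name ("freespace"); a hash computed this way matches what you get after reassembling the segments, which is what you want recorded before the image goes into a case.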
As ddow mentioned above, start by adding the "image of the drive" that you got as evidence. Start with the "000".
Chuck is right - once you add the .000 image into FTK, the other files will load automatically in numerical order as long as you have them in the same directory.
Thanks to ALL you guys for the help! I expected a raw file to have a .raw extension, so the "freespace" stuff threw me off.
Two last questions. Is there any reason my computer would freeze when trying to unzip the file containing these images? I noticed that it opens two of them into a separate folder, then freezes. Perhaps the zip file is corrupted? Or do I need to try another decompression program?
Also, if FTK Imager does not automatically grab the other files after I start with the .000 file, is it OK to add them one by one?
Mike
Freespace was the name of the image. Could have been "Bobs computer" just as easily.
The system shouldn't freeze. I can think of two possible causes: lack of space (you'd need about 3-4 gig of free space) or a corrupted zip file.
Imager won't have anything to do with the files unless you're converting them to SMART or EnCase format.
FTK will grab the other files. I doubt you can add the others, I've never tried.
HTH.
Dennis
ddow - what do you think of vmware instead of the Cygwin stuff for Unix shelling?
Also, does anyone know whether, after I unzip the raw image file, I need to have FTK mount the image on a hard drive partition or a dedicated HD, or whether I can just pop the image into a folder on the same drive I am running FTK on and then begin examining?
Thanks Again!
Mike
Greetings,
Where did these images come from?
There are "anti-forensics" zip files out there that will cause forensics (and other) applications to hang while processing them. I don't recall all the details, but it has to do with long file names and/or deeply nested directories. Probably not the cause here, but….
Knowing where these images came from could help a lot.
-David
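Added example, not from David or anyone else in this thread: a Python pre-screen for the archive shapes David mentions. It reads only the zip's central directory (nothing is extracted, so a hostile layout never touches the filesystem) and reports entries with very long names, very deep nesting, paths that would land outside the extraction directory, and implausible compression ratios (the "zip bomb" pattern, where a small archive expands to many gigabytes and can fill the disk during unzipping). The thresholds and the sample archive are constructed assumptions for the demonstration, not values from any real case or tool.

```python
import io
import zipfile

# Thresholds are assumptions for this example, not values from any vendor tool.
MAX_NAME_LEN = 255   # longer than any single path component a normal filesystem accepts
MAX_DEPTH = 32       # directory nesting beyond this is not something a user made by hand
MAX_RATIO = 100.0    # uncompressed/compressed; real drive data rarely exceeds ~10:1


def inspect_zip(source):
    """Walk the central directory only (no extraction) and return a list of findings.

    `source` may be a path or a file-like object, as zipfile.ZipFile accepts both.
    """
    findings = []
    with zipfile.ZipFile(source) as zf:
        for info in zf.infolist():
            name = info.filename
            parts = name.split("/")
            short = name if len(name) <= 40 else name[:40] + "..."
            if len(name) > MAX_NAME_LEN:
                findings.append({"entry": short, "issue": "long name", "value": len(name)})
            if name.count("/") > MAX_DEPTH:
                findings.append({"entry": short, "issue": "deep nesting", "value": name.count("/")})
            # Absolute paths, ".." components or a drive letter would escape the target directory.
            if name.startswith("/") or ".." in parts or (len(name) > 1 and name[1] == ":"):
                findings.append({"entry": short, "issue": "path traversal", "value": name})
            if info.compress_size > 0:
                ratio = info.file_size / info.compress_size
                if ratio > MAX_RATIO:
                    findings.append({"entry": short, "issue": "high compression ratio",
                                     "value": round(ratio)})
    return findings


def build_constructed_zip():
    """Return the bytes of a CONSTRUCTED archive mixing one normal entry with the
    shapes flagged above. Nothing here came from a real case or a real download."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression=zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("normal/readme.txt", b"ordinary case notes")
        zf.writestr("a/" * 60 + "deep.txt", b"nested sixty directories deep")
        zf.writestr("long/" + "x" * 300 + ".txt", b"name longer than 255 characters")
        zf.writestr("../escape.txt", b"would land outside the extraction directory")
        zf.writestr("padding.bin", b"\0" * (1 << 20))  # 1 MiB of zeros deflates to about 1 KiB
    return buf.getvalue()


def demo():
    """Screen the constructed archive and return its findings."""
    return inspect_zip(io.BytesIO(build_constructed_zip()))


if __name__ == "__main__":
    for finding in demo():
        print(f"{finding['issue']:24} {finding['entry']}  ({finding['value']})")
```

Point inspect_zip at the downloaded archive before unzipping it; an empty list means none of these four shapes is present, which rules the archive in or out as the cause of the freeze before you spend time on the decompression software.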
Mike,
After you create the case, all you have to do is add the .000 as evidence.
Using VMware for shelling is like using a drill to cut wood. Drills are great tools, but just not for cutting wood. IMHO.