Just checked again, it adds the session but within the session is nothing.
The unallocated clusters add up to the space that the movie would take up.
The image I have just done, when added to Encase as a raw image, didnt show the movies, just the device, the session and unallocated clusters.
Whereas, the same image added to FTK 1.7, shows the movies. And with the FTK adding process, I didnt have to worry about parameters, etc. it just did it.
OK, so I created another image of the same CD-R with the trial version of ISO Buster, and again FTK was able to present it with the movie in place.
Tried the same with Encase, same as before, device, session but no movie.
When adding a raw device, would I be right in thinking its a RAW CD-ROM and adding the ISO/BIN, that should pretty much do it, shouldnt it?
This is what I have been doing, amongst other settings trying to get it to work!
I just recently saw a presentation about this by Dave Crowley, the president and head programmer from Infinadyne (CD/DVD Inspector).
In short, stop using Encase for CD/DVDs, it won't see the open sessions.
Someone specifically asked him "What do I need your program (Inspector), why can't I just load the disc into Encase and do forensics from there" to which Mr Crowley went into a long explanation about what Inspector does that Encase is not programmed to do.
Mr Crowley is the recognized expert on all things disc related.
He suggests that people use Inspector to extract all the files from discs, then load the extraction into "Insert forensic tool of choice here".
You might try to get a Demo of Inspector from their website?
Regards
\M
No, I have no financial interest in Infinadyne.
I was under the impression ISO Buster was the best to see 'open sessions' on CD/DVD's. Sounds like the CD Inspector is also 'the best' to use. Why not use ISO Buster OR CD Inspector to create your image then load the image files to FTK - download the free demo version for use. Just have to add BOTH the .iso file AND the .cue file to see all images…don't forget the .cue file that is created..you won't see all images if you don't add that to the case evidence.
Funny you should say that but in encase v6.18, if you add the cue file it crashes.
Couldn't believe it so did it again and sure enough, it bugs out, start again.
This is one occasion where FTK, even an old version, shows the latest version of Encase up.
Anyway, politics aside, I have emailed the good folk at CD/DVD INSPECTOR for a demo, see what it's all about, although ISO Buster is mighty impressive.
I heard back from them 5 business days after my initial voicemail message AND email. The lady on the phone said ya, about the quote you asked for, which model did you want. In my message and email I asked for a quote on all of the robotic loaders (I believe there are 4) and we said thanks, but we already bought one. She said oh really, which one. Not sure why she'd try to get that information, but I've been thoroughly unimpressed with their sales, CS, etc.
Funny you should say that but in encase v6.18, if you add the cue file it crashes.
Couldn't believe it so did it again and sure enough, it bugs out, start again.
This is one occasion where FTK, even an old version, shows the latest version of Encase up.
Anyway, politics aside, I have emailed the good folk at CD/DVD INSPECTOR for a demo, see what it's all about, although ISO Buster is mighty impressive.
I feel your pain on their sales force. I've had the same issue when I contacted sales. Gert still hasn;t responded to my email.
They are a real small Mom and pop shop - really. The president is also the head programmer and training instructor. I met him and his wife (running the booth) at HTCIA conf.
I will say the the Inspector tool is the only thing we use for extracting data from discs.
I sent an email last night and got a response the early hours of this morning along with a download link for the eval software.
Obviously, I cant complain!
I have now tried the ISO and BIN format of the image, created in FTK and ISO Buster (did it twice).
Only question I have is that the pre-sector and post sector bytes setting in Encase, when you click Add Raw Image, changes from 24 to 16 bytes and 280 to 288 when the image is added as a Raw CD-ROM.
But I noticed in FTK, while looking at the live CD for clues, that the data is present from 32.
I am guessing Encase is extracting a setting from the image.
Is the Encase setting to be trusted?