Hi All, been scratching my head over this one.
I have a drive image loaded from archive.
Encase 6.8 displays the image as having a dynamic drive with only one NTFS 3.0 drive partition.
FTK 1.62.1 however displays the same image as having two NTFS drive partitions, each with W2K folder and file structures on them.
Is there anything to watch out for in Encase when dealing with dynamic drives - perhaps if they're raid'd a script to run, or a function I need to invoke to display dynamic drives correctly?
Any help would be appreciated.
Thanks
Update The plot's thickening.
There's obviously a gap in my encase usage knowledge here.
I discovered the 'scan disk configuration' option in encase and after running it found 2 more mirrored partitions.
On these partitions the folder structures display in encase ok and look familiar, but no files show within them in the table pane.
I suspect some further procedure is required here.
Update Tues. 25/8/09.
1. I discovered that I had left my filter conditions on and needed to switch them off which was why the files weren't showing.
2. That all the bookmarks I made before discovering the 'scan disk configuration' function, on the partition visible before mounting the mirrored volumes are now invalid. They now point to 'disk configuration mapped sectors' as the drive/path location. That's about 8 or 900 odd files.
I can't see any way of rescuing these. My encase backup files have been overwritten with later saved versions that don't show them.
Is it possible to 'unmount' the mirrored drives somehow in encase. It doesn't look like it.
Just to round this one up I discovered I also needed to load both hard drives in the same encase session before running the scan disk function.
I tried this and it makes the whole setup seem a lot clearer. Had I known I would have done this in the first place. Unfortunately I was handed the image files on a set of DVDs from the archive that someone else had made a while ago before leaving and given no instructions on what had been done.
Also here in the labs we have a strict policy of examining one hard drive per encase session, so I was doing my best to adhere to that.
I have learnt a lot.
By the way. I've tried to update and conclude this thread as I notice a lot of posts on this forum seem to get left open after appearing to start rather urgently with a request for help.