Can anyone please tell me why the Encase file finder often finds the same image multiple times when looking for images in unallocated space using the file finder?
I think it is because multiple MFT entries reference the same cluster? This happens because the original MFT record is out of use and a new MFT record with the image files references it and this happens multiple times?
And also, has anyone got any tips for viewing these images that are carved out of EnCase without exporting them? The EnCase image gallery viewer seems to crash due to the sheer amount of image files recovered, and also because I think some of the files are not true image files due to the footers not being present?
Thanks
The file finder script comments are
" This module will search a given case / machine for files which match
selected header/footer. This module has the option to
export the matching files to a local drive."
There is no mention of the MFT records being used. Are you sure the files share the same physical sectors? EnCase has problems with the gallery view and this is a common complaint.
There are several reasons why EnCase or any other carving tool is going to find multiples of the same image in unallocated clusters. It does not use the MFT for this process, but uses a header/footer combination for the carving. Like any file recovery program that is working on unallocated space, it will work best when it encounters contiguous clusters containing the image. So large images will often contain a lot of garbage.
If you are getting very large images that cannot be displayed, chances are that Encase can't find a footer and keeps looking until it finds a hex string it "thinks" is a footer. Then it simply says, "Ok I got a picture." and moves on even though the picture is completely corrupt.
The reason for the multiples is because of disk caching. Every time a file is opened, it has a chance to be cached to the disk, creating a duplicate in unallocated.
What version of Encase are you using? What is your machine configuration? I have not had Encase crash on gallery view in a long time even with over 100K images.
The other thing you can do with Encase is to set the amount of time it allows for attempting to show a "bad" image. I think the default is 12 seconds. I set mine lower than that since if it can't show the image in the first few seconds, the probability is very low it will be able to show it at all.
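The replies above describe header/footer carving in unallocated space: the carver scans for a known header, reads forward to the matching footer, and if no footer turns up it caps the carve and emits a corrupt file. The same bytes sitting in two places in unallocated space come out as two hits, which a hash of the carved bytes will expose as duplicates. The following is an added example of that logic written for this thread; it is not EnCase's file finder script and does not reproduce its internals. The JPEG start-of-image marker (FF D8 FF) and end-of-image marker (FF D9) are the real JPEG signatures; the 64 KiB cap for a footer-less carve and the sample "unallocated" buffer are constructed for illustration.

```python
import hashlib
from dataclasses import dataclass

# Real JPEG signatures: SOI marker followed by the first segment marker byte, and EOI.
JPEG_HEADER = b"\xff\xd8\xff"
JPEG_FOOTER = b"\xff\xd9"

# Assumed cap for a carve whose footer is never found (EnCase's own limit is not stated here).
MAX_CARVE_SIZE = 64 * 1024


@dataclass
class CarvedFile:
    offset: int          # byte offset of the header in the scanned buffer
    length: int          # number of bytes carved
    footer_found: bool   # False means the carve was capped and is probably corrupt
    sha256: str          # hash of the carved bytes, used to spot duplicates


def carve_jpeg(data: bytes, max_size: int = MAX_CARVE_SIZE) -> list[CarvedFile]:
    """Header/footer carve over a raw buffer, the way a file finder walks unallocated space.

    Assumes each image is stored contiguously; a fragmented image carves as garbage,
    and a missing footer yields a capped, footer-less (corrupt) file.
    """
    results = []
    pos = 0
    while True:
        start = data.find(JPEG_HEADER, pos)
        if start == -1:
            break
        end = data.find(JPEG_FOOTER, start + len(JPEG_HEADER))
        if end != -1 and end + len(JPEG_FOOTER) - start <= max_size:
            length = end + len(JPEG_FOOTER) - start
            footer_found = True
        else:
            # No footer within the cap: emit what we have, flagged as incomplete.
            length = min(max_size, len(data) - start)
            footer_found = False
        chunk = data[start:start + length]
        results.append(CarvedFile(start, length, footer_found,
                                  hashlib.sha256(chunk).hexdigest()))
        pos = start + length  # resume after this carve so its own bytes are not rescanned
    return results


def dedupe(carved: list[CarvedFile]) -> tuple[list[CarvedFile], list[tuple[CarvedFile, CarvedFile]]]:
    """Split carves into first-seen uniques and (duplicate, original) pairs by content hash."""
    seen: dict[str, CarvedFile] = {}
    unique, duplicates = [], []
    for f in carved:
        if f.sha256 in seen:
            duplicates.append((f, seen[f.sha256]))
        else:
            seen[f.sha256] = f
            unique.append(f)
    return unique, duplicates


def build_sample_unallocated() -> bytes:
    """Constructed stand-in for unallocated clusters: one image present twice, plus a
    truncated copy with no footer. Not data from any real disk."""
    image = JPEG_HEADER + b"\xe0" + bytes(range(64)) + JPEG_FOOTER
    truncated = JPEG_HEADER + b"\xe0" + b"\x11" * 100  # header but no EOI marker
    filler = b"\x00" * 512
    return filler + image + filler + image + filler + truncated


if __name__ == "__main__":
    hits = carve_jpeg(build_sample_unallocated())
    unique, dupes = dedupe(hits)
    for h in hits:
        state = "complete" if h.footer_found else "NO FOOTER (likely corrupt)"
        print(f"offset {h.offset:6d}  len {h.length:6d}  {state}  {h.sha256[:12]}")
    print(f"{len(hits)} carved, {len(unique)} unique, {len(dupes)} duplicate(s)")
```

Running it on the constructed buffer yields three carves: two complete copies of the same image at different offsets (one unique, one duplicate by hash) and one capped, footer-less carve of the truncated copy. Hashing carved output this way is a cheap pre-filter before loading a large carve set into a gallery viewer: skip the duplicates, and review or drop the footer-less entries separately rather than letting the viewer choke on them.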