Hi,
I've recently attempted to acquire a Logical Evidence acquisition of 900,000+ files on an external hard drive. I am using EnCase Imager 7.10.00.103 64-bit, and dropping the evidence into Lx01 files. My forensic workstation is running Windows 7 x64 Ultimate.
When getting ready to acquire the selected files, Imager indicated I was capturing 830ish gig of data. I did not use any compression.
When I've returned in the morning, it appears to have completed, however I only have approx 700GB of Lx01 files. I compared the number of files captured to the original dataset and they match at approx 900,000+ files (according to the Dickson box). I have also imported the evidence files into EnCase Examiner 7, which still show the correct number of files, and when I go to export the data (Copy Folders) it says I will be exporting 830GB of data. I'm concerned about the fact that I'm supposed to have captured 830GB of data (with no compression) but I only have 700GB of Lx01 files. I still have the original evidence, so I'm happy to run the capture again, but would like to bottom this out.
Anyone had experience with this?
Cheers
Just as an update to everyone, I spoke to Guidance Software about this, and they advised that files added to a logical evidence file are transparently de-duped, which was likely to be the reason for my 100GB+ of missing data.
I have tested this and found that I have 700GB of unique files, which solves the mystery.
Thanks