Encase quirk?

xandstorm
(@xandstorm)
Trusted Member
Joined: 9 years ago
Posts: 61
Topic starter  

Hi Guys,

Anyone tried to acquire an ad.1 evidence file as a disk and subsequently acquire its contents with Encase?

I have tried multiple times and at first look the acquisition is concluded successfully.
However, when opening the acquired E01 evidence file in Encase, there is no data at all.

I have done the following

1. Mounted the ad.1 image file as a disk / local device with several 3rd party applications. In all situations, the image is mounted successfully and the contents can be browsed through file explorer.

2. Subsequently successfully acquired the mounted disk with Encase through the "Add local device" option.

3. The acquisition runs smoothly and verification is successful.

But when opening the evidence file in Encase for further processing the evidence file contains no file system at all, only unallocated clusters.

I know that Encase and ad.1 files are not directly compatible, but acquisition through a mounted disk image (local device) should work, right?

The size of the E01 evidence file is as expected, no remarkable deviations here.

Anyone tried this before successfully?

Thanks guys.

jaclaz
(@jaclaz)
Illustrious Member
Joined: 18 years ago
Posts: 5133
 

Which "several third party tools"?

The "AD1" format is sort of a "logical filesystem" image; you cannot convert it to the "E01" type (which includes unallocated space, etc.).

You need to either recreate a (at this point "fake") filesystem and copy the contents to it, or use a specific tool (that essentially does the same, but automatically). The result, however, can only be an L01 and never an E01.

See here
https://www.forensicfocus.com/Forums/viewtopic/t=962/
http://www.forensicexplorer.com/forensic-image-converter.php

jaclaz

xandstorm
(@xandstorm)
Trusted Member
Joined: 9 years ago
Posts: 61
Topic starter  

Used FTK and Mount Image Pro and did indeed create a local file system with these tools, and subsequently tried to acquire that file system.

I'm fully aware that AD.1 is a logical evidence file that is not directly compatible with either Encase / E01.

That after acquisition Encase is only showing the data as unallocated clusters instead of the file system is the exact reason for my question.

Cheers!

jaclaz
(@jaclaz)
Illustrious Member
Joined: 18 years ago
Posts: 5133
 

Used FTK and Mount Image Pro and did indeed create a local file system with these tools, and subsequently tried to acquire that file system.

Not really-really, this is probably what threw you off.
The *whatever* FTK Imager or Mount Image Pro create in order to let you browse the directory structure with Explorer is not a "real" filesystem, rather a sort of "virtual" one.
If you prefer, it is nothing but *something* allowing you to explore the contents of the .AD1 file as if they were inside a filesystem.

I'm fully aware that AD.1 is a logical evidence file that is not directly compatible with either Encase / E01.

Yep, and as said you can create an empty filesystem, export the contents of the .AD1 file to it and then even create a .E01 of this filesystem (but it would make very little sense, as *any* data not present in the .AD1 would be "fake").
Making a .L01 (or using the given converter) makes more sense, as the info present in a .L01 is the same as what is in the original .AD1.

That after acquisition Encase is only showing the data as unallocated clusters instead of the file system is the exact reason for my question.

Yep, in theory Encase should throw an error/warning before starting the acquisition, as the source device is made (as far as Encase or any other software BUT the one you mounted it with can see) of all 00's.

jaclaz

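An added example from the editor, not code from EnCase, FTK Imager, Mount Image Pro or anyone in this thread: a small Python probe that reads a raw device or image the way a sector-level imager would and reports whether it carries an MBR/GPT, any recognisable volume boot records, and what share of sampled sectors are all 0x00. The two sample disks are constructed inline; the all-zero one is what a mounted .AD1 presented as a "device" looks like to such a tool, so a result like that before acquisition is the warning the thread says EnCase does not give.

```python
import struct

SECTOR = 512
# Volume boot-record magic values: (name, offset within the volume, expected bytes)
VOLUME_MARKERS = [
    ("NTFS", 3, b"NTFS    "),
    ("FAT12/16", 54, b"FAT1"),
    ("FAT32", 82, b"FAT32   "),
    ("ext2/3/4", 1024 + 56, struct.pack("<H", 0xEF53)),
]


def mbr_partition_starts(disk: bytes) -> list[int]:
    """Byte offsets of the used MBR partition entries (empty if there is no MBR signature)."""
    if disk[510:512] != b"\x55\xaa":
        return []
    # Each 16-byte entry: status, CHS start, type (offset 4), CHS end, LBA start, sector count
    entries = [struct.unpack_from("<4xB3xII", disk, 446 + 16 * i) for i in range(4)]
    return [lba * SECTOR for ptype, lba, _count in entries if ptype and lba]


def detect_volumes(disk: bytes) -> list[str]:
    """Filesystems whose boot-record magic appears at offset 0 or at an MBR partition start."""
    found = []
    for base in [0] + mbr_partition_starts(disk):
        for name, off, magic in VOLUME_MARKERS:
            if disk[base + off:base + off + len(magic)] == magic and name not in found:
                found.append(name)
    return found


def zero_fraction(disk: bytes, step: int = 64) -> float:
    """Share of sampled sectors (every `step`-th one) that are entirely 0x00."""
    offsets = range(0, len(disk) - SECTOR + 1, step * SECTOR)
    return sum(not any(disk[o:o + SECTOR]) for o in offsets) / max(1, len(offsets))


def probe(disk: bytes) -> dict:
    """What a sector-level imager would actually read from this device."""
    return {"mbr": disk[510:512] == b"\x55\xaa", "gpt": disk[SECTOR:SECTOR + 8] == b"EFI PART",
            "volumes": detect_volumes(disk), "zero_fraction": zero_fraction(disk)}


def build_sample(real_volume: bool) -> bytes:
    """Constructed 1 MiB disk: all zeros (the mounted-AD1 case) or an MBR plus an NTFS volume at sector 64."""
    disk = bytearray(1024 * 1024)
    if real_volume:
        disk[510:512] = b"\x55\xaa"
        struct.pack_into("<B", disk, 446 + 4, 0x07)        # partition type 0x07 (NTFS)
        struct.pack_into("<II", disk, 446 + 8, 64, 1984)   # start LBA, sector count
        disk[64 * SECTOR + 3:64 * SECTOR + 11] = b"NTFS    "
        disk[65 * SECTOR:] = b"\xa5" * (len(disk) - 65 * SECTOR)  # stand-in for file data
    return bytes(disk)
```

To use it on a real device, read the first few hundred MiB into `disk` (or adapt the functions to seek in a file object) and refuse to image when `zero_fraction` is 1.0 and no volumes are detected.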
xandstorm
(@xandstorm)
Trusted Member
Joined: 9 years ago
Posts: 61
Topic starter  

Makes sense, thanks for your feedback, appreciate it.
Have a Forensic Explorer dongle, will try the conversion option.

jaclaz
(@jaclaz)
Illustrious Member
Joined: 18 years ago
Posts: 5133
 

Makes sense, thanks for your feedback, appreciate it.
Have a Forensic Explorer dongle, will try the conversion option.

Good, keep us posted on how it goes.

jaclaz
