Anyone know if there are any limitations for Encase v5 with modern Windows images? I have many extra dongles that we never upgraded and wanted to know if they could still be used by my eDiscovery group for basic tasks such as exporting files from images and creating file listings.
Just use Autopsy 3.10
It's free and works great!
Anyone know if there are any limitations for Encase v5 with modern Windows images? I have many extra dongles that we never upgraded and wanted to know if they could still be used by my eDiscovery group for basic tasks such as exporting files from images and creating file listings.
sounds like ftk imager can do the job
Since no one else will answer your question, I'll give it a stab.
I don't know when EnCase version 5 came out. Nor do I have a copy to test for you.
However, NTFS hasn't really been updated since Windows XP came out in 2001.
Thus, I suspect you should be fine for what you need.
However, NTFS hasn't really been updated since Windows XP came out in 2001.
Yes and no.
A type of Symbolic link (that were already available in the XP NTFS) were never used in practice because the XP filesystem driver was not capable of taking advantage of them (but in Vista filesystem driver the functionality was introduced).
http//
It is possible that an pre-Vista tool (and also a post-Vista one wink ) may miss or misinterpreter these.
With Vista was introduced also Transactional NTFS, now deprecated
http//
(though this won't affect normally a "static" image/snapshot).
jaclaz
Anyone know if there are any limitations for Encase v5 with modern Windows images? I have many extra dongles that we never upgraded and wanted to know if they could still be used by my eDiscovery group for basic tasks such as exporting files from images and creating file listings.
EnCase didn't (and as far as I am aware still doesn't) natively support files in volume shadow copies. If you need to look at these with EnCase you need to mount each shadow as a drive letter and add it as a logical volume - slow, a pita and a real problem if you have more than a handful - the most I am aware of is 111 shadows!
plug- Reconnoitre (I am the author) was designed to support VSCs - happy to provide a fully functional demo if you'd like a copy.
However, NTFS hasn't really been updated since Windows XP came out in 2001.
Depends.
If you take an image of a Windows Server 2012 SP 2 (I think it is) file system which has data deduplication enabled, and applied, EnCase 5 will be able to handle to handle the NTFS file records, but you won't be able to examine the file contents.
(Added You'll just see a lot of reparse points …)
This is a kind of 'on-top-of-NTFS' feature, so strictly speaking NTFS may be unchanged. It still will have an analyst who doesn't know about it rather confused,