I took an image of an OS Partition using FTK Imager as an EO1 file. Never really took a logical image before because I always take full physical images (best practice) but I wasn't calling the shots this time. So now I can only see the volume stacks, txf, etc. and not the drive structure. I know I should have taken an ad1 image but I only have EnCase and not a full FTK. So, is there any way to load this or do I need to go back and take another image? Mahalo!
Do you understand the difference between logical and physical images?
Yes of course. I just found it odd that ftk imager would allow you to select logical and then select EO1. I figured this would be the outcome, but I suppose I was just hoping there was some way to mount it. Either way I got the drive back and took the physical image.
Do you understand the difference between logical and physical images?
I think by logical he means a copy to a file, such as his E01, or maybe a DD image. A physical would be a clone to another physical disk drive
The problem this time was that the image was just the partition and not the full disk
I asked because you are referring to E01 (e zero 1) as EO1 (e oh 1), and your concept of logical imaging. E01 images are sector images. E01 is not aware or cares of file system structure.
A logical image of a drive, would create a volume image at most, not the partition. Although in PC world we often use partition and volume interchangeably, they are not the same. As a matter of fact, vendors often intermingle the two separate and different concepts.
Back to FTK Imager - if you image a "logical drive" (note that it is not logical image - it is logical drive) using E01 image you will get the whole partition, including folder and file structure, and the various associated slacks.
FTK Imager will not let you create a logical image in the E01 format. If you select "Contents of a Folder", which is the logical image, it defaults to AD1.
If you have an E01, it is most likely a full partition. You should have full access to the files.
Yes of course. I just found it odd that ftk imager would allow you to select logical and then select EO1. I figured this would be the outcome, but I suppose I was just hoping there was some way to mount it. Either way I got the drive back and took the physical image.