Forums
Main Category
General (Technical,...
Error mounting E01 ...
 
Notifications
Clear all

Error mounting E01 image in FTK Imager

 
General (Technical, Procedural, Software, Hardware etc.)
Last Post by MissIcey 11 years ago
8 Posts
4 Users
0 Reactions
15 K Views
RSS
 MissIcey
(@missicey)
Active Member
Joined: 11 years ago
Posts: 12
Topic starter 19/10/2014 9:49 pm  

Good Morning,

My name is Jessica and I am a digital forensic & Cyber Sec grad student. I ask this question here because I have exhausted all possibility and wish to keep my hair and laptop intact -)

My current assignment is to rip the registry from a provided image and perform usb forensics. Unfortunately, the image will not mount in FTK Imager. When I attempt to add the image as evidence it states "does not contain valid evidence", when I attempt to mount the image it states "does not contain valid evidence, image detection failed". I tried to use sys tools but am denied access to a 14 day trial, I have also tried autopsy and receive "no stored hash error". I am unsure if this is a critical error, but I also do not see any files in Autopsy. I have googled and cannot find a post that replicates my current situation. I was under the impression FTK Imager could mount E01 files, but it appears I can only use encase?

Any help is appreciated,
Jessica


   
Quote
 shep47
(@shep47)
Trusted Member
Joined: 15 years ago
Posts: 51
19/10/2014 9:59 pm  

Hi Jessica,

FTKi will mount E01's and extracting the files is a simple process. But it sounds like either your E01 or FTKi install is corrupt. I would try addressing both by reacquiring the E01 and reinstalling FTKi and try again.

Good luck


   
ReplyQuote
jaclaz
 jaclaz
(@jaclaz)
Illustrious Member
Joined: 18 years ago
Posts: 5133
19/10/2014 10:07 pm  

I was under the impression FTK Imager could mount E01 files, but it appears I can only use encase?

Any help is appreciated,
Jessica

There are a number of tools that can access/mount .E01 files, some of which are Freeware/Free/Opensource.

Among them IMDISK and Arsenal Image Mounter (through discutils)
http//reboot.pro/topic/19725-mounting-windows-81-disk-from-ewf/
or through a proxy
http//reboot.pro/topic/19940-ewf-proxy-for-imdisk/
and OSforensics OFSmount (I believe "directly")
http//www.osforensics.com/tools/mount-disk-images.html

Some older info
http//windowsir.blogspot.it/2009/11/even-more-linky-goodness.html

It is possible that *somehow* your .e01 file is corrupted, have you a way to checksum it against a "known to be good" copy?

jaclaz


   
ReplyQuote
 MissIcey
(@missicey)
Active Member
Joined: 11 years ago
Posts: 12
Topic starter 19/10/2014 10:14 pm  

Hi Shep,

Thanks for your response. I have ripped the registry for a previous class and agree it is simple. The image was provided by the professor. I have emailed with no response as of yet. I will reinstall FTKi and hope to receive a response from the prof soon.

Thanks much,
Jess

Hi Jessica,

FTKi will mount E01's and extracting the files is a simple process. But it sounds like either your E01 or FTKi install is corrupt. I would try addressing both by reacquiring the E01 and reinstalling FTKi and try again.

Good luck


   
ReplyQuote
 MissIcey
(@missicey)
Active Member
Joined: 11 years ago
Posts: 12
Topic starter 19/10/2014 10:28 pm  

Hi Jaclaz,

Thanks kindly for all of the information. I actually mounted it in OSF Mount but did not see an option to delve into the image or export. I will look at it a second time, as well as the links you have provided. I do not have a copy to checksum against, just the one provided by the professor for the assignment.

Greatly appreciate your help,
Jess

I was under the impression FTK Imager could mount E01 files, but it appears I can only use encase?

Any help is appreciated,
Jessica

There are a number of tools that can access/mount .E01 files, some of which are Freeware/Free/Opensource.

Among them IMDISK and Arsenal Image Mounter (through discutils)
http//reboot.pro/topic/19725-mounting-windows-81-disk-from-ewf/
or through a proxy
http//reboot.pro/topic/19940-ewf-proxy-for-imdisk/
and OSforensics OFSmount (I believe "directly")
http//www.osforensics.com/tools/mount-disk-images.html

Some older info
http//windowsir.blogspot.it/2009/11/even-more-linky-goodness.html

It is possible that *somehow* your .e01 file is corrupted, have you a way to checksum it against a "known to be good" copy?

jaclaz


   
ReplyQuote
 MissIcey
(@missicey)
Active Member
Joined: 11 years ago
Posts: 12
Topic starter 19/10/2014 10:49 pm  

Hi All,

I have received response from the Prof and his MD5/SHA1 are the same as the values I generated. At this point, I will telnet into the school and use their encase. I am just curious as to why this is happening so it bugs me.

Thanks all,
Jess


   
ReplyQuote
 Cults14
(@cults14)
Reputable Member
Joined: 17 years ago
Posts: 367
21/10/2014 9:54 pm  

I had problems earlier this year mounting E01 in FTKI, found that reverting to an earlier version worked OK - think I went back to 2.9x

Don't rememebr that specific error message though


   
ReplyQuote
 MissIcey
(@missicey)
Active Member
Joined: 11 years ago
Posts: 12
Topic starter 21/10/2014 10:40 pm  

Hi Cults,

After much digging, it turned out that the E02 and E03 files did not download appropriately. I deleted all and downloaded from scratch and finally got it to work. Thanks much for your help!

Jess

I had problems earlier this year mounting E01 in FTKI, found that reverting to an earlier version worked OK - think I went back to 2.9x

Don't rememebr that specific error message though


   
ReplyQuote
Forum Jump:
  Previous Topic
Next Topic  
Share: