I imaged a server jump box using dc3dd from a bootable SIFT flash drive. The box was part of a RAID 1 configuration, so it was mirrored but not striped. Loaded the raw image into EnCase.
This is where things get interesting.
The file structure is intact, all of the file names, MAC times, locations, etc. are intact. There are many user folders, such as Application Data, My Documents, and Local Settings, that show as symbolic links elsewhere. When I navigate to these locations, the files appear to be there. However, every single file shows its contents as being all zeros. This includes the registry hives.
Has anyone ever encountered this, or heard about something similar happening?
I imaged a server jump box using dc3dd from a bootable SIFT flash drive. The box was part of a RAID 1 configuration, so it was mirrored but not striped. Loaded the raw image into EnCase.
This is where things get interesting.
The file structure is intact, all of the file names, MAC times, locations, etc. are intact. There are many user folders, such as Application Data, My Documents, and Local Settings, that show as symbolic links elsewhere. When I navigate to these locations, the files appear to be there. However, every single file shows its contents as being all zeros. This includes MFTs and registry hives.
Has anyone ever encountered this, or heard about something similar happening?
I am not sure to understand. (actually I am sure I don't understand ? )
If they are symbolic links AND they are "elsewhere" they evidently are not there roll, and the software you are using *somehow* "renders" these files as 00's.
If the MFT is all zeroes, HOW/WHERE are you reading the filesystem structure that you say is intact?
Is something *like* this?
http//
jaclaz
I'm sorry, I misspoke (or mistyped, I should say). The MFT is not zeroed, however the registry files are. If I follow the symbolic links to their location, the files are there according to the file structure shown by EnCase. However, when viewing the hex of the files they appear as zeros.
I imaged a server jump box using dc3dd from a bootable SIFT flash drive. The box was part of a RAID 1 configuration, so it was mirrored but not striped. Loaded the raw image into EnCase.
RAID 1 … even so, it wasn't a hardware RAID, was it? EnCase … version? Did you hash the image after acquiry … is there anything for EnCase to verify?
You didn't retain the system logs from SIFT? If something went wrong during acquiry, that's where the info most probably would be.
The file structure is intact, all of the file names, MAC times, locations, etc. are intact. There are many user folders, such as Application Data, My Documents, and Local Settings, …
How do you know? Have you checked all of it, or only some parts? Would you have detected if every fiftieth file/directory was missing?
What disk sizes are we talking about? Source drive as well as image drive? What was your acquiry command line, and did dc3dd report anything when it was finished?
When I navigate to these locations, the files appear to be there. However, every single file shows its contents as being all zeros. This includes the registry hives.
Has anyone ever encountered this, or heard about something similar happening?
Navigate how? In EnCase? Have you tried mounting the drive read-only … with FTK Imager? In particular, have you tried runnig chkdsk on it to verify that you are looking at a sound file system? (If not, do so … you can run chkdsk 'read-only'.)
If it is EnCase that gives you the weird results, use FTK Imager (or whatever else you use) to cross-check.
EnCase is known to do weird things in certain situations.
I remember at least one similar thread in the EnCase support forum, but it never seemed to have come to a conclusion. A faulty drive was the main suspect, and probably a drive that failed sometimes during acuiry. In that case, MFT was present (so all 'resident files' were OK). Are *all* your files empty, or only those larger than ~500-700byte or so?
Have you checked by hand that the sectors pointed to by the MFT are correct, and that the actual sectors are blank?
Try scanning the raw disk to which sectors have data, and which are blank. Dos this tie up with your Encase / FTK investigations?
It could be the case that EnCase is able to read the filesystem and then, for whatever reason, encounters some kind of I/O failure reading data off the drive that causes it to, let's say, "lose the connection" to the drive. That is, it could be that EnCase is in a bad state.
What you are describing is how EnCase behaves when it loses the TCP/IP connection to a previewed device in the Enterprise version. It's not inconceivable it could exhibit the same behavior when it encounters a problem with the drive.
Perhaps re-preview it? And try another tool?
Good luck,
Jon
I recently had a case in which the same thing happened. I could see a file structure in EnCase but could not look at the files themselves.
In the end I re-imaged everything and it worked, so can only assume it was some type of imaging problem.