I have imaged a 1TB hard drive using EnCase. The file structure can be seen: files, folders, sizes, times and dates etc. However, whenever I click on a file in EnCase all it sees are zeros. Can anyone advise: is this some sort of encryption, or has the drive been wiped? I'm confused, as the folder structure is all there, the file system is NTFS and it has verified in EnCase.
I've tried to research this before posting without success.
Was this HDD part of a raid array?
It was seized from a counter top, not connected to any machines. It may have been part of an array at some point, but would I see a folder structure if it was a RAID disk?
The reason I mention this is that I've come across a similar situation before.
I had three images from a RAID 1 and was provided with the incorrect stripe size and sector offset.
On inputting the incorrect settings into EnCase, I could only see the folder structure and some files, but not everything.
Have you tried to identify files from the MFT and then identify their starting sector in disk view?
This should give an indication if the files existed.
RAID-1 does not have a stripe size; that is RAID-0.
I would start, as Dill suggests, by looking at MFT entries. If you cannot find the MFT then just search the raw image for the name, normally as Unicode, and examine the records within the MFT. Work out the start sector, if that information is still in the MFT, and see if the file exists there.
More likely a virus than encryption.
Knowing nothing about your disk, it could be an attempt to hide files. In this case do some data carving and see if files exist where the MFT may point to them.
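A worked illustration of the MFT check suggested above, added here as an example and not code from any poster in this thread: it decodes the non-resident $DATA data runs of an NTFS FILE record, turns the first run into a sector number for disk view, and reports whether every cluster the record points at reads back as zeros. It assumes a constructed record, a 4096-byte cluster (read the real value from the boot sector) and does not apply update-sequence fixups, which a real record needs before parsing.

```python
import struct

SECTOR = 512
CLUSTER = 4096   # assumed 8 sectors per cluster; take the real value from the boot sector

def parse_runs(buf):
    """Decode an NTFS data-run list into [(start LCN, cluster count), ...]."""
    runs, pos, lcn = [], 0, 0
    while buf[pos]:                                   # a 0x00 header byte ends the list
        len_sz, off_sz = buf[pos] & 0x0F, buf[pos] >> 4
        pos += 1
        count = int.from_bytes(buf[pos:pos + len_sz], "little")
        pos += len_sz
        # the offset is signed and relative to the previous run's start LCN
        lcn += int.from_bytes(buf[pos:pos + off_sz], "little", signed=True)
        pos += off_sz
        runs.append((lcn, count))
    return runs

def data_runs_of(record):
    """Walk a FILE record's attributes and return the non-resident $DATA runs.
    Simplification: update-sequence fixups are not applied to the record."""
    if record[:4] != b"FILE":
        return None
    pos = struct.unpack_from("<H", record, 0x14)[0]   # offset of the first attribute
    while True:
        atype, alen = struct.unpack_from("<II", record, pos)
        if atype == 0xFFFFFFFF or alen == 0:          # end-of-attributes marker
            return None
        if atype == 0x80 and record[pos + 8] == 1:    # $DATA, non-resident
            run_off = struct.unpack_from("<H", record, pos + 0x20)[0]
            return parse_runs(record[pos + run_off:])
        pos += alen

def first_sector(record):
    """Volume-relative sector where the file's data begins (for disk view)."""
    runs = data_runs_of(record)
    return runs[0][0] * (CLUSTER // SECTOR) if runs else None

def clusters_all_zero(image, record):
    """True when every cluster the MFT record points at reads back as zeros."""
    for lcn, count in data_runs_of(record) or []:
        if any(image[lcn * CLUSTER:(lcn + count) * CLUSTER]):
            return False
    return True

def build_record(run_bytes):
    """Constructed minimal FILE record carrying one non-resident $DATA attribute."""
    hdr = bytearray(0x38)
    hdr[:4] = b"FILE"
    struct.pack_into("<H", hdr, 0x14, len(hdr))
    attr = bytearray(0x40) + run_bytes
    attr += b"\0" * (-len(attr) % 8)                  # attribute length is 8-aligned
    struct.pack_into("<IIB", attr, 0, 0x80, len(attr), 1)
    struct.pack_into("<H", attr, 0x20, 0x40)          # data runs follow the header
    return bytes(hdr + attr + b"\xff\xff\xff\xff")

# constructed runs: 4 clusters at LCN 0x100, then 2 clusters at LCN 0x110
SAMPLE_RECORD = build_record(bytes.fromhex("21040001" "110210" "00"))
```

If the sectors that the runs point at are zero on the original drive (behind a write-blocker) as well as in the image, the data really is gone; if only the image is zero there, the imaging pass is what failed.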
ha!
Damn RAID arrays, I always get them mixed up!
It's very unlikely to be a RAID or striping issue, as you'd see a mass of problems when EnCase attempts to mount the MFT (big chunks would be missing/corrupt).
Is the host drive still present? I've seen EnCase quite happily miss out on a perfectly valid reason to crash out and carry on presenting the file system structure but return null bytes when the file data is read.
If the host drive is still there then I'd become very worried about the state of the image.
Check the logs to see how many bad sectors there were when the drive was imaged and, of course, verify the size of the image against the physical drive.
Thanks for the advice. The MFT is present and appears intact. I'm finished for the day now and will have a further look in the morning.
It sounds like you may just have a bad image with a good MBR reading. Have you tried looking at the contents of the original HDD through a write-blocker?
I think I meant good MFT reading.