Does anyone know of a free acquisition tool that can be run on a system (dead or live) that can extract JUST unallocated space?
thanks,
Jacob
Yes, FTK Imager
How about blkls?
It's part of the Sleuthkit
http//
Paul
Thanks
Hello,
When looking at FTK Imager I didn't see the option to just image the unallocated space of the drive. The only options were the whole drive, the logical drive, a particular file (which stated that it was not going to get the unallocated spaces etc.).
Pbobby, please let me know where the option is to just image the unallocated space is.
Thanks,
Mount the drive/image in FTK Imager and it will show you the unallocated drive.
To make it clear. To image unallocated space.
After mounting image/drive in FTK Imager, You will see [unallocated space] folder in Evidence Tree window.
Now just right click “Export Files” (and recommended “Export File Hash List” which will compute md5 and sha1)