Hi,
I have an E01 file that has a hidden partition in it created by "NTI Ninja" http//
Many thanks in advance!
E01 is just a file format for lack of a better easy explanation - you are not tied directly to EnCase as a tool for examination. That being said, what do you normally use?
There is a partition finder in EnCase under the EnScripts -> Case processor EnScript - have you run that?
The logical disk configuration is what it is - the normal offsets and start and end points should be consistent with the OS and/or partition tables you expect to be present or that show when you load the image.
So how did you come to the realization that it was a NTI image? Told or discovered? If discovered how so?
Not knowing your budget, but $19.99 is worth little time so can you expense the purchase to set up an experiment? They offer a free trial as well. What if you took a fresh load of the target OS on a test disk. Imaged and then loaded NTI and did a second image and compare the results?
Just for the record, the actual link is this one
http//
(in the OP the final period became part of the url and makes it invalid)
OT: oops, I wonder what's in the heads of the marketing team over there
NTI Ninja is an exciting software that maximizes data protection by using a driver level 256 bit AES encryption technology to create private and public partitions on USB storage devices.
😯 exciting??
jaclaz
Umm, there isn't actually a question in your post…
Hey thanks for your help so far, I am learning! When I go to the Case Processor, create a folder then next, I have the "Partition Finder", I'm not sure what to do next. I assume I have to mount it but not sure how. I just can't seem to find any information on it!
Thanks so much!
If I may - you should not be using a tool like partition finder. Running a script may make a script kiddie but it will teach you nothing about forensics. Start with the partition table and work out what points to what (there are plenty of resources that will help with this).
Only when you understand exactly what a script is doing for you should you use it.
Paul is correct. You should understand the drive layout and what exactly a partition is. The script is fairly useless unless you know what it is you are looking for. Really take the time to understand the sector layout of the drive and how each volume is created by various file systems.
Build a base of understanding. Ask yourself this:
What is a physical drive?
What is a logical drive?
What is the VBR?
What is the MBR?
What is a partition table?
What are primary and extended partitions?
Google and Wiki away at those. Get
That should be like your Physicians Desk Reference for computers.
Start to create a chain of thoughts that can lead you to your answer, but you have to feel comfortable with basics or the task you are given will be unsolvable because you won't understand the results. And quite honestly, without setting up some experiments and theory tests you will not be very successful because there is no one way to solve your task.
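To make the "start with the partition table and work out what points to what" advice concrete, here is an added example (written for this thread, not code from NTI or from any poster) that walks an MBR partition table, follows the extended/EBR chain for logical partitions, lists the sector runs no partition claims, and samples the entropy of each run. A large unclaimed run is where a hidden partition would have to live, and a run that reads as near-random bytes is consistent with the AES claim on the product page. The disk image is constructed inline; it assumes a plain MBR layout (no GPT) and says nothing about how NTI Ninja itself records its private partition, which you would still have to establish by the before/after imaging experiment suggested earlier.

```python
"""Walk an MBR partition table (primary entries plus the EBR chain) over a raw
image, report unallocated sector runs and the entropy of their first sectors.
Example code added for this thread; the image is constructed below, not a
real NTI Ninja device."""
import math
import random
import struct
from collections import namedtuple

SECTOR = 512
EXTENDED_TYPES = {0x05, 0x0F}          # DOS extended, Win95 extended (LBA)
Partition = namedtuple("Partition", "type lba_start sectors bootable")


def read_sector(image, lba):
    off = lba * SECTOR
    return image[off:off + SECTOR]


def parse_table(sector):
    """Return the non-empty 16-byte entries at offset 446 of an MBR or EBR."""
    if len(sector) != SECTOR or sector[510:512] != b"\x55\xaa":
        raise ValueError("missing 0x55AA boot signature")
    entries = []
    for i in range(4):
        # boot flag, CHS start (skipped), type, CHS end (skipped), LBA start, count
        boot, ptype, lba, count = struct.unpack_from("<B3xB3xII", sector, 446 + 16 * i)
        if ptype != 0 and count != 0:
            entries.append(Partition(ptype, lba, count, boot == 0x80))
    return entries


def enumerate_partitions(image):
    """Primary partitions plus logical partitions reached through the EBR chain."""
    total = len(image) // SECTOR
    found = []
    for p in parse_table(read_sector(image, 0)):
        if p.type not in EXTENDED_TYPES:
            found.append(p)
            continue
        ext_base = ebr_lba = p.lba_start
        seen = set()
        while ebr_lba not in seen and ebr_lba < total:   # guard against loops / bad links
            seen.add(ebr_lba)
            try:
                entries = parse_table(read_sector(image, ebr_lba))
            except ValueError:
                break
            if not entries:
                break
            # entry 0: logical volume, LBA relative to this EBR sector
            logical = entries[0]
            found.append(logical._replace(lba_start=ebr_lba + logical.lba_start))
            # entry 1: next EBR, LBA relative to the start of the extended container
            nxt = [e for e in entries[1:] if e.type in EXTENDED_TYPES]
            if not nxt:
                break
            ebr_lba = ext_base + nxt[0].lba_start
    return sorted(found, key=lambda q: q.lba_start)


def unallocated_runs(partitions, total_sectors):
    """(start, length) runs after the MBR that no listed partition covers."""
    runs, cursor = [], 1
    for p in partitions:
        if p.lba_start > cursor:
            runs.append((cursor, p.lba_start - cursor))
        cursor = max(cursor, p.lba_start + p.sectors)
    if cursor < total_sectors:
        runs.append((cursor, total_sectors - cursor))
    return runs


def entropy_bits_per_byte(data):
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def survey(image):
    """Partitions found, plus (start, length, entropy of first <=16 sectors) per gap."""
    total = len(image) // SECTOR
    parts = enumerate_partitions(image)
    report = []
    for start, length in unallocated_runs(parts, total):
        sample = image[start * SECTOR:(start + min(length, 16)) * SECTOR]
        report.append((start, length, round(entropy_bits_per_byte(sample), 2)))
    return parts, report


def build_sample_image(total_sectors=4096, seed=1):
    """Constructed image: NTFS-typed primary at 63, extended container at 1063
    holding one logical volume, then a trailing unpartitioned run of random bytes
    standing in for an encrypted hidden area. Layout is hypothetical."""
    def table(entries):
        raw = b"".join(struct.pack("<B3xB3xII", *e) for e in entries)
        return raw.ljust(64, b"\0")

    img = bytearray(total_sectors * SECTOR)
    mbr = bytearray(SECTOR)
    mbr[446:510] = table([(0x80, 0x07, 63, 1000), (0x00, 0x05, 1063, 1000)])
    mbr[510:512] = b"\x55\xaa"
    img[0:SECTOR] = mbr
    ebr = bytearray(SECTOR)
    ebr[446:510] = table([(0x00, 0x83, 63, 937)])     # logical: 1063 + 63 = 1126
    ebr[510:512] = b"\x55\xaa"
    img[1063 * SECTOR:1064 * SECTOR] = ebr
    rnd = random.Random(seed)
    img[2063 * SECTOR:] = bytes(rnd.getrandbits(8) for _ in range(len(img) - 2063 * SECTOR))
    return bytes(img)


if __name__ == "__main__":
    parts, report = survey(build_sample_image())
    for p in parts:
        print(f"type 0x{p.type:02x} start {p.lba_start} sectors {p.sectors}")
    for start, length, ent in report:
        print(f"unallocated: start {start} length {length} entropy {ent} bits/byte")
```

On a real E01 you would first export or mount the raw stream and pass its bytes (or a memory-mapped file) to `survey`; the small gaps it reports (the first track before sector 63, the EBR sector and its alignment slack) are normal, and the interesting result is a large run with entropy close to 8 bits/byte, which is what you would expect from ciphertext rather than a filesystem.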
Thanks for your help everyone! I know I want to take the time so I'm not a script kiddie! I was only looking for a quick way for now as this work has to be in by Friday and with all the other stuff I have to do was looking for a quick answer (which I know isn't the right way to work).
Thanks douglasbrush I will take a look at that link tomorrow!
Once again thanks!
CLUE 446
If the partition is encrypted as well as hidden (their web site indicates crypto is an option) then you're still nowhere once you find the partition. You may consider restoring the image to one of your drives and trying to use the NTI Ninja tool to unhide / unencrypt the partition. If you're really lucky, the crypto key may be on the unencrypted partition. If you're not really lucky, you may be SOOL.
That is of course unless that whole 256AES thing is bollocks, which wouldn't be unheard of with security tools. I once saw a file hiding utility that made all kinds of claims, but was laughably simple to defeat because it didn't actually do half of what it said, or the user hadn't used it right.