I need to copy about 6 different XP profiles from 6 different computers. My question is this, it seems that FTK imager can make a copy of a folder however it does NOT use an E01 format it uses some other format called AD1. Is their a way to make just a copy of a users profile in FTK or EnCase that is E01 compliant? My plan is to copy these profiles to my laptop then burn them to a DVD. Thanks, your response is greatly appreciated.
You can't make an E0 image file from a folder, but as you found out, you can make a logical image of a folder with FTK Imager/Encase. FTK can read the AD files easily. Other options if you just want the folder;
-WinRAR/Zip the folder (choose the settings to keep the metadata intact and create a logfile). The archive is sorta like an image and the files can be extracted as much as you need.
-Folder2ISO (http//
-Or copy the native files with any of the copy utilities (Robocopy, Safecopy, Upcopy, etc…) and burn to a DVD.
The logical (AD) format to image folders is actually very useful. Files can be exported from the AD file, you can create a AD file of a folder and choose the file types you want (such as *.doc *.xls, etc…), create a file listing with hash values, etc…
I guess if you really want an image of a folder, you could put a forensic copy (intact metadata, by the same file path, etc…) of the folders onto a flashdrive, then image the flashdrive to E0 format and copy the E0 file to a DVD….just make sure the flashdrive was securely wiped, or your E0 image will probably include some past deleted files from the flashdrive…
Great suggestions.
Regarding the flash drive idea, it's important to be aware of FAT32 limitations of Access date only (no time), and a 2 second resolution for times. If you already have the metadata captured somewhere else (e.g., FTK Imager dir listing) and you just need a copy of the files, a FAT32 formatted flash drive may work for you. If not, don't use FAT32.
/scott
The idea of copying the the user profiles to a flash drive then using my write blocker & image that to my desktop as an E01 is a great idea. Most of these profiles are only 100+ MB. BUT will the time stamps all change if I copy that profile to a freshly cleaned flash drive?
Yes, the metadata of (the destination) files copied from NTFS to FAT32 will permanently lose precision. Therefore, if you want to use a Flash drive, be sure its format is NTFS.
/scott
Yes, the metadata of (the destination) files copied from NTFS to FAT32 will permanently lose precision. Therefore, if you want to use a Flash drive, be sure its format is NTFS.
/scott
Awesome, Thank you Scott. Yea, I think this is the path I'll take!
If this is for a legal matter, remember to note the steps you took to describe how a folder from a computer hard drive was imaged from a flashdrive (otherwise, some may wonder how in world did you create a E0 image from a logical folder….) wink
If this is for a legal matter, remember to note the steps you took to describe how a folder from a computer hard drive was imaged from a flashdrive (otherwise, some may wonder how in world did you create a E0 image from a logical folder….) wink
Yes sir good advice! as my instructor always told me you can never over document a case…lol.
Another handy tool is Robocopy which comes part of Windows Server Resource Toolkit. There is also a GUI version available here
http//
Robocopy can copy files while maintaining all of their metadata (MAC times, Permissions etc.) and also doesn't have a problem with long file paths.
The caveat about the FAT32 filesystem and it's restricted metadata as mentioned by Scott still applies of course.
Thank you for the responses I ended up using a piece of software called Rich Copy 4.0 that worked like a charm for copying the profiles & all relevant data.