Hi,
I recently imaged one windows 10 machine using paladin Bootable pendrive. The system has a bios password which appears on the screen before booting. I have the password and booted successfully into the paladin interface and imaging done successfully. When i loaded the evidence into encase v8.07, it only shows unallocated partitions and system files. There is no user data present in encase.
I have emulated the whole image into virtual local disks using encase and there appears partitions in the form of local disks. I can see user data inside each disks.I loaded these disks as evidence in encase v8.07 and i can access the user data through encase.
But i don't know it is a forensically right procedure. Is there any other way that i can see the user data in encase without emulating the evidence?
Can you post the screenshot of loaded evidence in encase that shows unallocated partition only. I am wondering if only a partition was added as evidence instead of an entire image.
in fact, the drives you have mounted are "read only" so for me it's the same as working on a suspect drive with writeblocker. There is no problem for me