Hello, i need help to proceed with a new case.
i acquired an image from a macbook.
i used guimager so, from usb live.
i have .e01 files.
now i think,and here i need your help, that i can
mount the e01 files using ftk imager
open a new case using osforensics and analizing in this case the physical disk i get from ftk and not the f or g disk,but the full physycal disk.
this is how i usually do when i have images from pc.but i'm not sure that in this way i can see all the files of a mac image.
why on osforensics website i see they suggest to use paragon?
thank you
why on osforensics website i see they suggest to use paragon?
thank you
Because paragon
so it should be better to install paragon
do you have a link to a tutorial step by step?
i mean, do i still have to use ftk?before or after mounting paragon?
After you install and reboot, you just mount the image with FTK and go ahead with OSF. Paragon HFS+ is just a driver .. But I think FTK imager supports HFS so try mounting your image first and see if OSF sees it before getting the Paragon driver
ok i try.
i suppose this are the steps
install paragon
reboot
open ftk and mount the e01 file
find the new physical drive
start osf
i did it at the begininng.ftk sees th3 e01, osf helps me recover deleted files.i have not yet tried to start indexing,i know it will takes severla hours.
i wanted to know before indexing if i needed further steps(paragon for example)to get a well done job.or if i just proceed as in case of a windows image e01
my warry is that i don't see all the files i usually see in a windows image
i did it at the begininng.ftk sees th3 e01, osf helps me recover deleted files.i have not yet tried to start indexing,i know it will takes severla hours.
i wanted to know before indexing if i needed further steps(paragon for example)to get a well done job.or if i just proceed as in case of a windows image e01
my warry is that i don't see all the files i usually see in a windows image
What FTK sees, Paragon/Windows sees (in the sense that it is just a driver).
Let it work (OSF) .. )
ok, thank you very much
have a nice we
i succeded with one of the 2 mac os images i extracted.
with the other one,same procedure from the beginning, i have after few seconds an error message error during pre-scan
error scanning unallocated clusters
error failed to get volume information.cannot use unallocated clusters informations
.i tried ftk forensic tools of a friend of mine and the indexing goes well,but i have osf and i need to do it with osf…
and the unallocated clusters are the biggest part of the disk…
From Passmark's website
(http//
Disk indexing and searching of "Mac/Linux file systems" All file types except unallocated sectors