Greetings, can anyone offer any suggestions in reference to image files that I recently created using Encase Linen v 6.1?
I booted a 1.8TB Dell 2850 SCSI Raid-5 Rack Server using Helix v 1.9, and then imaged the /sda and /sdb partitions to separate 2TB storage arrays.
The process appeared to complete successfully, creating what appear to be valid .E0x files, however both FTK and Encase now report that the resulting .E01 files are not a valid evidence files. (
I'll probably re-image using another method, but wondered if anyone has any advice in this matter?
Just a shot in the dark, but are you opening the .exx files locally or from a network share? If you are opening them from a network share then it may be worth copying them to your locally attached drives and opening them from there.
HTH
)
Just a shot in the dark, but are you opening the .exx files locally or from a network share? )
The files reside on a local external usb drive array. Everything appears to be intact, but I can only assume that they are corrupt for one reason or another.
Here's a thought. The drive was formatted NTFS under XP. I then connected them to the server running Helix, and mounted it writeable using the NTFS-3G driver. Any thoughts on wheter or not that could be my problem?
I have had issues with E01 images in the past when they were compressed with the highest setting. Is this the case here?
I have had issues with E01 images in the past when they were compressed with the highest setting. Is this the case here?
Yes, I did have Linen compress. I never even thought of that, thanks very much. Perhaps I'll try it again without compression. oops
Hi, I 've found using dd to stream the data across easier to work with and get both FTK and Encase to see the data. If you are having problems it might be worth a shot