Hi all,
I have a little problem while trying to open a .dd dump
of a jailbroken iPhone with EnCase. It does not recognize
the filesystem (HFS+).
I have two separate dumps, one for the system partition and one for the user partition.
FTK recognizes those dumps fine, but I need to do the work with EnCase for office reasons.
Trying to open the dump as a volume, specifying the right filesystem,
doesn't work either.
The tip found on the internet (search for the string "HFS+", point 2 sectors before it and mount from that point) doesn't work either... it only works on dumps of entire disks, not on dumps of partitions.
Thanks a lot.
How are you adding the dd image to Encase?
Within EnCase you have to add your dd image as a "raw image" from a disk. Inside the folder where your *.dd images are stored you have to mark them from the bottom to the top. Then they are placed in the right order and you can open them.
Siggi
I know this, I was asking him how he had done it.
Thanks for your answers.
I have two .dd files.
I've tried adding them as single files (one case, one raw image) and also both files together (one case, two raw images), swapping the order in the file list too.
I tried adding them with "add raw image" with "none" as the file type, with "disk", and with "volume" and HFS+ as the filesystem.
The result is always the same: no partitions and only "unallocated clusters" in the Explore window.
you need to bring the dd image file into a hex editor and change the very first instance of hx to h+. Then EnCase should see the partitions.
Step 1
you need to bring the dd image file into a hex editor and change the very first instance of hx to h+.
Step 2
Then EnCase should see the partitions.
We had a discussion about this some while back and about manipulating any working copy in general. Would you agree that, as there will be a slight manipulation of the working copy, this should be mentioned in your contemporaneous notes?
This is going to change the signature in the Volume Header. To locate the volume header, search for H+ (or HX) and HFS. Look for them occurring in the same sector. That is the Volume Header.
This is a fairly small change but it will of course nuke the hash. I had to testify about something similar once and had kept extensive notes about the modifications. The judge liked the fact that I could show through screen shots that the changes only affected a specific sector and did not touch the relevant evidentiary data.
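The procedure worked out in the replies above (locate the volume header, flip the HFSX signature HX to H+ on a working copy, hash the image before and after, and record exactly which sector changed) as an added Python example. This is not code from the thread or from EnCase; it assumes 512-byte sectors and the HFS Plus volume-header layout from Apple's TN1150 (header at byte 1024 of the volume, signature 'H+' for HFS+ and 'HX' for HFSX, version field 4 or 5, blockSize at offset 40 into the header). The sample image it builds is constructed, not a real iPhone dump, and the function names are my own.

```python
"""Locate the HFS+/HFSX volume header in a raw partition image, patch the
HFSX signature 'HX' to 'H+' on a working copy, and produce a record for the
examiner's notes: header offset, old/new bytes, whole-image hashes before and
after, and the list of sectors that actually changed.

Assumptions (not from the thread): 512-byte sectors and the HFS Plus
volume-header layout from Apple's TN1150 (header at byte 1024 of the volume;
'H+' = HFS+, 'HX' = HFSX; version 4/5; blockSize at header offset 40).
"""
import hashlib
import struct
from typing import Dict, List, Optional, Tuple

SECTOR = 512
VH_OFFSET = 1024            # the volume header sits 1024 bytes into the volume
SIG_HFSPLUS = b"H+"
SIG_HFSX = b"HX"


def looks_like_volume_header(img: bytes, off: int) -> bool:
    """Sanity check so a stray 'HX'/'H+' string is not mistaken for the header."""
    if off + 48 > len(img) or img[off:off + 2] not in (SIG_HFSPLUS, SIG_HFSX):
        return False
    version, = struct.unpack_from(">H", img, off + 2)      # 4 = HFS+, 5 = HFSX
    block_size, = struct.unpack_from(">I", img, off + 40)  # allocation block size
    power_of_two = block_size >= 512 and block_size & (block_size - 1) == 0
    return version in (4, 5) and power_of_two


def find_volume_header(img: bytes, scan_limit: int = 1 << 20) -> Optional[int]:
    """Try the canonical offset first (a partition dump starts at the volume),
    then fall back to a sector-aligned scan for an image with a leading gap."""
    if looks_like_volume_header(img, VH_OFFSET):
        return VH_OFFSET
    for off in range(0, min(len(img), scan_limit), SECTOR):
        if looks_like_volume_header(img, off):
            return off
    return None


def sector_diff(a: bytes, b: bytes) -> List[int]:
    """Sector numbers whose contents differ between two equal-length images."""
    if len(a) != len(b):
        raise ValueError("images differ in length")
    return [i // SECTOR for i in range(0, len(a), SECTOR)
            if a[i:i + SECTOR] != b[i:i + SECTOR]]


def patch_hfsx_to_hfsplus(img: bytes) -> Tuple[bytes, Dict[str, object]]:
    """Return (patched working copy, report). The input bytes are never modified;
    only the two signature bytes change and the version field is left as found."""
    off = find_volume_header(img)
    if off is None:
        raise ValueError("no HFS+/HFSX volume header found")
    report: Dict[str, object] = {
        "header_offset": off,
        "header_sector": off // SECTOR,
        "old_bytes": img[off:off + 2].hex(),
        "sha256_before": hashlib.sha256(img).hexdigest(),
    }
    if img[off:off + 2] == SIG_HFSPLUS:
        report.update(changed=False, changed_sectors=[])
        return img, report
    work = bytearray(img)
    work[off:off + 2] = SIG_HFSPLUS
    patched = bytes(work)
    report.update(
        changed=True,
        new_bytes=patched[off:off + 2].hex(),
        sha256_after=hashlib.sha256(patched).hexdigest(),
        changed_sectors=sector_diff(img, patched),   # expected: exactly [header_sector]
    )
    return patched, report


def build_sample_image(hfsx: bool = True) -> bytes:
    """Constructed 8-sector stand-in for a partition dump (not a real iPhone image):
    zeros, a decoy 'HX' string in sector 0, and a minimal volume header at byte 1024."""
    img = bytearray(8 * SECTOR)
    img[100:103] = b"HXY"                              # decoy: a naive first-match lands here
    vh = bytearray(SECTOR)
    vh[0:2] = SIG_HFSX if hfsx else SIG_HFSPLUS
    struct.pack_into(">H", vh, 2, 5 if hfsx else 4)   # version
    vh[8:12] = b"HFSJ"                                 # lastMountedVersion of a journaled volume
    struct.pack_into(">I", vh, 40, 4096)               # blockSize
    struct.pack_into(">I", vh, 44, 1)                  # totalBlocks (made-up)
    img[VH_OFFSET:VH_OFFSET + SECTOR] = vh
    return bytes(img)


if __name__ == "__main__":
    original = build_sample_image()
    print("naive first 'HX' at byte", original.find(SIG_HFSX), "(the decoy)")
    print("volume header at byte", find_volume_header(original))
    patched_img, rep = patch_hfsx_to_hfsplus(original)
    for key, value in rep.items():
        print(f"{key}: {value}")
```

The 1024-byte header offset is why the "2 sectors before the HFS+ string" tip in the first post works on whole-disk images: with 512-byte sectors the volume starts two sectors ahead of its header. The constructed image carries a decoy "HX" earlier in sector 0, which is why the header is validated (version and block size) rather than taken as the first match; in the poster's dumps the first occurrence happened to be the header. The report's changed_sectors list is the sector-level evidence the last reply describes, and the version field (5 for HFSX) is deliberately left as found, since the thread's fix changed only the signature.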
GREAT!
Changing the first occurrence of HX (case sensitive) to H+ and adding it to EnCase as an HFS+ volume works fine!!
Thank you.