I use FTK Imager to create my E01 forensic image. I have a 20 GB hard drive that FTK will not index. It keeps crashing on me. AccessData has tried to help me but nothing has worked. So I would like to take my E01 image and restore it to a secondary hard drive (obviously I don't want to use the suspect's) to view the hard drive in its natural form. Is there an easy way to do this?
Thanks in advance.
What forensic software do you have access to?
If EnCase, right-click the image in the tree pane, then select Restore.
Do you _need_ to index the entire data object, or can you not index or index only specific targets of interest?
Cheers!
farmerdude
www.onlineforensictraining.com
I have access to EnCase V4.2, but have never used it and don't know how to open a case in EnCase.
If this is evidence, stop right now and get yourself some assistance. If not, here is a quick guide.
First, you need to create a case in EnCase before you open or add evidence to it. Hopefully you have a dongle because you won't be able to do a restore without it.
If you don't intend to save the case in EnCase then the rest is simple. EnCase divides the major work areas into four quadrants. The upper left quadrant is called the Tree Pane and should have a single node labeled "Entries". Using Windows Explorer, drag the first E0 file (if there is more than one), e.g., file.E01, into the Tree Pane. Once EnCase has finished parsing the evidence file contents, you should see the device appearing under the Entries node. You should be able to select that device, right mouse click and get the Restore dialog.
Make sure that you have a drive attached that you can completely overwrite and follow the prompts in the Restore dialog.
If you use the ENCASE tools to convert it to a DD first, you may have better restore options.
D
If you use the ENCASE tools to convert it to a DD first, you may have better restore options.
What? I'm sorry, but how does this help the OP?
Since you have FTK Imager, you can take your E0 image and perform different processes with it.
1) Export your E0 image into a dd format (FTK may like that better than the E0 image for whatever reason, I've had that issue before)
2) Export the entire E0 image onto your secondary hard drive (select the root folder and just export all the files).
You can also:
1) Use Paraben's free image mounting utility (
2) Boot the image into VMware Server (free) using LiveView (free) to create the configuration files after either creating a dd of your E0 image or after mounting the E0 image as a drive letter.
There are many ways to access a forensic image with various applications. You just have to problem solve your way around it.