Hello Everybody,
I m trying to acquire a HFS+ partitioned drive that has been removed from a Apple Mac, Im trying to acquire in a windows environment using encase, the drive does spin up but its not being recognised.
i have done a previous acquisition using tdm in a windows environment with no problem, i was just wondering if this failure to mount is due to a drive error
You didn't post if this was an Intel Mac, and what version of EnCase you were using, but this may help
http//
GGrady im not sure if it is intel based mac i just have the HDD which is a 120 gb SATA drive which im assuming would be from a intel based mac, also im using encase 6
What kind of write blocker are you using?
What do you mean by not recognized? Are you able to see the physical disk in encase? If it's on a blocker, encase may be reporting the blocker as the device and not the drive.
as this is a straight data recovery job and doesn't need to be a forensically sound image i have used fastbloc and a conventional sata to usb connector. the device is not showing up at all on my machine. but it does spin up
Again you have to define "not showing up". If you are trying to acquire an Mac OS File System formatted device on a Windows machine, Windows won't see it (well it will in disk manager). If you load up EnCase/FTK/X-Ways/etc it should at least see the physical device.
Tom
Sorry encase is not seeing the physical device,
Is the blocker showing up in the 'safely eject devices software'? Is windows seeing the blocker? Check under the device manager snap-in and see if it is being recognized. I have seen this behaviour before with HFS+ drives (especially GPT, which I suspect it is) and found just plugging in the USB cable to the computer again usually works.
The drive could be dead. Is it a Momentus 5400.2, Firmware 7.01? If so, it is probably dead.