Have you tried the restore option in EnCase? dumb question I know but just checking…
What about mounting the image and then reacquiring an image of the mounted image?
Wont that only get active files?
What about mounting the image and then reacquiring an image of the mounted image?
5 different machines all hang on that one file.
Not entirely sure if we're talking image file here (one of the .e01 files) or one of the 200 files inside that image.
I'm assuming the latter.
Mount the image safely, and apply whatever file system checking tools you can. For example, if it's all Windows-readable file systems, use FTK Imager to mount the volumes, and then 'chkdsk' them. (I'd probably also want to use some non-Microsoft product, say fsck, just to avoid blind spots.) That should get you a good idea if the file system is good enough to allow a copy, or if there are bad spots where you need to be careful.
The kind of error you report – one single object times out – is, in my experience, usually an indication that metadata has been damaged. I've seen a smallish hard drive (say 80 Gb) apparently contain a file, with a file size close to the maximum the file system could accomodate in theory. Hand that kind of file to a simple-minded copy program … Loops in FAT cluster chains can also produce similar symtoms. As can directory loops – imagine the situation …\DIR1\DIR2, where DIR2 refers to DIR1 (which usually is forbidden). A tree-traversing copy program will go round and round for ever.
No. The EnCase Physical Disk Emulator module will mount unallocated space too. I'm pretty sure that the mount utility in FTK Imager does also.
Wont that only get active files?
What about mounting the image and then reacquiring an image of the mounted image?
Thought about a hard drive clone, using one of those stand alone hardware convertors?
Thanks for the replies
Athulin. The 200 files I'm speaking of are .e01 files like if you would image a 100gb hard drive and broke it up into 2gb chunks you'd end up with 50 .e01 files. That's what I'm referring to when it hangs on a file. It would hang in 26.e01 and get to 99% on 26.e01
Thanks Mike, I don't have PDE I do have a Paraben mounted as well as FTK imager
I've appreciated the replies.
Hope that I've cleared the water in that a 2gb chunk of the entire group of 50 .e01s is what is causing the issue
If you can open the file in Encase, you can simply reacquire it to a new drive. That is also how you make a compressed image from a uncompressed image.
What Encase should do if one of the files inside the image is corrupted is tell you and then zero out the offending sectors.
I've done that before when drives get back to the office for space saving and backup, but for some reason it's not zeroing out anything, it's just either giving an error that it can't continue, or it gives the 198 Days 12 hours type of a countdown.
If you can open the file in Encase, you can simply reacquire it to a new drive. That is also how you make a compressed image from a uncompressed image.
What Encase should do if one of the files inside the image is corrupted is tell you and then zero out the offending sectors.
if you can mount it as a readable drive, you can try to DD it out, with the switch set to ignore errors.