I don't have access to the source drive any longer and when I reviewed my target drive, it's missing the .E01 file???? During aqusition, I did verify and all was well. Several months have passed and obviously, I now don't have a complete image. Can I force Encase or FTK to load the partial image of the drive and conduct a limtted analysis??? I'm looking for specific files which still may be there. Any help would be appreciated.
It is not possible to load a partial set of .e01 images to either FTK or Encase. Perhaps one of the other image mounting applications (such as Parabens) would allow you to mount them and see a file structure, provided of course that the evidence file containing the MFT is still available. Depending on how I interpret your post, you may be missing the first .e0x file. That will be a problem. This is only speculation, I have not tried it under your unfortunate circumstances.
It would be possible to acquire the drive containing the .e01 files and carve the files out manually. You'll have to deal with a CRC value placed probably (assuming the default acquisition options) every 64 sectors (32k). While this will be difficult it's not impossible. Again, it will be better if you have the first .e0x file as that one will contain the MFT (for the first partition anyway) and would allow you to locate the files by names, and better yet, the extents for any files that are fragmented.
The good thing is that you can verify individual evidence files should you find anything important in one. I think that your results will be much better if the evidence files are not compressed.
Did you check out the destination disk that has the rest of the .e0x files? It stands to reason that if it was deleted then it will still be there for you to recover.
I had a same situation where one of the E01 files that was backed up to DVD was missing. When I restored the case Encase asked if I wanted to fill the void ( missing E01 file ) with 00's and read the rest of the image just fine. In my case the missing data was in unallocated space though.
Having a missing e01 file is a bit of a show stopper as far as reading with a traditional forensic app is concerned.
The e0x evidence file format is pretty trivial though and there is no reason why you should not be able to decompress or de-encase the remaining files. Of course you will be left with a dd image that is missing the first x00MB's.
Anyone in the US who writes tools that work with eox files sould be able to help you. Sending across to us may be a bit expensive though.
Have you tried the earlier suggestion and reviewed unallocated to see if there are any remnants. If you are palying of courese I am sure that you are using a write blocker so as not to screw up what remains of the original images.
I did try to image the drive to recover the file. It gave me various files with different extention, which didn't help. I also tried to use "unerase" within Norton and that didn't work either. Thanks for the suggestions, I may try other options.