Forums
Main Category
General (Technical,...
Need to Access DD I...
 
Notifications
Clear all

Need to Access DD Images on External Hard Drive

 
Page 1 / 2
General (Technical, Procedural, Software, Hardware etc.)
Last Post by Beetle 15 years ago
13 Posts
11 Users
0 Reactions
701 Views
RSS
 ForensicGA
(@forensicga)
New Member
Joined: 15 years ago
Posts: 1
Topic starter 30/09/2010 3:20 am  

Hello,
I have an external hard drive with dozens of DD image files of a hard drive that was examined by a forensic's company last year. They told me that the Helix Pro software that I have would have no problem reading the files but that appears to be wrong.
Someone at AccessData.com told me that their FTK Imager software would read the files but the Lite version does not appear to do that. I am downloading the 4.4 gig file of the full blown software now. They also told me that the latest version Helix Pro software that I have would not read these files.
So, could someone please give me some suggestions on an easy way to get into these files. (Hold on while I utilize the Bang Head Here Poster to Relieve Stress).
Thank's!

Michael


   
Quote
 douglasbrush
(@douglasbrush)
Prominent Member
Joined: 16 years ago
Posts: 812
30/09/2010 3:29 am  

DD images can be viewed and mounted several different ways. FTK Imager is a great solution. What where the challenges you had with that software.

Also another great free utility is ImDisk.

Commercially there is software such as Mount Image Pro.

It all depends on what you want to do with the data. You are at point A where is point B?


   
ReplyQuote
 Anonymous
(@Anonymous)
Guest
Joined: 1 second ago
Posts: 0
30/09/2010 3:56 am  

4.4GB? If you mean the full "Forensic Took Kit", you'll need the dongle as well to run the program to the point to open a dd image. A single image will certainly exceed the demo version of FTK.

If FTK Imager cannot open a dd image, as mentioned, try Mount Image Pro. There is a full version demo period. That should open the dd image. If MIP fails, then it is probably a fault with the image.

And when you say there dozens of dd images of one hard drive contained on a single hard drive, are these copies of the same dd image? Something doesn't sound clear.


   
ReplyQuote
Logan
 Logan
(@logan)
Trusted Member
Joined: 15 years ago
Posts: 66
30/09/2010 1:25 pm  

Mount Image Pro is a great tool, and you can use the program in full on a 14 day trial.


   
ReplyQuote
 DFICSI
(@dficsi)
Reputable Member
Joined: 19 years ago
Posts: 283
30/09/2010 2:48 pm  

Of course EnCase and X-Ways will process raw files if you have either of that software.

The 4.4GB is the full version of FTK and costs a couple of thousand dollars.

It might just be the way you're coming across but this is a fundamental part of doing forensics work. If you don't know what you're doing you are putting your own reputation and your client at risk.


   
ReplyQuote
 Walkabout_fr
(@walkabout_fr)
Trusted Member
Joined: 19 years ago
Posts: 67
30/09/2010 4:23 pm  

You're positive they're dd images and not some other kind of proprietary format ?

Dozens of dd images would mean you're looking at the split image of a disk.

FTK imager handles these without any trouble (although I'm not sure if you have to select the first segment or all the segments when doing the "add evidence item" part) and it would allow you to convert it into a single dd file which would be accepted by most forensic software.

Telling us exactly what is not working would be a great help…


   
ReplyQuote
 Anonymous
(@Anonymous)
Guest
Joined: 1 second ago
Posts: 0
01/10/2010 10:51 pm  

Curious, but were did these "dozens of DD image files" end up being one image of a hard drive segmented? With an ID of "ForensicGA", I am possibly incorrectly assuming you know a little something about forensics.


   
ReplyQuote
 forensicakb
(@forensicakb)
Reputable Member
Joined: 16 years ago
Posts: 316
02/10/2010 3:00 am  

I wish that were the case, but there are plenty of people who have names with professional, pro, expert, 7337, etc. in their name ask where is the Windows folder on an XP machine or how can I tell when a file was last accessed.

Not sure the OP understands what they need.

See that it is asked the "easy" way to do it, not the "best" way.
Reminds me of Iphone work, there is an "easy" way, and there is a "best" way.

quote="frankshells"]Curious, but were did these "dozens of DD image files" end up being one image of a hard drive segmented? With an ID of "ForensicGA", I am possibly incorrectly assuming you know a little something about forensics.


   
ReplyQuote
 a_kuiper
(@a_kuiper)
Trusted Member
Joined: 16 years ago
Posts: 69
02/10/2010 4:27 am  

No need to open your wallet…

Linux use xmount (http//www.pinguin.lu)
Windows use mount_ewf (http//sourceforge.net/projects/libewf)

Both mount dd, e01,…


   
ReplyQuote
mobab
 mobab
(@mobab)
Active Member
Joined: 16 years ago
Posts: 10
02/10/2010 5:59 pm  

No need to open your wallet…

Linux use xmount (http//www.pinguin.lu)
Windows use mount_ewf (http//sourceforge.net/projects/libewf)

Both mount dd, e01,…

… or affuse (on Linux) if you have splitted DD-Images.


   
ReplyQuote
Page 1 / 2
Forum Jump:
  Previous Topic
Next Topic  
Share: