Notifications
Clear all

Partial Drive Image  

  RSS
torcan
(@torcan)
New Member

Good Afternoon,

I was imaging a drive with Paladin (E01 format) and the source drive crashed and did not finish imaging. I have about 250GB of data. Is there anyway to load that partial image into EnCase or FTK. If not how can I get at the data?

Thanks

Quote
Posted : 06/06/2015 2:11 am
jaclaz
(@jaclaz)
Community Legend

See if any among XMount (linux) or Arsenal Image Mounter (windows) or any other tool making use of libewf can mount the partial image and then plainly dd it to a new image.
Otherwise, still within the ewflib
http//forensicswiki.org/wiki/Libewf
you may want to try ewfexport/ewfrecover.

Maybe (cannot say if it is possible with your file) it could be possible to add bytes to your image (as if they were empty sectors on the source disk) to "complete" the image.

jaclaz

ReplyQuote
Posted : 06/06/2015 6:22 pm
mscotgrove
(@mscotgrove)
Senior Member

I would expect if you convert the file to a DD format, then you have a choice of many recovery programs to see what data has been captured.

ReplyQuote
Posted : 06/06/2015 11:50 pm
ellingtond
(@ellingtond)
New Member

Open the image in Encase imager, it will zero out the missing parts, then acquire/export a new image from that.

We do it all the time, email me directly if you have questions. [email protected]

ReplyQuote
Posted : 07/06/2015 12:57 am
Adam10541
(@adam10541)
Senior Member

Xways should be able to work with a partial image as well if you have access to it. You will get an error message on loading that the image size appears incorrect, but then you can work with it as normal.

ReplyQuote
Posted : 08/06/2015 6:50 am
Belkasoft
(@belkasoft)
Active Member

E01 partial drive image is usually not too stable. We've had success when processing such images with Belkasoft Evidence Center, but it is about 50/50 I would say. So I suggest you try to import E01 image first, and, if not, I agree that the best option would be to convert it to DD image, then you are very likely to be able to extract the data out if successfully. Belkasoft Evidence Center will do it automatically for you, and then you can export the findings into EnCase if you want or have to, since the two products are integrated (webinar demonstrating the usage of both tools together https://www.guidancesoftware.com/resources/Pages/webinars/Enhancing-Digital-Investigations-with-Belkasoft.aspx )

ReplyQuote
Posted : 15/06/2015 11:10 pm
Share: