Notifications
Clear all

Partial Drive Image

6 Posts
6 Users
0 Likes
1,132 Views
(@torcan)
Posts: 1
New Member
Topic starter
 

Good Afternoon,

I was imaging a drive with Paladin (E01 format) and the source drive crashed and did not finish imaging. I have about 250GB of data. Is there anyway to load that partial image into EnCase or FTK. If not how can I get at the data?

Thanks

 
Posted : 06/06/2015 1:11 am
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

See if any among XMount (linux) or Arsenal Image Mounter (windows) or any other tool making use of libewf can mount the partial image and then plainly dd it to a new image.
Otherwise, still within the ewflib
http//forensicswiki.org/wiki/Libewf
you may want to try ewfexport/ewfrecover.

Maybe (cannot say if it is possible with your file) it could be possible to add bytes to your image (as if they were empty sectors on the source disk) to "complete" the image.

jaclaz

 
Posted : 06/06/2015 5:22 pm
(@mscotgrove)
Posts: 938
Prominent Member
 

I would expect if you convert the file to a DD format, then you have a choice of many recovery programs to see what data has been captured.

 
Posted : 06/06/2015 10:50 pm
(@ellingtond)
Posts: 7
Active Member
 

Open the image in Encase imager, it will zero out the missing parts, then acquire/export a new image from that.

We do it all the time, email me directly if you have questions. derek@ellington.net

 
Posted : 06/06/2015 11:57 pm
Adam10541
(@adam10541)
Posts: 550
Honorable Member
 

Xways should be able to work with a partial image as well if you have access to it. You will get an error message on loading that the image size appears incorrect, but then you can work with it as normal.

 
Posted : 08/06/2015 5:50 am
(@belkasoft)
Posts: 169
Estimable Member
 

E01 partial drive image is usually not too stable. We've had success when processing such images with Belkasoft Evidence Center, but it is about 50/50 I would say. So I suggest you try to import E01 image first, and, if not, I agree that the best option would be to convert it to DD image, then you are very likely to be able to extract the data out if successfully. Belkasoft Evidence Center will do it automatically for you, and then you can export the findings into EnCase if you want or have to, since the two products are integrated (webinar demonstrating the usage of both tools together https://www.guidancesoftware.com/resources/Pages/webinars/Enhancing-Digital-Investigations-with-Belkasoft.aspx )

 
Posted : 15/06/2015 10:10 pm
Share: