Hi Guys and Gals,
I'm using EnCase.
Currently I got a incomplete set of evidence files. Let say the full set should have 20 evidence files but only got 10 of it.
Can I still mount it in EnCase?
Regards
BlueDragon
I've come across that previously. I had 24 good files out of about 30. The files did mount in encase, and from memory I was able to examine the data from the evidence files up to the first missing one. Luckily the section I needed was near the start.
Will you explain how to mount it in EnCase?
I try but I either got error message of that I got missing evidence files.
Bear in mind I'm at home and can't test any of this. Previously when I faced this problem;
Using Encase 6.7, start a new case, add device, browse to the first image (e01) file (as long as you have the first one)
Encase then worked through the image files and asked for a location for the missing one. There was also an option to skip or ignore, then it asked for the next evidence file in the sequence. It did this for all the missing ones, then gave a message that due to the missing evidence files, only sectors 0-xxxxxxxxxx would be available for analysis.
This may be something new to ver. 6.
There may also be answers in the Guidance forums; http//
Thanks Darren, will try it out.
Open the case like normal. Encase will prompt you for the next evidence file location. When you are unable to point encase to the next segment you will get a message that the sectors in the missing segments will be filled with 0's and inaccessible.