Partition Finder in Encase or FTK

For most things file system related, I would use X-Ways (or Winhex in a pinch).
Using X-ways you can use the partition finder to locate any deleted partitions and failing that you can use the Refine Volume snapshot to recover deleted file entries and/or carve for specific file types.

That said if you know the type of file system, you should be able to do a search for the volume header and then add the partition manually. Probably worth checking the R-Studio results and examining the sectors it has for the deleted partitions. If you can identify where it says that partition starts and then go to that sector in Encase, you can manually add the partition. Not sure how you do this in FTK as I have never used it.

As a general rule as well, Encase 6 shouldn't really be used now as it hasn't been updated for years and has no support left. Unfortunately, if you want to stay with Guidance, that means moving to Encase 7.

Why would you spend $50 for that?

Do a grep search for 0x55 0xAA at sector offset 510-511. Done.

Totally agree with theunnamed.

Simple data recovery tools like R-studio, Easeus etc performs much better than Encase, FTK, x-ways when it comes to fundamental forensic functions like recovering partitions.

It is known that "partition recovery" is an indispensable stage in computer forensics and it should almost always be done , however neither Encase nor FTK has some easy buttons or menus at hand for recovering partitions.

You pay thousans of dollars and you are still missing the most fundamental functions at hand.

What do they say when you ask them? Himmmm, eerrrr…. I think you need to "write an enscript" or you need to "Find and download an Enscript" or you need to "organize a GREP search and test it and try it again if not works…. blah blah blah… These answers drive us crazy as they treat you asked a question like what is the meaning of life. We simply want to see in our fancy forensic software some fundamental -and still missing- functions which other 40$ tools can already do out there.

Yes, even the most fundamental forensic functions seem to be missing in so-called forensic software. We as examiners need to do - but can not do - the following easily

- recovering partitions (no button or menu at hand and not easily done in Encase or FTK)
- automatically or easily looking at volume shadows, (no button or menu in Encase, FTK seems ok on that)
- mount virtual machines like vhd, wmdk, etc (no button in Encase or in FTK)
- easily carve in particular places of hard drive like unallocated (there is file finder in Encase but you have to specifically select file types one by one, no button in FTK)
- see shellbags, jumplists, lnk files, prefect (no button in Encase or in FTK)
- list of usb drives connected along with dates and times, (no button in Encase or in FTK)
- easily see deleted files in the recycle bin (no easy button in Encase or FTK, you have to read about how to see it and then locate INFO2 file and then do some more work just to see the files in the recycyle bin in an easy and natural way)
-…………

Why do manufacturers not bother asking -and implementing- what we forensic examiners want to have in our forensic software?

It's true that EnCase relies on EnScripts for a lot of functionality. It offers a lot of flexibility but i would love to see more of this offered as built-in functionality.

Several of your examples, however, are incorrect. In EnCase 7, you can recover a partition by locating the volume header in the disk view and right-clicking (it's easy); you can add VMDK and VHD files as evidence files; and, you can view the Recycle Bin entries by just clicking on the Recycle Bin in tree view. For Vista and later Recycle Bin entries, both the $I and $R entries show up in EnCase, but it displays the $R files with the original name for convenience.

-tracedf

To follow up on tracedf's post, EnCase 7 and FTK 6 do display some of the other artifacts such as USB connected devices, lnk files, jumplists, shellbags, etc via the "Case Analyzer" (EnCase 7) and "Gather System Information" (FTK 6) processes.

Totally agree with theunnamed.

Simple data recovery tools like R-studio, Easeus etc performs much better than Encase, FTK, x-ways when it comes to fundamental forensic functions like recovering partitions.

X-ways shouldn't be in that category, it does extensive work for recovering lost partitions, reconstructing RAIDS and locating details of previously existing files.

What do they say when you ask them? Himmmm, eerrrr…. I think you need to "write an enscript" or you need to "Find and download an Enscript" or you need to "organize a GREP search and test it and try it again if not works…. blah blah blah… These answers drive us crazy as they treat you asked a question like what is the meaning of life. We simply want to see in our fancy forensic software some fundamental -and still missing- functions which other 40$ tools can already do out there.

Or they tell you your workflow is wrong. This actually happened to me when I complained on the Encase 7 forum and got a phone call from a representative. Apparently asking to be able to run enscripts on a single item required me to tag ALL files on that item, when I questioned it my 'workflow' was wrong. I did want to kill them at that point.

Yes, even the most fundamental forensic functions seem to be missing in so-called forensic software. We as examiners need to do - but can not do - the following easily

- recovering partitions (no button or menu at hand and not easily done in Encase or FTK)
- automatically or easily looking at volume shadows, (no button or menu in Encase, FTK seems ok on that)
- mount virtual machines like vhd, wmdk, etc (no button in Encase or in FTK)
- easily carve in particular places of hard drive like unallocated (there is file finder in Encase but you have to specifically select file types one by one, no button in FTK)
- see shellbags, jumplists, lnk files, prefect (no button in Encase or in FTK)
- list of usb drives connected along with dates and times, (no button in Encase or in FTK)
- easily see deleted files in the recycle bin (no easy button in Encase or FTK, you have to read about how to see it and then locate INFO2 file and then do some more work just to see the files in the recycyle bin in an easy and natural way)

Again all these functions are easily done in X-ways.
Recovering partitions already covered
Previously existing files in shadow volumes can be recovered using processing in X-Ways
Mounting virtual hard disks is as simple as 3 - 4 button clicks and its added as its own object
Carving can be done at sector boundaries or every byte on hard disk. The files which are carved are then added to case so file sig etc can be done on them. The list of carved files is huge and can easily be added to but includes most picture/movie/compressed/email files and OS artifacts (lnk files etc)
Jumplists, LNK files and prefetch files (inc windows 10 if your using Windows 8.1 on you investigation machine) are parsed by X-Ways.
List of USB devices is extracted from a pre-created registry report.
Recycle bin files are renamed (with original name in square brackets)

I realise I sound like a sales person for X-ways, but its a proper forensic tool which lets you get into the hex quite nicely while Encase seems to hide all that nasty "forensic" stuff away from you.
No idea on FTK as I said I've never used it.
Seen a lot of Police forces in the UK move towards this due to the flaws in other tools.

Regarding this issue.
I would to ask what software do you consider a good option for file carving, specially for docuements and emai files.

Regarding this issue.
I would to ask what software do you consider a good option for file carving, specially for docuements and emai files.

Please start a new thread for that question. Hijacking an old thread is not best practise.

I wanted to note that I recognized that we were not identifying all deleted partition types based on this article and addressed that with our FTK 6.2 release.