Guys, I've got a hard drive which is from a Windows 2012 Server, which is formatted using ReFS. I've added this to EnCase 7.10.03.11. But I've just got unallocated clusters.
The server was imaged live using ftk imager, and a logical image was taken (done by a colleague).
The server is Windows 2012, no encryption, and no de-duplication.
Any thoughts on how I can maybe get the drive to work, otherwise it's back to site to do another image.
see below
···ReFS·········FSRS··`T··žA········€···················w!~Þq~Þ>···
According to Guidance,
Alternatively, X-Ways has apparently been able to parse it
Have posted on the Guidance Forum and discussed with support, appears that they aren't sure as to what's going on. It could be a bad forensic image, but with limited information in relation to the server, and the imaging process I'm a little stuck as to how I can get it to work. It looks like I may have to get another image done of the server.
The server was imaged live using ftk imager, and a logical image was taken (done by a colleague).
Mentioned is FTK imager taking a logical image, does this image have an AD1 extension?