I'm trying to familiarise myself with Encase (v4). However, when I add my USB device to the case, all of the sectors are apparently unallocated. The text and hex views are not full of zeroes and so i'm confused.
As I say, this is most likely a stupid question but it's all part of the learning I suppose.
Thanks
Am I being too vague?
So….are you sure that the USB device (can you tell us what kind of device it is?) has files on it?
If so, you should see the files when you bring the device into EnCase.
Whether the sectors have 0s or not isn't important.
Hi
Thanks for the replies. My USB does indeed have files on it and it's using the FAT32 file system.
I'm sure i'll get used to this software soon enough. It's quite fun piecing the information together using the File System Forensic Analysis Book!
This could be a stupid question back, but is it a 'proper' copy of EnCase4, complete with dongle, or are you seeing 'Acquisition Edition' the top?
If you are and you have a dongle, maybe the dongle drivers aren't installed properly.
Like I say, could be a stupid question…..
Yes i'm using the acquisition edition
Yes i'm using the acquisition edition
Which will only yet let you acquire an image, and not look at file systems from an image you acquire.
A USB device, although it may come up as a physical device, is truely a logical device. Thus, when you read the file system, the logical partition starts on sector 0 opposed to 63. When adding your USB device, add the Logical letter and you will see your file system. The data being displayed will be both the allocated and unallocated. This is my guess from what I've read so far. Give it a try and let us know.