Team,
I'm trying to recover data from an HFS external HDD with FTK. I've been told there was thousand of pictures but carving didn't find any. The disk also looks like this
Any ideas?
Any steps I could take to recover the folder structure? I'm not familiar with HFS.
Thanks,
Ank
Recover folder structure with carving?? Carving is normally just looking for file signatures and file names and directory structures are all lost.
If no photos are found it could be a few reasons
1) Drive was encrypted
2) There were no photos
3) Photos were a RAW format that is not being carved for
4) Photos are stored in a container - such as a big zip file. In this case simple carving will not work as carving normally looks at the start of a sector
5) There has been a full format on the drive
Check your hardware / approach by trying another HFS drive with photos
I'm not trying to recover folders with carving, but I opened the same disk with Encase (acquisition mode) and I can see the folder structure. I'm more familiar with Encase than FTK so I was wondering if there's something similar to Encase's recover folders in FTK.
What's the best way to detect encryption? If I can see the structure in Encase, does this mean it isn't encypted?
Thanks a lot!
When you write "but I opened the same disk with Encase (acquisition mode) and I can see the folder structure", what is the actual folder structure you see?
Does it look something like
EFI
Apple Core Storage
Unpartitioned/Unallocated
Could you perhaps attach a screenshot?
A normal HFS+ partition should read "Apple_HFS" while an encrypted (FileVault2) partition will read "Apple_Core_Storage"