Urgent help needed - Disk imaging crashing

5 Posts
5 Users
0 Likes
158 Views
BChaseAZ
(@bchaseaz)
Posts: 13
Active Member
Topic starter
 

Hi All,

I am under a time crunch to image a suspect drive. I connect the drive to a Tableau imager. I then get an E01 image on my clean media. I take that drive with the E01 image on it and connect it to my forensic workstation which runs Windows 8.1. As soon as the drive is connected, my system blue screens.

As a test, I tried connecting the drive to my Windows 7 PC, and I get an instant blue screen there.

I have now tried to image this drive using two different clean drives for the E01 image. One was a 3TB WD drive, the other a 4TB Seagate drive. Both of these, once they have the E01 image from the suspect drive, cause an instant Blue Screen. Both drives are GUID with ext4. I have never had issues with this process before using the exact same procedure.

As a further test, I connected the WD 3TB drive with the E01 Image through a Tableau write blocker and instead of getting a blue screen, my computer just froze. I had to do a hard reset of the workstation to get the system back up.

Anyone have any ideas? I have less than 24 hours left to get an image of this drive.

Thank you.

 
Posted : 03/08/2015 4:37 am
miket065
(@miket065)
Posts: 187
Estimable Member
 

Very odd behavior indeed. Boot your system with a linux boot CD like Paladin or Raptor and see if you can work with the e01. Try to mount it and see if there is a file structure. Also try to verify it.

 
Posted : 03/08/2015 4:47 am
Chris_Ed
(@chris_ed)
Posts: 314
Reputable Member
 

My first thought is that your external drive is ext4 and that's causing an issue. If it's worked in the past then potentially there has been a hotfix to Windows which might have an unforeseen knock-on effect on whatever third-party software you're using to read the drive.

Re-format in either NTFS or exFAT and try again, if possible!

 
Posted : 03/08/2015 1:38 pm
jaclaz
(@jaclaz)
Posts: 5135
Illustrious Member
 

Both drives are GUID with ext4.

You mean GPT, of course.
There are some slight differences in the way the good MS guys have (mis)implemented the GPT part of the UEFI "standard", and also the good Linux guys have some, let's call them peculiarities, in their implementation; it is very possible that this might be part of the issue.
As well, it is possible that the source of the issue is - as Chris_Ed already mentioned - the ext4 filesystem.
By default Windows (7 or 8/8.1 does not change) does not have an ext4 compatible IFS driver, so you must be using a specific third party driver that may well conflict with some of the OS built-in provisions.
But a Blue Screen says very little; which is the actual STOP ERROR code?

Windows 8/8.1 (also 7 but to a lesser degree) have a provision to not automatically attempt mounting a disk or a volume/partition on it, which are used in WinFE
http://reboot.pro/topic/19687-winfe-sanpolicy-and-noautomount-combinations/

With the Automount off, and/or the Sanpolicy 3 you should be able to access the \\.\Physicaldrive without triggering the filesystem driver recognizer and the filesystem driver.

You can use them to exclude some other possible issues (I am presuming you are connecting the disks through USB) with the connection bus (in the Registry or in the actual drivers) and to determine if the issue revolves around the partitioning or around the filesystem.

A good idea could be to verify (from a WinFE or from a Linux) the actual disk with Rod Smith gdisk tool, it tends to be very accurate in pinpointing possible issues in the (GPT) partitioning
http://www.rodsbooks.com/gdisk/

Setting these aside, there have been reports of "queer" behaviours with 4Kb sectored disks, GPT style, particularly when used together with some writeblocker, more an unfortunate (rare) combination of OS+hotfixes+specific disk drive+specific write blocker than anything else, but something similar may be happening in your case, JFYI
http://www.forensicfocus.com/Forums/viewtopic/t=11431/

jaclaz

 
Posted : 03/08/2015 2:50 pm
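The post above recommends checking the GPT partitioning with gdisk before suspecting the filesystem driver, and mentions 4Kb-sectored disks as a known trouble spot. The following is an added example written for this thread (it is not gdisk, Tableau, or any poster's code) showing what such a verification looks like: it parses the primary and backup GPT headers and the partition array from a raw disk image, checks the CRC32 fields, the usable-LBA range, overlaps and the backup header, and tries both common logical sector sizes, because a GPT written with 512-byte LBAs looks like "no partition table" when read as 4096-byte sectors and vice versa. The sample image, its disk GUID and the partition name are constructed for the demo; the Linux filesystem type GUID is the real one from the UEFI/Linux registry.

```python
# Added example for this thread: a small GPT consistency checker in the spirit
# of gdisk's verify pass.  Not gdisk, Tableau or any forum poster's code.
# It runs over bytes; on Windows the same bytes can be read from
# \\.\PhysicalDriveN with automount off, as jaclaz describes, or from a dd image.
import struct
import uuid
import zlib

GPT_SIGNATURE = b"EFI PART"
# 92-byte header at LBA 1 (primary) and at the last LBA (backup), little-endian.
HEADER_FMT = "<8sIIIIQQQQ16sQIII"
HEADER_FIELDS = ("signature", "revision", "header_size", "header_crc", "reserved",
                 "current_lba", "backup_lba", "first_usable_lba", "last_usable_lba",
                 "disk_guid", "partition_array_lba", "partition_count",
                 "partition_entry_size", "partition_array_crc")
LINUX_FS_GUID = uuid.UUID("0FC63DAF-8483-4772-8E79-3D69D8477DE4")  # real type GUID


def parse_header(sector: bytes) -> dict:
    return dict(zip(HEADER_FIELDS, struct.unpack_from(HEADER_FMT, sector, 0)))


def header_crc_ok(sector: bytes, hdr: dict) -> bool:
    # The CRC32 covers header_size bytes with the CRC field itself zeroed.
    size = hdr["header_size"]
    if size < 92 or size > len(sector):
        return False
    raw = bytearray(sector[:size])
    raw[16:20] = b"\0\0\0\0"
    return zlib.crc32(bytes(raw)) == hdr["header_crc"]


def check_gpt(image: bytes, sector_size: int) -> dict:
    """Return the partitions found plus a list of human-readable problems."""
    total = len(image) // sector_size

    def sector(lba):
        return image[lba * sector_size:(lba + 1) * sector_size]

    problems = []
    primary = sector(1)
    if not primary.startswith(GPT_SIGNATURE):
        # Not GPT, or LBA 1 is at the wrong byte offset because the logical
        # sector size assumed here (512 vs 4096) is not the one the GPT was
        # written with; a bridge or write blocker reporting the other size
        # makes a perfectly good disk look unpartitioned.
        return {"sector_size": sector_size, "partitions": [], "disk_guid": None,
                "problems": ["no GPT signature at LBA 1 (not GPT, or wrong sector size)"]}
    hdr = parse_header(primary)
    if not header_crc_ok(primary, hdr):
        problems.append("primary header CRC32 mismatch")
    if hdr["current_lba"] != 1:
        problems.append(f"primary header claims to be at LBA {hdr['current_lba']}, not 1")
    n, esz = hdr["partition_count"], hdr["partition_entry_size"]
    if esz < 128:                                  # spec minimum; avoid a zero divisor
        problems.append(f"partition entry size {esz} is smaller than 128")
        esz = 128
    start = hdr["partition_array_lba"] * sector_size
    array = image[start:start + n * esz]
    if len(array) < n * esz:
        problems.append("partition array runs past end of image")
    elif zlib.crc32(array) != hdr["partition_array_crc"]:
        problems.append("partition array CRC32 mismatch")
    parts = []
    for i in range(len(array) // esz):
        entry = array[i * esz:(i + 1) * esz]
        if entry[:16] == b"\0" * 16:              # all-zero type GUID = unused slot
            continue
        first, last = struct.unpack_from("<QQ", entry, 32)
        name = entry[56:128].decode("utf-16-le", "replace").rstrip("\0")
        parts.append((i, first, last, name))
        if first > last or first < hdr["first_usable_lba"] or last > hdr["last_usable_lba"]:
            problems.append(f"partition {i} ({name!r}) LBA {first}-{last} is outside the "
                            f"usable range {hdr['first_usable_lba']}-{hdr['last_usable_lba']}")
    by_start = sorted(parts, key=lambda p: p[1])
    for a, b in zip(by_start, by_start[1:]):
        if b[1] <= a[2]:
            problems.append(f"partitions {a[0]} and {b[0]} overlap")
    bak_lba = hdr["backup_lba"]
    if bak_lba >= total:
        problems.append(f"backup header LBA {bak_lba} lies beyond the image "
                        f"({total} sectors): truncated image or bridge mis-reporting size")
    else:
        backup = sector(bak_lba)
        if not backup.startswith(GPT_SIGNATURE):
            problems.append(f"backup header missing at LBA {bak_lba}")
        else:
            bh = parse_header(backup)
            if not header_crc_ok(backup, bh):
                problems.append("backup header CRC32 mismatch")
            if bh["disk_guid"] != hdr["disk_guid"] or bh["backup_lba"] != 1:
                problems.append("backup header does not match primary")
    return {"sector_size": sector_size, "partitions": parts, "problems": problems,
            "disk_guid": str(uuid.UUID(bytes_le=hdr["disk_guid"]))}


def detect_sector_size(image: bytes):
    """Try the two common logical sector sizes; None if neither shows a GPT."""
    for size in (512, 4096):
        if image[size:size + 8] == GPT_SIGNATURE:
            return size
    return None


def build_sample_image(sector_size=512, total_sectors=2048) -> bytes:
    """Constructed, well-formed GPT disk with one partition (not a real drive)."""
    disk_guid = uuid.UUID("11111111-2222-3333-4444-555555555555")  # made-up GUID
    n, esz = 128, 128
    array_sectors = (n * esz + sector_size - 1) // sector_size
    first_usable, last_usable = 2 + array_sectors, total_sectors - 2 - array_sectors
    entry = (LINUX_FS_GUID.bytes_le + uuid.UUID(int=0xABCD).bytes_le
             + struct.pack("<QQQ", first_usable, last_usable, 0)
             + "evidence".encode("utf-16-le").ljust(72, b"\0"))
    array = entry + b"\0" * (esz * (n - 1))

    def header(current, backup, array_lba):
        raw = bytearray(struct.pack(HEADER_FMT, GPT_SIGNATURE, 0x00010000, 92, 0, 0,
                                    current, backup, first_usable, last_usable,
                                    disk_guid.bytes_le, array_lba, n, esz, zlib.crc32(array)))
        struct.pack_into("<I", raw, 16, zlib.crc32(bytes(raw)))  # fill in header CRC
        return bytes(raw).ljust(sector_size, b"\0")

    img = bytearray(total_sectors * sector_size)
    img[446:462] = bytes([0, 0, 2, 0, 0xEE, 0xFF, 0xFF, 0xFF]) + struct.pack("<II", 1, total_sectors - 1)
    img[510:512] = b"\x55\xAA"                    # protective MBR with one 0xEE entry
    last, bak_array = total_sectors - 1, total_sectors - 1 - array_sectors
    img[sector_size:2 * sector_size] = header(1, last, 2)
    img[2 * sector_size:2 * sector_size + len(array)] = array
    img[bak_array * sector_size:bak_array * sector_size + len(array)] = array
    img[last * sector_size:] = header(last, 1, bak_array)
    return bytes(img)


if __name__ == "__main__":
    disk = build_sample_image()
    size = detect_sector_size(disk)
    report = check_gpt(disk, size)
    print(f"sector size {size}, disk GUID {report['disk_guid']}, partitions "
          f"{report['partitions']}, problems: {report['problems'] or 'none'}")
```

Run as-is it reports the constructed disk as clean; run `check_gpt(disk, 4096)` on the same bytes and it reports no GPT at LBA 1, which is the symptom the 4Kb-sector reports in the thread describe. A truncated image (or a drive whose bridge reports fewer sectors than the GPT was written for) shows up as the backup header lying beyond the end, and any stray write into the partition array shows up as a CRC32 mismatch before any partition is interpreted. Nothing here mounts a filesystem, so it is safe to run against an evidence copy behind a write blocker; it only tells you whether the partitioning itself is self-consistent before you hand the disk to an OS that will try to mount it.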
hydrocloricacid
(@hydrocloricacid)
Posts: 37
Eminent Member
 

Be interested in hearing how you resolved this.

Did you boot to Linux and then copy the evidence image files to a HDD formatted by Windows?

 
Posted : 12/08/2015 1:47 pm