Channel: Forensic Focus Forums - Recent Topics

General Discussion: Forensic Imaging of USB Drive with Corrupt File System

Since now you have the image, you should IMHO "delay" the "forensic part" and then "fork" it.

Make a copy of the image. Make a second copy of the image. Repair the filesystem on the first copy of the image (i.e. attempt doing a filesystem-based recovery). Once you have this (hopefully) fixed filesystem/volume, do a "diff" of this repaired image against the second copy. Check which/what/how the repairing altered the first copy (i.e. what specifically were the changes made by the repair process). Document them.

Verify the exact nature of these changes (as an example - for simplicity - let's say that a single word, the "magic bytes" 55AA, was missing in the "corrupted" filesystem/volume VBR and that it was all that the recovery process changed); of course resetting those two bytes to the "standard" (and needed) value is NOT altering the evidence in any way (i.e. the consequence of that change will not create from thin air a compromising file), see: http://www.forensicfocus.com/Forums/viewtopic/t=11739/

Then run Encase (or whatever) on the repaired first copy, get all the reports you need, etc. Then run Encase (or whatever) on the "untouched" second copy, carving the "raw" data; if the *whatever* you need finding (and is useful for the case) can be found on this untouched copy, you are fine and will never need to produce the "repaired" copy or the reports created from analyzing it.

jaclaz
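The "diff the repaired copy against the untouched copy and document the changes" step above, as an added example that is not part of the original post: a small Python script that compares two image files byte by byte, reports every changed run with its offset and sector, and records the SHA-256 of both copies for the case notes. The two-sector sample image is constructed inline (a FAT-style VBR with its 0x55AA signature zeroed, plus one data sector) and the 512-byte sector size is an assumption; on real images you would read the two files from disk and feed them to `change_report`.

```python
"""Compare an untouched forensic image against a repaired copy and document
every byte the repair altered. Added example; not from the original post."""
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Tuple

SECTOR_SIZE = 512  # assumption: 512-byte sectors, the common case for USB media


@dataclass
class ByteChange:
    offset: int    # absolute byte offset in the image
    before: bytes  # bytes in the untouched copy
    after: bytes   # bytes in the repaired copy

    def sectors(self) -> List[int]:
        """All sector numbers this run of changed bytes touches."""
        first = self.offset // SECTOR_SIZE
        last = (self.offset + len(self.before) - 1) // SECTOR_SIZE
        return list(range(first, last + 1))


def diff_images(untouched: bytes, repaired: bytes) -> List[ByteChange]:
    """Return each contiguous run of bytes that differs between the copies.

    A filesystem repair must never change the image size, so a size
    mismatch is reported as an error rather than silently truncated."""
    if len(untouched) != len(repaired):
        raise ValueError(f"size mismatch: {len(untouched)} vs {len(repaired)} bytes")
    changes: List[ByteChange] = []
    i, n = 0, len(untouched)
    while i < n:
        if untouched[i] == repaired[i]:
            i += 1
            continue
        start = i
        while i < n and untouched[i] != repaired[i]:
            i += 1
        changes.append(ByteChange(start, untouched[start:i], repaired[start:i]))
    return changes


def change_report(untouched: bytes, repaired: bytes) -> Dict:
    """Build the record to keep alongside the two copies: hashes of both,
    every changed run in hex, and the sorted set of sectors the repair touched."""
    changes = diff_images(untouched, repaired)
    sectors = sorted({s for c in changes for s in c.sectors()})
    return {
        "untouched_sha256": hashlib.sha256(untouched).hexdigest(),
        "repaired_sha256": hashlib.sha256(repaired).hexdigest(),
        "bytes_changed": sum(len(c.before) for c in changes),
        "sectors_changed": sectors,
        "changes": [
            {"offset": c.offset, "before": c.before.hex(), "after": c.after.hex()}
            for c in changes
        ],
    }


def build_sample_images() -> Tuple[bytes, bytes]:
    """Constructed two-sector image, not real evidence: a FAT-style VBR whose
    0x55AA signature at offsets 510-511 is zeroed, plus one data sector."""
    untouched = bytearray(2 * SECTOR_SIZE)
    untouched[0:3] = b"\xEB\x3C\x90"   # jump instruction typical of a VBR
    untouched[3:11] = b"MSDOS5.0"      # OEM name field
    untouched[SECTOR_SIZE:SECTOR_SIZE + 16] = b"hello, evidence!"  # data sector
    # offsets 510-511 stay 00 00: the "corruption" in this constructed case
    repaired = bytearray(untouched)
    repaired[510:512] = b"\x55\xAA"    # what the repair wrote back
    return bytes(untouched), bytes(repaired)


if __name__ == "__main__":
    orig, fixed = build_sample_images()
    for key, value in change_report(orig, fixed).items():
        print(f"{key}: {value}")
```

For the constructed sample the report lists a single two-byte change at offset 510 confined to sector 0, which is exactly the kind of result that lets you argue the repair could not have manufactured evidence; a repair that had touched directory or data sectors would show up in `sectors_changed` and would need to be explained before any report from the repaired copy was relied on.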
