Pixff wrote:
The company has an Old Tableu TD1 and Encase 6 that we used to duplicate an external 1TB USB drive after removing the case using fat32 and splitting the clone into several E01 files. We duplicated the disk to an ordinary 3TB data disk that when put in a HDD bay and connected to my W8 laptop that failed to recognize the filesystem and refused to letting me have access to the disk. I tried acquring the physical disk through Encase. This worlds but just gave me access to the disk clone file structure (including the E01 files) but not the disk that was cloned, is this possible in any way?
Let me see if I get this right.
A. You've imaged the original disk to an EnCase 6 image (.e01) on some computer
B. You've then 'duplicated' that image to a new drive.
C. The new disk, connected to a W8 system, can't be recognized
Question: How exactly did you perform step B? Is it a 'restoration' or did you 'export' the files or ... If restore: How did you verify that step B did produce a true copy? Did you hash it? Or perhaps something less rigorous such as spot-testing random sectors?
Question: (I'm guessing NTFS.) What did you do to bypass NTFS access restriction mechanisms? Any restored file system would have the original NTFS access rules in place, and the first step that normally needs to be done is that an Administrator takes ownership of all 'external' files. Only files that were written with access rights for everyone would be visible on the new system. Is that what stopped you?
Question: What do you mean by 'This worlds but just gave me access to the disk clone file structure (including the E01 files) but not the disk that was cloned'? A 'cloned' disk to me is a sector-by-sector copy ... it can't contain any E01 of the original file.
If you see .e01 files when you preview the new hard disk ... my first guess is that you didn't restore the image correctly, but instead got the image files copied to the drive. Or ... that you didn't really clone the drive, but instead exported the file system to the new drive. And then added the image files to the root directory of the disk.
Quote::
After this we fired up Encase and dragged the first E01 file into Encase, now the file is is visible as an image in Encase named IMAGE, but I can't seem to access the file structure.
(Just pathologically curious: why didn't you do this already after step A? You should have had the files on the system where you had EnCase already then ... )
What version of EnCase 6 are you using? Some releases had problems with the dongle, and occasionally lost contact with it. If that happened, you typically couldn't not do any useful work until the dongle got back on-line (as far as EnCase was concerned).
You may want to examine the case files with something like FTK Imager or OsForensics (or MountImage Pro or ... ) to ensure you've actually have a workable image.
Or ... if it's the NTFS protection that has you stumped ... take ownership of the files.
↧