
Can't See Drive in Windows

10 Posts
7 Users
0 Likes
937 Views
(@datainvestigator2)
Posts: 10
Active Member
Topic starter
 

I was sent a hard drive from another forensic firm for further analysis. Very little documentation was provided; however, after attaching a write-block device to the drive, I could see that the drive contained multiple drives, with one that contained folders and files, and it showed that it was a MAC computer. I was able to "preview" the drive in Encase and conduct some analysis; however, when I tried to view the drive in Windows, or load it in Encase or FTK, I can't see the drive (obviously it uses Windows to select the drive).

I tried to image the drive, without success, as it appears that I'm looking at an image, although Encase allows me to "preview" it. Did they use Helix or dd to image the drive, or is it possible the drive was set up in a MAC format and that's why I can't see it in XP? I also tried to export the files….it eventually timed out. I would like to conduct a complete analysis using FTK or Encase. Any suggestions would be appreciated. Thanks

 
Posted : 25/04/2006 10:16 pm
 Andy
(@andy)
Posts: 357
Reputable Member
 

You haven't really explained how you "could see that the drive contained multiple drives"? Was this when you used EnCase?

Windows cannot view a MAC file system. So what you are experiencing is quite normal if the drive contains a straight copy of the system. If you can see the physical device in EnCase as a preview, then you should be able to image the drive.

 
Posted : 25/04/2006 11:49 pm
keydet89
(@keydet89)
Posts: 3568
Famed Member
 

DI2,

What's on the drive you received? It sounds from what you've said so far that the drive may contain multiple images, or partitions.

Can you be a bit more clear regarding what you're dealing with?

Thanks,

Harlan

 
Posted : 26/04/2006 12:39 am
(@datainvestigator2)
Posts: 10
Active Member
Topic starter
 

Yes, I didn't make myself very clear. When I "Preview" in Encase, I see about 9 drives (8 of them don't have anything in them and one has a complete file structure with unallocated space….about 31 gig). This is where I have been able to conduct word searches and review graphics, but when I sweep case….it doesn't work (probably because I haven't been able to acquire the drive).

So, I went to FTK Imager and attempted to image the drive…I was able to see the drive with the Imager and selected the e01 format. Secured the image and then loaded it into FTK….came up with about 450 unknown files….with no details. In the past I have tried to image an image and put it into FTK; this is the result.

I tend to think it is in a MAC format and that's why I can't see it in Windows. What might I need to load the image into FTK or Encase? Any suggestions.

 
Posted : 26/04/2006 1:11 am
(@armresl)
Posts: 1011
Noble Member
 

If it's a Mac, FTK won't read it. 2.0 will but that will be in the summer.

Just out of curiosity, why did you choose the .e01 format?

 
Posted : 26/04/2006 5:32 am
PaulSanderson
(@paulsanderson)
Posts: 651
Honorable Member
 

DI2 - why not post a screen shot of the first sector of the drive - we should be able to tell you whether it is a mac or a pc from that.

Deselect the encase option to map the partitions (can't remember what it is called off the top of my head but it is a check box on one of the acquisition screens)

Try getting the write blocker out of the picture and use linen, encase for dos or dd. This may help you image the drive.

 
Posted : 26/04/2006 1:27 pm
(@gmarshall139)
Posts: 378
Reputable Member
 

What you are seeing is a standard Mac partition structure. Eight or nine partitions, with one containing the bulk of the files. That's how Macs are set up. As you have Encase and a write blocker, just acquire the physical drive. Encase will resolve the file system and you'll be able to conduct your examination as normal. The file system and artifacts are a little different though.

Follow the same procedures as when you preview the disk. Then right click on the physical drive (the one directly above all the partitions in the tree structure) and select acquire. Then select replace source device. You should be in business.

 
Posted : 26/04/2006 4:53 pm
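PaulSanderson's first-sector check and GMarshall's description of the eight-or-nine-partition Mac layout both come down to the Apple Partition Map: block 0 carries the "ER" driver descriptor signature, and each following block holds one big-endian "PM" entry, most of which (partition map, drivers, patches, free space) hold no user files. The parser below is an added example, not code from any poster or from EnCase/FTK; the disk it reads is a constructed sample, not a real image.

```python
import struct

BLOCK = 512  # APM and MBR both use a 512-byte first sector on these disks

def identify_first_sector(sector: bytes) -> str:
    """Classify the first sector: Apple Partition Map (Mac) or MBR (PC)."""
    if len(sector) < BLOCK:
        raise ValueError("need a full 512-byte sector")
    if sector[0:2] == b"ER":            # Driver Descriptor Map signature (Mac)
        return "apm"
    if sector[510:512] == b"\x55\xaa":  # PC boot-sector signature
        return "mbr"
    return "unknown"

def parse_apm(image: bytes) -> list:
    """Walk the partition map from block 1; every entry is big-endian."""
    entries = []
    for blk in range(1, len(image) // BLOCK):
        rec = image[blk * BLOCK: (blk + 1) * BLOCK]
        if rec[0:2] != b"PM":           # end of the map
            break
        _sig, map_cnt, start, count, name, ptype = struct.unpack(
            ">2s2xIII32s32s", rec[:80])
        entries.append({
            "name": name.split(b"\0", 1)[0].decode("ascii", "replace"),
            "type": ptype.split(b"\0", 1)[0].decode("ascii", "replace"),
            "start": start, "blocks": count})
        if blk >= map_cnt:              # pmMapBlkCnt says how many entries exist
            break
    return entries

def user_data_partitions(entries: list) -> list:
    """Only the HFS/HFS+ volumes hold user files; the rest look 'empty' in EnCase."""
    return [e for e in entries if e["type"] in ("Apple_HFS", "Apple_HFSX")]

def _apm_entry(map_cnt, start, count, name, ptype) -> bytes:
    rec = struct.pack(">2s2xIII32s32s", b"PM", map_cnt, start, count, name, ptype)
    return rec.ljust(BLOCK, b"\0")

def build_sample_mac_image() -> bytes:
    """Constructed sample disk (map only, no partition contents): hypothetical values."""
    parts = [(1, 5, b"Apple", b"Apple_partition_map"),
             (6, 54, b"Macintosh", b"Apple_Driver_ATA"),
             (60, 54, b"Macintosh", b"Apple_FWDriver"),
             (114, 5, b"Patch Partition", b"Apple_Patches"),
             (119, 2000, b"Macintosh HD", b"Apple_HFS")]
    ddm = struct.pack(">2sHI", b"ER", BLOCK, 2119).ljust(BLOCK, b"\0")
    return ddm + b"".join(_apm_entry(len(parts), *p) for p in parts)
```

Run `identify_first_sector` on the first 512 bytes of the physical device (or an E01's raw first sector) to settle Mac versus PC, then `parse_apm` to see why EnCase lists nine "drives" of which only the Apple_HFS one carries files.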
(@datainvestigator2)
Posts: 10
Active Member
Topic starter
 

GMarshall, you were right, I tried this last night. I was able to acquire the image (within a folder) in Encase and it worked fine. I could copy files out to FTK (mail) and that worked well too. I also confirmed that you can't load a MAC image into FTK, which was pointed out in an earlier post; that was good.

I still got the error (Script 1 out of range) when I tried to "sweep" the case within Encase….not sure why. Maybe I will look at Guidance Software's website for answers there. Thanks for the help and suggestions…..I'm on my way.

Oh, and why I use .e01 for the format of the image….because that's what I'm familiar with and know that it will load within Encase and FTK. Yes, I have seen posts suggesting other formats, including raw and dd….never tried them.

 
Posted : 27/04/2006 1:43 am
(@gmarshall139)
Posts: 378
Reputable Member
 

I have run into some script errors recently as well. Tech support will get you through. Usually it's a simple fix.

 
Posted : 27/04/2006 7:46 am
mark777
(@mark777)
Posts: 101
Estimable Member
 

If it helps - my colleague recently had a MAC to do and struggled with EnCase but found that WinHex Forensic worked wonderfully well with it.

 
Posted : 28/04/2006 1:32 pm