Dealing with very large amounts of data


joethomas
Senior Member
 

Dealing with very large amounts of data

Post Posted: Mar 18, 09 16:08

I've just had to image a spanned RAID of over 2TB which had the entire MFT corrupted, and I need to recover all of the contents. The disks were almost entirely full. X-Ways won't deal with spanned disks of over 2TB, FTK won't recover the folders and EnCase eventually recovered the folders fine but is telling me that it will take over 100 years(!!!!!) to copy the folder structure and files back.
Now, seeing that I can't really wait 100 years to get the information I need, does anyone know of any tools out there that will do this job a lot quicker?

Joe Thomas  
 
  

mobileforensicswales
Senior Member
 

Re: Dealing with very large amounts of data

Post Posted: Mar 18, 09 16:15

- joethomas
does anyone know of any tools out there that will do this job a lot quicker?

Joe Thomas


If you use the EnCase virtual disk emulator you will be able to mount the disk with the recovered folders present in the mount

You can copy them out or search through their contents any way you please then

Hope this helps

Steve  
 
  

joethomas
Senior Member
 

Re: Dealing with very large amounts of data

Post Posted: Mar 18, 09 16:21

Will that keep the folder structure?  
 
  

mobileforensicswales
Senior Member
 

Re: Dealing with very large amounts of data

Post Posted: Mar 18, 09 16:25

Yes, the virtual disk emulator (mount as network share) keeps everything that shows in EnCase

Physical disk just shows things from the original E01's :S

Hope I've got that the right way round, I'm 100% sure one of them keeps recovered folders and mounted files, 95% sure it's the Virtual disk emulator
 
  

joethomas
Senior Member
 

Re: Dealing with very large amounts of data

Post Posted: Mar 18, 09 16:28

Ah, yes, I've just tested it on a spare machine and that appears to work... I will need to reboot my system though, which means waiting 9 hours for the case to load!

Thanks

Joe Thomas  
 
  

DFICSI
Senior Member
 

Re: Dealing with very large amounts of data

Post Posted: Mar 18, 09 16:30

Beware of the problems with mounting as a network share in EnCase. It has been reported that the first 4GB are copied over and over so you only ever see the information from the first 4GB.
_________________
The views expressed by me do not reflect on my employer or the quality of work I produce
www.forensic4cast.com 
 
  

mobileforensicswales
Senior Member
 

Re: Dealing with very large amounts of data

Post Posted: Mar 18, 09 16:31

Glad I could help, I only recently picked that up on an EnCase course myself; it's a very useful function

Will have to be buying that module myself I think. If you are having problems mounting it though, ensure all your certs and extra modules are up-to-date or you might end up spending the 9 hours opening the case for nothing lol
 
