Can't See Drive in Windows

  

DataInvestigator2
Member
 

Can't See Drive in Windows

Posted: Apr 25, 06 22:16

I was sent a hard drive from another forensic firm for further analysis. Very little documentation was provided, however after attaching a write-block device to the drive, I could see that the drive contained multiple drives, with one that contained folders and files and it showed that it was a Mac computer. I was able to "preview" the drive in EnCase and conduct some analysis, however, when I tried to view the drive in Windows, load it in EnCase or FTK, I can't see the drive (obviously it uses Windows to select the drive).

I tried to image the drive, without success as it appears that I'm looking at an image; although EnCase allows me to "preview" it. Did they use Helix or dd to image the drive or is it possible the drive was set up in a Mac format and that's why I can't see it in XP? I also tried to Export the files....it eventually timed out. I would like to conduct a complete analysis using FTK or EnCase. Any suggestions would be appreciated. Thanks
 
  

Andy
Senior Member
 

Re: Can't See Drive in Windows

Posted: Apr 25, 06 23:49

You haven't really explained how you "could see that the drive contained multiple drives"? Was this when you used EnCase?

Windows cannot view a Mac file system. So what you are experiencing is quite normal if the drive contains a straight copy of the system. If you can see the physical device in EnCase as a preview, then you should be able to image the drive.
 
  

keydet89
Senior Member
 

Re: Can't See Drive in Windows

Posted: Apr 26, 06 00:39

DI2,

What's on the drive you received? It sounds from what you've said so far that the drive may contain multiple images, or partitions.

Can you be a bit more clear regarding what you're dealing with?

Thanks,

Harlan  
 
  

DataInvestigator2
Member
 

Re: Can't See Drive in Windows

Posted: Apr 26, 06 01:11

Yes, I didn't make myself very clear. When I "Preview" in EnCase, I see about 9 drives (8 of them don't have anything in them and one has a complete file structure with unallocated space....about 31 gig). This is where I have been able to conduct word searches and review graphics, but when I sweep case....it doesn't work (probably because I haven't been able to acquire the drive).

So, I went to FTK Imager and attempted to image the drive...I was able to see the drive with the Imager and selected the e01 format. Secured the image and then loaded it into FTK....came up with about 450 unknown files....with no details. In the past I have tried to image an image and put it into FTK, this is the result.

I tend to think it is in a Mac format and that's why I can't see it in Windows. What might I need to load the image into FTK or EnCase? Any suggestions?
 
  

armresl
Senior Member
 

Re: Can't See Drive in Windows

Posted: Apr 26, 06 05:32

If it's a Mac, FTK won't read it. 2.0 will but that will be in the summer.

Just out of curiosity, why did you choose the .e01 format?
_________________
Why order a taco when you can ask it politely?

Alan B. "A man can live a good life, be honorable, give to charity, but in the end, the number of people who come to his funeral is generally dependent on the weather. " 
 
  

PaulSanderson
Senior Member
 

Re: Can't See Drive in Windows

Posted: Apr 26, 06 13:27

DI2 - why not post a screen shot of the first sector of the drive - we should be able to tell you whether it is a mac or a pc from that.

Deselect the EnCase option to map the partitions (can't remember what it is called off the top of my head but it is a check box on one of the acquisition screens)

Try getting the write blocker out of the picture and use linen, EnCase for DOS or dd. This may help you image the drive.
_________________
Paul Sanderson
SQLite Forensics Book
www.amazon.com/SQLite-...entries*=0

Forensic Toolkit for SQLite
sandersonforensics.com...for-SQLite 
 
  

gmarshall139
Senior Member
 

Re: Can't See Drive in Windows

Posted: Apr 26, 06 16:53

What you are seeing is a standard Mac partition structure. Eight or nine partitions, with one containing the bulk of the files. That's how Macs are set up. As you have EnCase and a write blocker, just acquire the physical drive. EnCase will resolve the file system and you'll be able to conduct your examination as normal. The file system and artifacts are a little different though.

Follow the same procedures as when you preview the disk. Then right click on the physical drive (the one directly above all the partitions in the tree structure) and select acquire. Then select replace source device. You should be in business.
_________________
Greg Marshall, EnCE 
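
The first-sector check suggested by Paul Sanderson and the multi-partition Mac layout described by Greg Marshall can be reproduced on a raw image with a short script. This is an added example, not part of the original thread: it tells an Apple Partition Map apart from an MBR or GPT disk and lists the map entries. The function names, the 512-byte block assumption and the sample image are all constructed for illustration.

```python
import struct

SECTOR = 512  # assumed block size for the sample; block 0 of an APM disk records its own

def classify(data: bytes) -> str:
    """Classify the first two sectors of a raw image: 'apm', 'gpt', 'mbr' or 'unknown'."""
    if len(data) < 2 * SECTOR:
        raise ValueError("need at least the first two sectors")
    if data[0:2] == b"ER" and data[SECTOR:SECTOR + 2] == b"PM":
        return "apm"   # Apple Partition Map: driver descriptor + first map entry
    if data[510:512] == b"\x55\xaa":
        # A GPT disk carries a protective MBR, then "EFI PART" at LBA 1
        return "gpt" if data[SECTOR:SECTOR + 8] == b"EFI PART" else "mbr"
    return "unknown"

def parse_apm(data: bytes):
    """Return (name, type, start_block, block_count) for each APM entry (big-endian fields)."""
    bs = struct.unpack(">H", data[2:4])[0] or SECTOR      # sbBlkSize from block 0
    total = struct.unpack(">I", data[bs + 4:bs + 8])[0]   # pmMapBlkCnt of first entry
    entries = []
    for i in range(total):
        ent = data[bs * (i + 1):bs * (i + 2)]
        if len(ent) < 80 or ent[0:2] != b"PM":
            break   # truncated or damaged map: stop rather than guess
        start, count = struct.unpack(">II", ent[8:16])
        name = ent[16:48].split(b"\0")[0].decode("ascii", "replace")
        ptype = ent[48:80].split(b"\0")[0].decode("ascii", "replace")
        entries.append((name, ptype, start, count))
    return entries

def build_sample() -> bytes:
    """Constructed APM image prefix (not from the thread): a map, a driver, one HFS volume."""
    parts = [(b"Apple", b"Apple_partition_map", 1, 63),
             (b"Macintosh", b"Apple_Driver43", 64, 56),
             (b"Untitled", b"Apple_HFS", 120, 65000000)]
    img = (b"ER" + struct.pack(">HI", SECTOR, 65000120)).ljust(SECTOR, b"\0")
    for name, ptype, start, count in parts:
        ent = b"PM\0\0" + struct.pack(">III", len(parts), start, count)
        ent += name.ljust(32, b"\0") + ptype.ljust(32, b"\0")
        img += ent.ljust(SECTOR, b"\0")
    return img

if __name__ == "__main__":
    sample = build_sample()
    print(classify(sample))
    for entry in parse_apm(sample):
        print(entry)
```

On real evidence, feed it the first sectors read from a verified working copy of the image rather than from the original device.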
 

Page 1 of 2