Knowledgebase:
Adding File System Evidence (Disk image)
Posted by Jack H. Ward, Last modified by Jack H. Ward on 29 January 2018 03:18 AM


File System Evidence is a link to any type of storage device containing files that allows the examiner to view and examine its structure and contents. File system evidence can recover the contents of deleted files and folders on a computer and view compressed files.

File system evidence allows the user to examine data with the following file systems:

  • FAT12
  • FAT16
  • FAT32
  • FATX
  • STFS
  • NTFS
  • Ext2
  • Ext3
  • HFS+

Electronic Evidence Examiner allows you to use the following types of file system evidence:

  • Logical Drive: A logical drive connected to the computer on which the case is opened.
  • Physical Drive: A physical drive connected to the computer on which the case is opened.
  • Separate Folder: A folder on a physical drive connected to the computer on which the case is opened OR a network folder OR a folder on a CD/DVD disc OR a whole CD/DVD disc.
  • Images: A file system or disk images created by PFR, Encase 4-7, Safeback 2-3, VirtualPC 2007, VMWare 1.1, or RAW disk image (created by SMART or other software).

To add new file system evidence to the case:

1. On the Evidence tab, in the Evidence group, click Add Evidence; or right-click the case node and select Add New Evidence; or click Add Evidence on the Welcome screen (if you add evidence before creating or opening a new case, the case will be created automatically and saved to the default location. The name of the case file will be e3).

2. The Add New Evidence window opens.
3. Select the evidence category (Image File) and the Source type. Use the Autodetect option to auto detect the image file type. Use the Drive image option to mount  an image of a physical drive. Use the FAT/FATX/STFS/NTFS/ExtX/HFS partition image to mount an image of a logical drive with a corresponding file system.



4. Navigate to the Evidence Source and select it. Please note, when opening the *.vmdk split images you can select any part of  it, not obligatory the first one.
5. Enter the Evidence name (by default, the name of the file to be added) and click OK.
6. When opening an encrypted image, you need to enter its password. Click OK.
7.When opening a NTFS file system image, you will be asked to define its settings before you open it.
8.The image file is added to the case.
9. The structure of the file system is displayed in the Case Content pane (to the left). The contents of the selected folder/node are displayed in the Data View pane (to the right).
10. You can view the contents of files and folders and unallocated space.

The investigation of file system evidence is possible with the following packages:

  • E3: Universal
  • E3: P2C


Attachments 
 
 Adding File System Evidence 1.png (35.03 KB)
(0 vote(s))
Helpful
Not helpful

Comments (0)