
Can't see PhysicalDrive


  • Can't see PhysicalDrive

    Since OSFMount can't mount HFS image files, I mounted the image with FTK Imager, both as a logical and physical drive. I can use OSForensics to access the logical drive (mapped to a drive letter) but when I try to do a Deleted Files Search, I can't see the physical drive (i.e. \\.\PhysicalDrive3)...

    Any ideas?
    Thanks

  • #2
    Since OSFMount can't mount HFS image files
    Did you try? We are thinking it might be OK. But of course to Windows the drive will appear as being unformatted as it won't know anything about the HFS file system (unless you are running special software like MacDrive). It might be the case that the drive letter doesn't appear if there is no supported file system on the drive however.

    What version of OSForensics are you using? We made some changes to the drive detection code recently. I think we might be excluding any drives that don't have any partitions.

    OSForensics is Windows only software for the moment.

    HFS is the Mac file system. So you can't at the moment use OSForensics to investigate Macs to any great degree. Although you should be able to browse the sectors and carve some data, this won't be as effective as undelete would be for an NTFS drive. For NTFS and FAT we parse the master file tables looking for deleted file records. This won't be done for HFS.



    • #3
      OSForensics ver. 087, build 1000. I thought that maybe OSForensics did file carving by header information since it would be looking at the entirety of the physical drive, not just the Windows formatted portion.

      Thanks



      • #4
        Can you try the current beta, V0.92?
        http://www.osforensics.com/download.html

        Yes, undelete does both (in later beta releases). It uses both the MFT and does matching on file headers on the raw disk. But to do this you need to check the "File carving" box in the undelete config window.

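The two recovery approaches contrasted in replies #2 and #4, as an added example that is not OSForensics code and not part of the original thread: one pass looks for NTFS MFT `FILE` records whose in-use flag is clear, the other matches file headers on raw bytes and so works without any file system knowledge. Assumptions: 1024-byte MFT records, a scan on 512-byte boundaries, JPEG as the carved type, and a constructed in-memory image; fixup arrays and fragmented files are not handled.

```python
import struct

SECTOR = 512
MFT_RECORD_SIZE = 1024          # common NTFS default; assumed for this sketch
JPEG_SOI = b"\xff\xd8\xff"      # JPEG start-of-image signature
JPEG_EOI = b"\xff\xd9"          # JPEG end-of-image marker


def deleted_mft_records(raw: bytes):
    """Yield (offset, is_directory) for MFT FILE records whose in-use flag is clear."""
    for off in range(0, len(raw) - MFT_RECORD_SIZE + 1, SECTOR):
        if raw[off:off + 4] != b"FILE":
            continue
        (flags,) = struct.unpack_from("<H", raw, off + 0x16)
        if not flags & 0x0001:               # bit 0 clear: record is not in use
            yield off, bool(flags & 0x0002)  # bit 1: record describes a directory


def carve_jpegs(raw: bytes, max_size: int = 20 * 1024 * 1024):
    """Return (start, end) ranges found by header/footer matching, ignoring any file system."""
    hits, pos = [], 0
    while (start := raw.find(JPEG_SOI, pos)) != -1:
        end = raw.find(JPEG_EOI, start + len(JPEG_SOI), start + max_size)
        if end == -1:
            pos = start + 1      # header without footer: skip it, keep scanning
            continue
        hits.append((start, end + len(JPEG_EOI)))
        pos = end + len(JPEG_EOI)
    return hits


def build_sample_image() -> bytes:
    """Constructed test data: one live record, one deleted record, one stray JPEG."""
    def record(flags):
        rec = bytearray(MFT_RECORD_SIZE)
        rec[0:4] = b"FILE"
        struct.pack_into("<H", rec, 0x16, flags)
        return bytes(rec)
    jpeg = JPEG_SOI + b"\xe0" + b"constructed-payload" + JPEG_EOI
    slack = bytes(SECTOR - len(jpeg))
    return record(0x0001) + record(0x0000) + bytes(SECTOR) + jpeg + slack


if __name__ == "__main__":
    img = build_sample_image()
    print("deleted MFT records:", list(deleted_mft_records(img)))
    print("carved JPEG ranges:", carve_jpegs(img))
```

On an HFS image only the signature pass can return anything, since there is no MFT to parse, which matches the limitation described in reply #2.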
