How to access your raw format usb stick with OS Forensics?


  • How to access your raw format usb stick with OS Forensics?

    I need to access my usb stick which is in raw format. I'm not after deleted files, I repeat I'm not after deleted files, only the files that are sitting there right now but not accessible due to the usb being in raw format. This usb was previously in fat format but morphed into raw. If it's possible to access my files in a raw format usb then what steps do I need to take?

    Where do I find the manual for OS Forensics?
    Thank you in advance.

  • #2
    Raw is not actually a file system, nor a format.

    When people talk about raw, they generally mean there is no file system and no formatting / partitioning (or that they want to ignore the file system and just look at the 'raw' disk sectors).
    Raw is the absence of a file system.

    So the whole concept of accessing files in a raw format doesn't really make sense.

    Unless you want to look at the actual disk sectors in hexadecimal? OSForensics will do this for you using the raw disk viewer module.

    In truth if the FAT file system has been corrupted or overwritten, then the files are more or less deleted (or at least orphaned without an index reference in the file allocation table). The exact state of play will depend on how badly your USB drive 'morphed'. Also, morphed might not be the correct technical term, we in the industry prefer the term, 'totally fubar'.



    • #3
      Originally posted by David (PassMark)
      Raw is not actually a file system, nor a format.

      When people talk about raw, they generally mean there is no file system and no formatting / partitioning (or that they want to ignore the file system and just look at the 'raw' disk sectors).
      Raw is the absence of a file system.

      So the whole concept of accessing files in a raw format doesn't really make sense.

      Unless you want to look at the actual disk sectors in hexadecimal? OSForensics will do this for you using the raw disk viewer module.

      In truth if the FAT file system has been corrupted or overwritten, then the files are more or less deleted (or at least orphaned without an index reference in the file allocation table). The exact state of play will depend on how badly your USB drive 'morphed'. Also, morphed might not be the correct technical term, we in the industry prefer the term, 'totally fubar'.
      The files are still there according to another data recovery tool called easeUS.
      What do I need to do using OS Forensic to open these files in that raw usb?
      Specifically what do I need to click on the left hand side of OS Forensic menu?
      Am I able to make an image of the usb in question with OS Forensics before attempting recovery just in case?



      • #4
        Yes, you can image the drive with OSForensics. ImageUSB can also do this.

        EaseUS deals with deleted files. OSForensics can do this as well. But you have already ruled out dealing with them as deleted files. Even though they are probably deleted files.

        So your options are,

        1) Do some research and work out what is wrong and fix it, e.g. fix the partition table, fix the file allocation table, etc. During this exercise you might find the drive has a physical error (you didn't describe how the morphing happened so anything is possible). In this case you need to move all the data to a new flash drive, then repair the missing data structures.

        2) Treat the inaccessible files as deleted files. If FAT has totally gone, then you might need to carve the files. If there are fragments of the FAT remaining, then maybe some parsing is possible with the right tools.

        3) Take it to a professional file recovery service, who will do 1) or 2) for you.
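
For option 1, a first step in working out what is wrong is to look at sector 0 of the backup image rather than the stick itself. The Python sketch below is an added example, not part of the original thread and not OSForensics code; the function names and the sample sector are constructed for illustration. It reports whether sector 0 still holds a sane FAT boot sector, an MBR partition table, or neither.

```python
import struct

def triage_sector0(sector: bytes) -> dict:
    """Classify the first 512-byte sector of a drive image without modifying it."""
    if len(sector) < 512:
        raise ValueError("need at least one 512-byte sector")
    if not any(sector[:512]):
        return {"kind": "blank", "problems": ["sector 0 is all zeros (overwritten or wiped)"]}
    report = {"kind": "unknown", "problems": []}
    if sector[510:512] != b"\x55\xaa":
        report["problems"].append("missing 0x55AA signature at offset 510")
    # BIOS Parameter Block fields common to FAT12/16/32, little-endian.
    bps, spc, reserved, nfats = struct.unpack_from("<HBHB", sector, 11)
    fatsz16, = struct.unpack_from("<H", sector, 22)
    fatsz32, = struct.unpack_from("<I", sector, 36)
    bpb_sane = (sector[0] in (0xEB, 0xE9) and bps in (512, 1024, 2048, 4096)
                and spc in (1, 2, 4, 8, 16, 32, 64, 128) and reserved >= 1
                and nfats in (1, 2) and (fatsz16 or fatsz32) > 0)
    if bpb_sane:
        report["kind"] = "FAT32" if fatsz16 == 0 else "FAT12/16"
        report["fat_start_sector"] = reserved      # first FAT follows the reserved area
        report["fat_sectors"] = fatsz16 or fatsz32
        return report
    # No usable BPB: look for an MBR partition table (four 16-byte entries at 446).
    parts = []
    for off in range(446, 510, 16):
        boot, ptype = sector[off], sector[off + 4]
        lba, count = struct.unpack_from("<II", sector, off + 8)
        if boot in (0x00, 0x80) and ptype and count:
            parts.append({"type": hex(ptype), "start_lba": lba, "sectors": count})
    if parts:
        report["kind"] = "MBR"
        report["partitions"] = parts   # repeat the triage at start_lba * 512
    else:
        report["problems"].append("no sane FAT BPB and no MBR partition entries")
    return report

def constructed_fat32_sector() -> bytes:
    """Constructed sample: minimal FAT32 boot sector (not taken from a real drive)."""
    s = bytearray(512)
    s[0:3] = b"\xeb\x58\x90"                          # x86 jump over the BPB
    struct.pack_into("<HBHB", s, 11, 512, 8, 32, 2)   # 512 B/sector, 8 sectors/cluster
    struct.pack_into("<I", s, 36, 1900)               # FAT32 size in sectors
    s[510:512] = b"\x55\xaa"
    return bytes(s)

if __name__ == "__main__":
    print(triage_sector0(constructed_fat32_sector()))
```

On a real image, pass it the first 512 bytes read from the image file; an "unknown" or "blank" result is consistent with Windows reporting the volume as RAW.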



        • #5
          Originally posted by David (PassMark)
          Yes, you can image the drive with OSForensics. ImageUSB can also do this.

          EaseUS deals with deleted files. OSForensics can do this as well. But you have already ruled out dealing with them as deleted files. Even though they are probably deleted files.
          I will treat them as deleted files if it means I can get them back.
          Should I make another image of them with OS Forensics too?



          • #6
            I have a list of files in EnCase's Evidence File format that were obtained using FTK Imager. What would I need to select from the menu options on the left-hand side of OS Forensics to actually open and view their contents? Procedure?



            • #7
              Cyber101... I'm assuming you have an EnCase E01 image file, which is a segmented image file that looks similar to (e.g., filename.E01, filename.E02, filename.E03, etc., etc.). This should walk you through adding this EnCase image into OSF.

              1. Click on "Manage Case" and either create a new case or open an existing one.
              2. Select "Add Device" (new window opens)
              3. Select the radio button for "Image File" and then click the button with the three "..." to point OSF to your image file.
              4. Navigate to where your EnCase forensic image is stored and select ONLY the file with the ".E01" extension. (Larger images will have several other segmented files such as filename.E02, filename.E03, etc., etc., but you just need to select the first file which will have the .E01 extension.)
              5. Select "Open", then click on "OK"
              6. You should now be able to data carve the image for known file types by using the "Deleted File Search" feature, and making sure you go into the "Config" options and check-mark the box that says "Enable File Carving (slow)".

              Hope this helps. You can always reference the OSF help file (i.e., user manual) by visiting: http://www.osforensics.com/downloads/OSF_help.pdf
              Last edited by JeffS; Nov-25-2016, 04:30 PM.
              - Jeff S.
              PassMark Software
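
What signature-based carving does in principle, shown as an added Python example that is not part of the original thread and is not how OSForensics implements its "Enable File Carving" option: it ignores the file system and scans sector boundaries of a raw image for known file headers, then searches forward for the matching footer. The function names and the sample image are constructed; the result is only correct for unfragmented files, and a JPEG with an embedded thumbnail will be cut at the thumbnail's end marker.

```python
SECTOR = 512
SIGNATURES = {  # extension: (header bytes, footer bytes)
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
}

def carve(image: bytes, max_size: int = 16 * 1024 * 1024) -> list:
    """Return (ext, offset, length) for each sector-aligned header with a footer."""
    hits, off = [], 0
    while off < len(image):
        for ext, (head, foot) in SIGNATURES.items():
            # Files start on cluster (hence sector) boundaries, so only test here.
            if image.startswith(head, off):
                end = image.find(foot, off + len(head), off + max_size)
                if end != -1:
                    length = end + len(foot) - off
                    hits.append((ext, off, length))
                    # Skip the sectors the carved file occupies.
                    off += (length - 1) // SECTOR * SECTOR
                break
        off += SECTOR
    return hits

def constructed_image() -> bytes:
    """Constructed sample: 8 zeroed sectors with two fake files and one decoy."""
    img = bytearray(8 * SECTOR)
    jpg = b"\xff\xd8\xff\xe0" + b"J" * 700 + b"\xff\xd9"           # 706 bytes
    png = b"\x89PNG\r\n\x1a\n" + b"P" * 100 + b"IEND\xaeB`\x82"    # 116 bytes
    img[2 * SECTOR:2 * SECTOR + len(jpg)] = jpg
    img[4 * SECTOR + 100:4 * SECTOR + 103] = b"\xff\xd8\xff"       # unaligned decoy
    img[5 * SECTOR:5 * SECTOR + len(png)] = png
    return bytes(img)

if __name__ == "__main__":
    image = constructed_image()
    for ext, offset, length in carve(image):
        print(f"{ext}: offset {offset}, {length} bytes")
        # To save a hit, write image[offset:offset + length] to a different drive.
```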



              • #8
                To recover files from a corrupt drive (once you have made a backup image), try TestDisk. It will find any files and save them to another drive for you.
                http://www.rmprepusb.com/tutorials/file_recovery

