Some of the potential problems are:
- Exporting files to a different file system means you can lose metadata (like who owns the file) and lose file time accuracy. Then down the track you are also likely to lose information like the file access time.
- Saving files with their original path runs the risk of exceeding the file path length limits.
- Some paths can not be saved in some file systems (e.g. FAT32 and NTFS have different allowed characters).
- You can lose NTFS streams. For example, if a file has been downloaded from the Internet, that fact is stored in an alternative NTFS file stream.
- Any information that might be in the file slack space is lost.
- Any deleted records in the MFT are lost ($I30 records, etc.).
- Loss of shadow copies of files
- There is the real risk of a file name collision and data loss unless you are really careful about using different folders for each volume. So for example, D:\Document.doc and E:\Document.doc overwrite each other once you export them to a new folder.
- Loss of image thumbnails.
Anyway:
If you just want all files of certain types dumped into a single folder it is fairly easy. As an example, the steps are:
- Go to the File Name search window in OSF.
- Select Office documents from the drop down list (you can customize this drop down list to have your list of file extensions).
- Click on Search. Then CTRL-A to select all the documents found.
- Right click, then from the menu select Save checked items to disk.
C:\Users\<UserName>\Documents\PassMark\OSForensics\Cases\<Casename>\Files\<HashedPath>\<FileName>
This has the advantage that
a) you can't get a file name collision
b) you can't overflow the max path length
c) a lot of metadata is stored with the file, like SHA1 hash values, accurate NTFS times & the original volume name.
You can then supply this \<Casename>\Files\ folder to the client.
But:
If the end game is to get just these files indexed and searchable, then you can do this all within OSF. You can select just these file types in the create index process and index them. Then provide the searchable index to the client. Maybe you don't need some expensive eDiscovery tool.
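The hashed-path export layout and per-file metadata described in the post, as an added illustration that is not OSForensics code or the poster's own: each (volume, original path) pair is mapped to a SHA-1-named folder so that same-named files from D: and E: cannot collide, the export path is checked against the path-length limit, existing files are never overwritten, and the content SHA-1, original path and source timestamps are written to a JSON sidecar. The hash key, the 260-character threshold and the sidecar format are my assumptions, and the sample files are constructed in a temporary directory.

```python
import hashlib
import json
import os
import shutil
import tempfile
from pathlib import Path, PureWindowsPath

MAX_PATH = 260  # classic Windows path limit; assumed here as the threshold to check

def hashed_export_path(export_root, volume, original_path):
    """<export_root>/<SHA-1 of "volume|original path">/<FileName>: files that share a
    name on different volumes (D:\\Document.doc vs E:\\Document.doc) cannot collide."""
    folder = hashlib.sha1(f"{volume}|{original_path}".encode("utf-8")).hexdigest()
    return Path(export_root) / folder / PureWindowsPath(original_path).name

def sha1_of_file(path):
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(1 << 20), b""):
            h.update(block)
    return h.hexdigest()

def export_with_metadata(src, export_root, volume, original_path):
    """Copy src into the hashed layout and write a JSON sidecar with the metadata a
    plain copy drops: original volume/path, content SHA-1 and source timestamps."""
    dest = hashed_export_path(export_root, volume, original_path)
    if len(str(dest)) >= MAX_PATH:
        raise ValueError(f"export path too long ({len(str(dest))} chars): {dest}")
    if dest.exists():
        raise FileExistsError(f"refusing to overwrite {dest}")
    st = os.stat(src)  # stat before copying so the read does not disturb atime
    dest.parent.mkdir(parents=True, exist_ok=True)
    shutil.copy2(src, dest)  # copy2 keeps mtime/atime where the target FS allows
    record = {"volume": volume, "original_path": original_path, "file_name": dest.name,
              "sha1": sha1_of_file(dest), "size": st.st_size, "mtime_ns": st.st_mtime_ns,
              "atime_ns": st.st_atime_ns, "ctime_ns": st.st_ctime_ns}
    dest.with_name(dest.name + ".meta.json").write_text(json.dumps(record, indent=2))
    return record

def demo():
    """Constructed sample: two different files both called Document.doc, on D: and E:."""
    root = Path(tempfile.mkdtemp())
    (root / "d_doc").write_bytes(b"from D:")
    (root / "e_doc").write_bytes(b"from E:")
    out = root / "Files"
    r1 = export_with_metadata(root / "d_doc", out, "D:", r"D:\Document.doc")
    r2 = export_with_metadata(root / "e_doc", out, "E:", r"E:\Document.doc")
    return r1, r2, out
```

Running demo() leaves two Document.doc files in distinct hash-named folders under Files, each beside its .meta.json sidecar, which is the same information the post lists as being lost by a plain export.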