Change Drive Letter Mapping

  • Change Drive Letter Mapping

    Is it possible to change the DevicePath drive letter mapping associated with an evidence item after the evidence item has already been added to a case?

    For example, an existing case has a laptop image mapped to a "G" drive currently:

    G:\LT001-JOHN-SMITH\tx1_images\LT001-JOHN-SMITH.E01

    However, when I plugged in the drives holding the forensic image and the OSForensics case, the forensic image file now resides on the H drive of my computer.

    I know I can go into Device Manager and change the drive letter from H to G, but I have other databases running on this machine and do not want to change the drive letter.

    Perhaps there is a way to re-connect OSForensics to the forensic image, which now resides on a drive assigned the letter H, without changing drive letter names?

  • #2
    Where possible don't use images on USB drives or network drives. The latency and throughput is typically pretty awful compared to having the image on an internal M2 drive. Unless the image is huge or the investigation job very short, it generally makes sense to copy the image to an internal drive before starting.

    When you start using a new disk image, you generally add the "device" to the case. This makes a new drive handle in OSF.
    So for example files in your E01 image,
    G:\LT001-JOHN-SMITH\tx1_images\LT001-JOHN-SMITH.E01
    will have paths like
    Laptop-C:\users\mypicture.jpg

    This means you can remove the image file from the case and re-add it, as long as you use the same drive handle name when you re-add it ("Laptop-C" in the example above).

    Alternative hack
    With OSF closed, edit this XML file.
    C:\Users\<Username>\Documents\PassMark\OSForensics\Cases\<Casename>\Devices\<DriveHandleName>.OSFMeta

    and change this XML line
    <DevicePath>G:\LT001-JOHN-SMITH\tx1_images\LT001-JOHN-SMITH.E01</DevicePath>
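The manual XML edit described in the post above can be scripted so that it keeps a backup and confirms the image exists at the new location. This is an added example, not part of the original post and not PassMark code; it assumes only the drive letter changes, that the file is UTF-8 or BOM-marked UTF-16, and the names `pick_codec`, `remap_device_path` and `remap_case` are hypothetical.

```python
import re
import shutil
from pathlib import Path

# The only element the post names; everything else in the file is left byte-for-byte alone.
DEVICE_PATH_RE = re.compile(r"<DevicePath>([A-Za-z]):(\\[^<]*)</DevicePath>")

def pick_codec(raw: bytes) -> str:
    # Assumption: the file is UTF-16 (with BOM) or UTF-8; the post does not say which.
    if raw[:2] == b"\xff\xfe":
        return "utf-16-le"
    if raw[:2] == b"\xfe\xff":
        return "utf-16-be"
    return "utf-8"

def remap_device_path(meta_file, old_letter, new_letter, check_exists=True):
    """Swap the drive letter inside <DevicePath>. Run with OSForensics closed.

    Returns the new image path, or None if the file does not point at old_letter.
    """
    meta_file = Path(meta_file)
    raw = meta_file.read_bytes()
    codec = pick_codec(raw)
    text = raw.decode(codec)            # a BOM, if any, survives as U+FEFF
    m = DEVICE_PATH_RE.search(text)
    if m is None or m.group(1).upper() != old_letter.upper():
        return None
    new_path = f"{new_letter.upper()}:{m.group(2)}"
    # Refuse to point the case at an image that is not actually there.
    if check_exists and not Path(new_path).exists():
        raise FileNotFoundError(new_path)
    backup = meta_file.with_name(meta_file.name + ".bak")
    if not backup.exists():             # keep the first, untouched copy
        shutil.copy2(meta_file, backup)
    patched = text[:m.start(1)] + new_letter.upper() + text[m.end(1):]
    meta_file.write_bytes(patched.encode(codec))
    return new_path

def remap_case(devices_dir, old_letter, new_letter, check_exists=True):
    """Apply the remap to every <DriveHandleName>.OSFMeta in a case's Devices folder."""
    results = {}
    for meta in sorted(Path(devices_dir).glob("*.OSFMeta")):
        results[meta.name] = remap_device_path(meta, old_letter, new_letter, check_exists)
    return results
```

Calling `remap_case(devices_dir, "G", "H")` on the case's `Devices` folder returns a mapping of each metadata file to its new image path, with `None` for devices that were not on the old letter.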










    • #3
      Thank you, David!

      In terms of your comment below, I agree internal M2 drive throughput is much faster than the USB bus, but in our lab, we keep each different case's images and work product on BitLocker encrypted USB drives, which we store in numbered bins when we are not working on a specific case. Our civil cases can last several years, so we cannot keep images and work product on internal M2 drives or we would quickly run out of space.

      When we need to perform more analysis on a case, we pull out the drives and connect them to one of our forensic workstations, which is why we sometimes encounter the need to remap drive letters.

      "Where possible don't use images on USB drives or network drives. The latency and throughput is typically pretty awful compared to having the image on an internal M2 drive. Unless the image is huge or the investigation job very short, it generally makes sense to copy the image to an internal drive before starting."
