Announcement

Collapse
No announcement yet.

Unable to expand DD or E01 files

Collapse
X
Collapse
 
  • Page of 1
  • Filter
  • Time
  • Show
Clear All
new posts
Previous template Next
  • #1

    Unable to expand DD or E01 files

    I am new to OS Forensics and falling down at the first hurdle, i have got 2 images of the same machine, 1 DD and 1 as EO1, but when i add either of them to the case and try to do anything nothing comes up. Both files are fairly big (obviously DD being a lot bigger) and they are both connected to OS Forensics but when i go into file system browser i cannot expand them, is there a step here i am missing?Click image for larger version Name: Screenshot 2023-11-06 161044.png Views: 172 Size: 5.7 KB ID: 56188
    Tags: None
  • #2
    What are the file systems of the images?

    What version of OSF are you using?

    Can we get a copy of the image?

    Can we get a debug log? See,
    https://www.osforensics.com/faqs-and...ebug-mode.html

    Comment

    • #3
      The machine that these images were taken were just Windows 10 Enterprise, I have them in 2 formats DD and EO1 but both seem to be the same outcome, which is in my original screen shot.

      I am running v10 of OSF

      Ive got the debug log which i can email through

      Comment

      • #4
        Yes, please Email the log files.
        (make sure you attempt to browse the file structure, before collecting the log to send to us)

        Did you image the entire hard drive, or just a single partition?
        What is the size on disk of the E01 and RAW image file?

        OSForensics V11 Beta is also now available. However the behaviour is likely the same in this regard.

        Comment

        • #5
          We got the log files. Thanks.

          Isn't conclusive with the limited information we have, but our guess is that the disk were encrypted with full disk encryption (maybe at hardware level, maybe the "HP Drive lock" feature?) and so the disk images you have are also encrypted.

          Comment

          • #6
            Also, what you can do is inspect the raw data in the image with the "Raw Disk viewer" module. Especially the first two sectors.

            If the drive was formatted with GPT, you should see a protective MBR entry (purple circle) and then a GPT style partition table (red circles). See example below.

            If however your data in the first two disk sectors looks completely different to this (e.g. random data), this would be a sign of full disk encryption.
            Click image for larger version Name: GPT-Hex-dump.png Views: 165 Size: 554.7 KB ID: 56213


            Comment

            • #7
              Update: After additional investigation, it seems that the drives were wiped clean (completely zeroed) before the disk image was made. So this explains the inability to find any files on the disk.

              Comment

              Previous template Next
              Working...
              X