Thursday, March 8, 2012

EnCase 7.03 Experiences 002

I stated at the end of EnCase 7.03 Experiences 001 that I would go into greater detail about a concern with the copy folders / files option.

I currently have a ticket open with Guidance Software concerning the below issue and will update this post when they respond, and share their response.

The issue:

Again, this is an issue that I have noticed with EnCase 7.03.

I have tried three different scenarios and have come up with similar results on all of them.  Two are listed below.

The issue is that when exporting folders from EnCase 7.03, EnCase reports that it is going to export more "space" than is on the volume.  I will explain in more depth by walking through my scenarios:

Scenario 1: A small FAT32 Partition from a Windows 7 Machine.

  In the report of the volume the:
    Total Capacity = 39.1 MB
    Total Allocated = 8.9 MB
    Total Unallocated = 30.2 MB

  When I blue check all and export folders the total size displayed is 43.8 MB which is more than the capacity of the volume.  I followed through to see if just the report was in error, and 43.8 MB exported.
  I removed the unallocated sectors (unchecked) and exported the remainder and was shown 13.6 MB which is more than previously reported.
  I tried just the unallocated (only it checked) and was shown 30.2 MB unallocated, which was the previously shown total.

It appears that the allocated area is having an issue.

Scenario 2: A small NTFS Partition from a Windows Vista Machine.

  In the report of the volume the:
    Total Capacity = 14.6 GB
    Total Allocated = 4.4 GB
    Total Unallocated = 10.3 GB

  This one was similar to the previous but even more pronounced... 
  With Export all I had a total size of 35.4 GB, more than twice the partition size.
  With the removal of unallocated it showed 25.1 GB.
  With just unallocated it showed 10.3 GB.

Again it appears the issue is somewhere in the allocated memory.  Is there any reason that this would report such a vast discrepancy?


Update for EnCase 7.03.01

Sadly this hasn't been fixed.  The errors are still the same.


**I got an update on this from Guidance.

The discrepancy is caused by a file named $BadClus.Bad

If/when bad clusters are found they are mapped to this file.  The initialized size is 0, so it is safe, and recommended, to skip it.  This file can potentially be as large as the volume, so be careful to deselect it when copying out files.

There is a series of posts in the support files of the Guidance Software site discussing this issue. 
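
A pre-export sanity check based on the explanation above, as an added example that is not part of the original post or Guidance's tooling. It assumes the selected entries have been written to a CSV with the hypothetical columns `Name`, `LogicalSize` and `InitializedSize` (bytes); the sample listing and capacity are constructed.

```python
import csv
import io

# Constructed sample listing; the column names are assumptions for this
# example, not a documented EnCase export layout. Sizes are in bytes.
SAMPLE_LISTING = """Name,LogicalSize,InitializedSize
$MFT,262144,262144
$BadClus.Bad,15676211200,0
Users/a/report.docx,48213,48213
pagefile.sys,1073741824,1073741824
"""
VOLUME_CAPACITY = 15676211200  # constructed value, roughly 14.6 GB


def plan_export(listing_csv, capacity):
    """Split a selection into entries to copy and entries to deselect.

    An entry is deselected when it has a non-zero logical size but an
    initialized size of 0: it adds its full logical size to the export
    total without contributing any real data.
    """
    keep, skip = [], []
    for row in csv.DictReader(io.StringIO(listing_csv)):
        logical = int(row["LogicalSize"])
        initialized = int(row["InitializedSize"])
        entry = (row["Name"], logical)
        if logical > 0 and initialized == 0:
            skip.append(entry)
        else:
            keep.append(entry)
    raw_total = sum(size for _, size in keep + skip)
    return {
        "raw_total": raw_total,
        # A total larger than the volume is the symptom described above.
        "exceeds_capacity": raw_total > capacity,
        "skip": [name for name, _ in skip],
        "adjusted_total": sum(size for _, size in keep),
    }


if __name__ == "__main__":
    plan = plan_export(SAMPLE_LISTING, VOLUME_CAPACITY)
    print("raw total:", plan["raw_total"], "exceeds:", plan["exceeds_capacity"])
    print("deselect:", plan["skip"])
    print("adjusted total:", plan["adjusted_total"])
```

Review the `skip` list before deselecting, since other preallocated files can also report an initialized size of 0.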
