| Author | Message | ||
     Anonymous |
I'm very interested of the features of your new Winhex-F (forensic). The can read and edit ENCASE files, too, that's right ? Can Winhex-F also re-onvert the Encase-Evidence files into the orginal stae of the HD ? Means: If I produced of a HD by Encase the evidence files. It is possible in an easy way by winhex-f to "undo" that operation, means to reconvert the evidence files into the orginal sate of the HD before making the evidence files ? If yes, you can give a hint ? (Complicated proceedure ?) I would be very pleased about your answer :-) | ||
| Stefan Fleischmann (Admin) |
Yes, X-Ways Forensics and WinHex with a forensic license can read Encase image files (but not edit them). You can also copy an Encase image back to a hard disk or hard disk partition. > into the orginal sate of the HD > before making the evidence files Into the original state of the HD exactly *when* the Encase image was created, yes. If that is what you meant and you need further details, please feel free to ask again (not anonymously, please). | ||
| G. Roberts (Winhexer) |
Many thanks Mr. Fleischman for your quick reply. That's what I want: To "undo" the ENCASE file production by re-transform the encase image (evidence) file into the original state of the HD (of which I have taken the Encase file). Can you give me a concrete hint how I can do it by X-way Forensic ? It is possible to re-transfor it with Winhex, too ? Would be very pleased about your answer so that I can decide which prog I have to get. Thanks in advance. I have the opinion that your prog is very valuable for cases of HD probs which happens in time of long evaluated "secure" OS more and more. | ||
| Stefan Fleischmann (Admin) |
HOW TO RESTORE AN ENCASE IMAGE BACK TO A HARD DISK 1. Open the Encase image file in WinHex. 2. Make sure it is recognized as an image file and treated as such by using Specialist | Interpret Image File As Disk. 3. Now that the image file is treated by WinHex in a similar way as a disk, you can find it the disk selection dialog when select the source disk under Tools | Disk Tools | Clone Disk. Select the hard disk where to restore the image to as the destination and start the cloning process. A forensic license is needed for Encase images to be supported. The outlined procedure can be accomplished in both WinHex and X-Ways Forensics. | ||
| G. Roberts (Winhexer) |
Thx Mr. Fleischmann for the hint A last matter: Can I use winhex after having bought an additional license for it ? Or must I buy X-Forensic new (seams to be another prog with different fils, right) ? The adding licence of winhex would be cheaper ? :-) | ||
| Stefan Fleischmann (Admin) |
The only difference between X-Ways Forensics and WinHex with a forensic license is explained here. Otherwise they are identical. Additional licenses are offered at a reduced price as a kind of volume discount. If you do not yet have a base license, you cannot benefit from the volume discount provided with additional licenses. One base license is required. Additional licenses are required only if you wish to use the full version on more than one computer. | ||
| Stefan Fleischmann (Admin) |
I forgot to mention: 4. If the image does not contain an entire physical hard disk, but a partition only, and you copy it to a partition that is mapped as a logical drive letter in Windows: In order to see the update drive contents immediately and flush Windows' internal cache without rebooting Windows, execute chkdsk /X on the drive. | ||
| George Wiegers Username: gwiegers Registered: N/A |
Can WinHex open up a partial EnCase Image? My team members started acquisitions of two separate 4 GB USB flash drives, but the acquisitions had to be interrupted, so the EnCase images are not complete. When we try to open them in EnCase, I get the following messages: 1) Error: "E:\ItemXX.E02" has missing block table entries and cannot be read - no data appears at all; OR 2) "E:\Item06.E02" cannot be found, choose a new path; and I answer NO to this question, and finally EnCase replies "Multiple missing and/or corrupted files. The evidence will be zeroed out from sector 0" I only have a WinHex specialist licence, but I'm quite willing to upgrade if WinHex/X-Ways can open such partial files, and give me whatever results it can... Thanks, - George - | ||
| Stefan Fleischmann Username: admin Registered: 1-2001 |
Yes, X-Ways Forensics will be able to show you at least the contents of the sectors that have been stored in the .E01 segment. |