EnCase V3 has support for striped disks. You have to create EnCase evidence files for each disk (software RAID) and then import them into a case file and EnCase will see them as "a" drive.

Warren G. Kruse II
Investigations Manager
Lucent Security- Forensics Team Lead
732-949-8713
732-332-6300 (FAX)
wgkruseat_private

-----Original Message-----
From: Frank Knobbe [mailto:FKnobbeat_private]
Sent: Friday, July 27, 2001 6:47 PM
To: 'Ben Ford'; forensicsat_private
Subject: RE: NTFS forensic analysis on Unix platform

*** PGP Signature Status: good
*** Signer: Frank Knobbe <FKnobbeat_private> (Invalid)
*** Signed: 7/27/2001 6:46:45 PM
*** Verified: 7/29/2001 1:58:18 PM
*** BEGIN PGP VERIFIED MESSAGE ***

> -----Original Message-----
> From: Ben Ford [mailto:bfordat_private]
> Sent: Wednesday, July 25, 2001 6:09 PM
>
> Remember that NTFS is a "journaling" filesystem so don't expect to be
> able to undelete a whole lot.
>
> You can always grep the partition without even mounting it tho.

Which is what you would typically do anyway (not mounting the drive, but using a program to sift through the disk).

That raises one question though: How do you grep or sift through two striped disks without mounting them? Does EnCase or similar tools provide support for striped NTFS disks?

Regards,
Frank

*** END PGP VERIFIED MESSAGE ***

-----------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
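The question raised in this thread, how to search striped disks without mounting them, shown as an added example (not part of the original posts, and not a description of how EnCase works): a keyword that crosses a stripe boundary is invisible to a grep of either disk image alone, but is found once the images are read back in logical order. It assumes a plain RAID-0 layout with a known stripe size and disk order and no metadata offset; all function names are hypothetical and the sample data is constructed.

```python
import io

STRIPE = 16                  # constructed tiny stripe unit; real arrays use far larger ones
NEEDLE = b"CONFIDENTIAL"
# Constructed logical volume: the keyword starts at offset 10 and crosses the
# stripe boundary at offset 16, so its two halves land on different disks.
LOGICAL = b"." * 10 + NEEDLE + b"." * 26

def stripe(logical, ndisks, stripe_size):
    """Build per-disk images from a logical volume (only to create the sample)."""
    disks = [bytearray() for _ in range(ndisks)]
    for off in range(0, len(logical), stripe_size):
        disks[(off // stripe_size) % ndisks] += logical[off:off + stripe_size]
    return [bytes(d) for d in disks]

def destripe(images, stripe_size):
    """Yield the logical volume in order by reading the images round-robin."""
    while True:
        chunks = [c for c in (img.read(stripe_size) for img in images) if c]
        if not chunks:
            return
        yield from chunks

def search_striped(images, needle, stripe_size):
    """Logical offsets of needle, including hits that span a stripe boundary."""
    hits, tail, base = [], b"", 0          # base = logical offset of tail[0]
    keep = len(needle) - 1                 # bytes carried over between chunks
    for chunk in destripe(images, stripe_size):
        buf = tail + chunk
        pos = buf.find(needle)
        while pos != -1:
            hits.append(base + pos)
            pos = buf.find(needle, pos + 1)
        tail = buf[-keep:] if keep else b""
        base += len(buf) - len(tail)
    return hits

def demo(ndisks=2):
    """Return (hits from grepping each disk alone, hits from the de-striped search)."""
    disks = stripe(LOGICAL, ndisks, STRIPE)
    per_disk = [d.find(NEEDLE) for d in disks]           # -1 means not found
    images = [io.BytesIO(d) for d in disks]              # stand-ins for opened image files
    return per_disk, search_striped(images, NEEDLE, STRIPE)

if __name__ == "__main__":
    print(demo())
```

On real evidence the images would be opened read-only in binary mode, in the array's disk order, in place of the `io.BytesIO` objects.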
This archive was generated by hypermail 2b30 : Sun Jul 29 2001 - 12:50:16 PDT