Extract or mount unsupported forensic image files to process them
Nuix Workstation can process forensic image formats (E01, L01, DD) taken directly from NTFS, FAT32, EXT2, and EXT3 volumes. NTFS ACLs can also be extracted from forensic images. See the list of supported forensic image files in the Image section of the Nuix Supported File Types document for more details.
A built-in database viewer makes it easy to review the content of the Windows Registry and SQLite databases.
There are two methods you can use to process items from unsupported forensic image file formats:
Extract files from a forensic image
Mount a forensic image
Extract files from a forensic image
Using a forensic application, such as Guidance Software EnCase or AccessData Forensic Toolkit (FTK):
Locate the files and directories of interest.
Export the data from the forensic image.
Import the data into Nuix Workstation by selecting Add and then the Add Folder command when creating a case or adding new evidence.
Advantages of using this method are:
It allows you to extract recovered files found using EnCase or FTK.
It bypasses directory and file security.
Disadvantages of this method are:
Once you export the files and directories, there is a chance of the files being altered prior to being ingested into Nuix Workstation.
It requires additional disk space for exporting the files.
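One way to detect the alteration risk noted above, shown as an added example that is not part of the Nuix documentation: record a SHA-256 manifest of the export folder immediately after export, then compare it again just before using Add Folder. The function names and the sample files are constructed for illustration.

```python
import hashlib
import os
import tempfile


def build_manifest(root):
    """Return {relative_path: sha256_hex} for every file under root."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            digest = hashlib.sha256()
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(1 << 20), b""):
                    digest.update(chunk)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = digest.hexdigest()
    return manifest


def compare_manifests(baseline, current):
    """Report files modified, missing or added since the baseline was taken."""
    return {
        "modified": sorted(p for p in baseline
                           if p in current and baseline[p] != current[p]),
        "missing": sorted(p for p in baseline if p not in current),
        "added": sorted(p for p in current if p not in baseline),
    }


def demo():
    """Constructed sample: an export folder that changes before ingestion."""
    with tempfile.TemporaryDirectory() as export_dir:
        os.makedirs(os.path.join(export_dir, "Users", "alice"))
        doc = os.path.join(export_dir, "Users", "alice", "notes.txt")
        log = os.path.join(export_dir, "system.log")
        with open(doc, "w") as fh:
            fh.write("original content")
        with open(log, "w") as fh:
            fh.write("boot ok")
        baseline = build_manifest(export_dir)    # taken right after export
        with open(doc, "a") as fh:               # altered after export
            fh.write(" edited")
        os.remove(log)                           # lost after export
        with open(os.path.join(export_dir, "stray.tmp"), "w") as fh:
            fh.write("x")                        # never part of the export
        return compare_manifests(baseline, build_manifest(export_dir))


if __name__ == "__main__":
    print(demo())
```

Store the baseline manifest outside the export folder so that it cannot be changed along with the files it describes.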
Mount a forensic image
Use an application, such as GetData’s Mount Image Pro:
Mount the EnCase (E01), Raw, Smart, ISO, or DD image as a virtual drive on your Nuix Workstation.
Once the image is mounted, add evidence to Nuix Desktop by selecting Add and then the Add Folder or Add Files commands.
Advantages of using this method are:
You are examining files and directories in a sealed, read-only environment.
Date and time stamps are not altered as a result of ingesting into Nuix Workstation.
There is no need to export files.
There is no need for EnCase or FTK.
If the image contains multiple partitions, you can virtually mount all partitions to examine them.
Disadvantages include:
You cannot examine deleted files.
You may be unable to access files and directories with security privileges for a non-common user or group.