Image file selection
 		Previous Topic  Next Topic 

Home


Cnw Recovery will work with either a physical hard drive, or with a DD image file. This is a file where is there is a one to one mapping of each sector  to the image file. To select the image file, use the drop down drive select box at the top of the screen and select 1: Image file and Backup files.


The screen below will be displayed




The browse function allows an image file to be selected.  This can either be a DD type image, or a supported backup file, such as a Microsoft MTF file


The drive type actually selects the block size.  For a hard disk, the block size is 512 bytes (or 0x200).  A CD and DVD have 2048 byte blocks.  Optical disks come in several variations, which may be selected.


The Image file is in sections (not yet implemented) will allow for systems that generate files, typically in DVD size sections


Shadow Drive


The shadow drive is a useful feature when a disk has only been partially imaged.  This may be the case for a disk with many failures.  If this option is enabled, a physical drive can be set as a shadow drive.  When the disk image is read, and the sector is determined as unread, or failed, the program will try and read the shadow drive.  If successful, the disk image will be updated,  If unsuccessful, due to a total sector failure, the disk image will be marked to indicate that the sector can not be read.  This process ensures that the drive is not worn out by many sector retries.


Forensic Options


For forensic packages, two other file types will be recognised and processed.


Virtual Disk Format

This is an image format built up in sections - refered to as Grains.  The basic image is a sparse image, so only allocated sectors are saved.


Encase E01

The E01 format is a commonly used name for EWF format (Expert Witness Compression Format).  it has been adopted by Encase and is a standard forensic format.  It consists of one or multiple files, with or withourt compression.  As part of the format, each section has it's own MD5 hash value and so is very secure and any corruption in storage will be detected.


Encrypted Drive

This option should be set to read certain WD encrypted drives - (Forensic only option)