

How to Restore Evidence with EnCase® Version 3

Physical vs. Logical

EnCase® allows the investigator to restore either a logical volume or a physical drive. The two processes are entirely different. Most often, when complying with discovery requests, one must perform a physical restore, not a logical one. Logical restores are less desirable because the result cannot be verified as an exact copy of the Subject media. When a drive is restored so that the Subject machine can be booted from it, which is sometimes desirable, a physical restore is the correct choice.

Physical Restore

Restoring a physical drive means that EnCase® copies everything, sector by sector, to the lab drive, thereby creating an exact copy of the Subject drive. The lab drive must be at least as large as the Subject's hard drive. When EnCase® completes the restore it provides the hash values verifying that the lab drive is an exact copy of the Subject drive. If a separate, independent MD5 hash of the lab drive is run, be certain to compute the hash over only the exact number of sectors on the Subject's drive; hashing the whole lab drive, including the unused sectors beyond the end of the image, produces a different value even when the restore is correct.

Following good forensic practice, wipe the target hard drive before restoring an image to it. EnCase® overwrites any data on the target drive with the data from the image, and you can opt to overwrite the remaining sectors (the unused portion of the drive) with any hex character of your choice (00 hex is the default), so a prior wipe is strictly redundant. Wiping first nonetheless guarantees that no data from a previous case remains on the drive regardless of how the restore options are set. Better safe than sorry.
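The sector-limited hash the paragraphs above call for, together with a check that the unused remainder really holds the fill byte, as an added Python example. This is not code from the original article or from EnCase®; the sample "evidence" and lab drive are constructed in memory, SAMPLE_MD5 stands in for the acquisition hash EnCase® reports, and the device path in the trailing comment is an assumption for illustration.

```python
"""Independent verification of an EnCase physical restore: hash only the evidence's
sector range on the lab drive, and confirm the unused remainder holds the fill byte."""
import hashlib
import io

SECTOR_SIZE = 512            # bytes per sector; EnCase sector counts assume this size
CHUNK = 2048 * SECTOR_SIZE   # 1 MiB reads, so a whole drive is never held in memory


def hash_sectors(fileobj, sector_count, algorithm="md5"):
    """Hash exactly sector_count sectors from the start of fileobj (a raw device or image)."""
    h = hashlib.new(algorithm)
    remaining = sector_count * SECTOR_SIZE
    fileobj.seek(0)
    while remaining:
        data = fileobj.read(min(remaining, CHUNK))
        if not data:  # lab drive smaller than the evidence: the restore cannot have been complete
            raise ValueError(f"target ended with {remaining} bytes of the evidence range unread")
        h.update(data)
        remaining -= len(data)
    return h.hexdigest()


def remainder_is_filled(fileobj, sector_count, fill_byte=0x00):
    """True if every byte beyond the restored sectors equals fill_byte (the wipe option's character)."""
    fileobj.seek(sector_count * SECTOR_SIZE)
    while True:
        data = fileobj.read(CHUNK)
        if not data:
            return True
        if data != bytes([fill_byte]) * len(data):
            return False


def verify_restore(target, sector_count, expected_md5, fill_byte=0x00):
    """Compare the lab drive against the hash EnCase reported, over the evidence's sectors only."""
    restored_md5 = hash_sectors(target, sector_count)
    return {
        "expected_md5": expected_md5,
        "restored_md5": restored_md5,
        "match": restored_md5 == expected_md5,
        "remainder_filled": remainder_is_filled(target, sector_count, fill_byte),
    }


# Constructed sample (not real evidence): 8 sectors of "evidence" restored onto a
# 12-sector lab drive whose 4 unused sectors were filled with 00 hex.
SAMPLE_EVIDENCE = bytes(range(256)) * 16                 # 4096 bytes = 8 sectors
SAMPLE_SECTORS = len(SAMPLE_EVIDENCE) // SECTOR_SIZE
SAMPLE_MD5 = hashlib.md5(SAMPLE_EVIDENCE).hexdigest()    # stands in for the hash EnCase reported
SAMPLE_TARGET = SAMPLE_EVIDENCE + b"\x00" * (4 * SECTOR_SIZE)


def check_bytes(target_bytes, sector_count=SAMPLE_SECTORS, expected_md5=SAMPLE_MD5, fill_byte=0x00):
    """Run verify_restore on an in-memory lab drive; also hash the whole drive to show why that misleads."""
    result = verify_restore(io.BytesIO(target_bytes), sector_count, expected_md5, fill_byte)
    result["whole_drive_md5"] = hashlib.md5(target_bytes).hexdigest()  # differs from restored_md5
    return result


if __name__ == "__main__":
    for key, value in check_bytes(SAMPLE_TARGET).items():
        print(f"{key}: {value}")
    # On a real lab drive (the path is an assumption), with the sector count and MD5
    # taken from the EnCase verification message:
    # with open("/dev/sdb", "rb") as lab:
    #     print(verify_restore(lab, sector_count_from_encase, md5_from_encase, 0x00))
```

From a Linux shell the equivalent sector-limited hash is `dd if=/dev/sdb bs=512 count=N | md5sum`, with N the sector count EnCase® reports; running `md5sum /dev/sdb` directly gives a different value because it also covers the wiped remainder.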

To restore a drive, physically:

1) Right-click on the evidence file icon under the Case view within EnCase® and select "Restore Drive..." from the pop-up menu.

2) You will be presented with a list of possible destinations to restore the physical disk to. For our example, we'll select "Local Devices". Notice that "Physical Disks" is already checked for you. Hit NEXT.

3) You will be presented with a list of drives that are available to restore to. EnCase® does not allow the investigator to restore the image to the drive that the operating system is running on. Select the drive to restore the image to, and hit NEXT.

4) This screen gives you several options. First, whether you want to wipe the remaining sectors on the target hard drive with a hex character. We recommend that you leave this checked.

EnCase® can also run a verify on the restored sectors to confirm that it is indeed a sector-by-sector copy of the original Subject media. Again, we recommend that you leave this checked.

Sometimes the Convert Drive Geometry option is greyed out, other times not. Whether it is available depends entirely on the drive geometry of the original drive versus that of the restore drive. Every drive has Cylinders-Heads-Sectors (CHS) geometry information, and drives fall into "types" according to it. If the Heads and Sectors values of the original drive imaged are identical to those of the target restore drive, then the drives are of the same type and the Convert Drive Geometry check-box will not be available. If the drives are of different types (that is, their heads and sectors values differ), then the check-box will be available.

For physical restores, you will want to check the Convert Drive Geometry check-box if it is available.

Lastly, EnCase® fills in the Subject hard drive's sector range in the last two fields, its starting sector and its last sector. These tell EnCase® where on the target hard drive to begin and finish restoring the image. You will most likely go with the defaults for these fields.

Hit FINISH when done.

5) EnCase® forces you to confirm that you want to restore to the designated drive. Type YES in the field then hit the YES button.

The physical restore begins. A status bar on the EnCase® screen shows its progress. When the restore is finished, EnCase® displays a verification message showing any read or write errors and the hash values for both the evidence file and the restored drive. The two hash values should match; if they do not, or if read or write errors are reported, the lab drive is not a verified copy and the restore should be repeated (after checking the target drive) before it is relied upon.

Logical Restore

Restoring a logical volume requires different preparation. Media are of different "types" depending on their CHS (cylinders-heads-sectors) information. Media of the same type may have different cylinder counts, but their heads and sectors values (the HS in CHS) will be the same. If the heads-sectors values differ, the media are of different types and you should find another target restore hard drive. A logical volume must be restored to a volume of the same size or larger, and of the same type.

To prepare for a logical restore, the target media should be wiped, FDISKed, partitioned, and formatted before the restore. Format it with the same file system as the evidence file volume you are about to restore: FAT32 to FAT32, NTFS to NTFS, and so on.

To restore a drive, logically:

1) Select the logical volume you want to restore beneath the Case tab. Right-click on it and choose RESTORE DRIVE... from the pop-up menu. The Restore Drive dialogue box will appear.

2) Again we will choose "Local Devices" to restore to. "Volumes" is checked by default. Hit the NEXT button.

3) You will see a list of drives to which you can restore the logical volume. Notice that you can restore to your own C: drive, so be careful! Hit NEXT when you have made your selection.

4) This screen is similar to the physical restore screen above. You can most likely go with all the defaults on this screen. Hit FINISH.

5) You will have to type "YES" to confirm the restore. A status bar will display the progress of the restore.

When the logical restore is finished, a confirmation message is displayed. The computer must be restarted for the restored volume to be recognized. Note that the restored volume contains only the information that was inside the selected partition, which is why a logical restore cannot be verified as an exact copy of the Subject media (see Physical vs. Logical above).



 

© 2002-2007 Guidance Software, Inc. All Rights Reserved.