How to Restore Evidence with EnCase® Versions 4 and 5
EnCase allows an investigator to restore evidence files to prepared media. An investigator might do this to see the Subject’s environment as the Subject himself saw the media. Restoring media, however, can be challenging. Read this page carefully before attempting your first restore.
Alert!: DO NOT boot up the Subject’s drive! Do not boot up your forensic hard drive with the Subject drive attached! You already have an image of the Subject’s hard drive. There is no need to touch the original media at all. Remember, it is still evidence!
Physical vs. Logical Restore
EnCase allows the investigator to restore either a logical volume or a physical drive.
- A logical volume does not contain the Master Boot Record (MBR) or the Unused Disk Space.
- A physical drive contains the Master Boot Record and the Unused Disk Space. The Unused Disk Space, however, is typically not accessible to the user.
Most often, when complying with discovery issues, one must perform a physical restore, not a logical one. Logical restores are less desirable as they cannot be verified as an exact copy of the Subject media. When a drive is restored for the purposes of booting the Subject machine, a physical restore is the correct choice.
Whether restoring a drive physically or logically, restore the evidence files to a drive slightly bigger than the original Subject hard drive. For example, if restoring a 2-gig hard drive image, restore the image to a 2 to 4-gig hard drive. Restoring media to a drive that is substantially bigger than the Subject media can prevent the restored clone from booting at all, possibly defeating the purpose of the restore.
Preparing the Target Media
Preparation of the Target media (the media to which the image is going to be restored) is essential for a forensically sound restore. Whether restoring logically or physically, prepare the Target media as follows:
- The Target media must be wiped.
- For logical restores, the Target media must be partitioned and formatted with the same file system as the volume to be restored: FAT32 to FAT32, NTFS to NTFS, etc.
- For physical restores, partition or format the hard drive, then bring up EnCase and restore the image, physically, to the Target media.
Physical Restore
Restoring a physical drive means that EnCase will copy everything, sector-by-sector, to the prepared Target drive, thereby creating an exact copy of the Subject drive. The Target drive should be 2 to 4 gigabytes larger than the Subject's hard drive. When EnCase completes the restore it will provide the hash values verifying that the lab drive is an exact copy of the Subject drive. If a separate, independent MD5 hash of the lab drive is run, be certain to compute the hash over only the exact number of sectors included on the Subject's drive; otherwise the extra sectors on the larger Target drive will be included and the MD5 hash will not match.
Following good forensic practices, wipe target hard drives before restoring images to them. EnCase will overwrite any data on the target hard drive with the data from the image, and you can opt to overwrite the remaining sectors (the unused portion of the drive) with any hex character of your choice (00 hex being the default).
To restore a drive, physically:
- Right-click on the evidence file icon under the Cases tab in v4 or the Entries Tab in v5 and select Restore… from the pop-up menu.
(Screenshots, v5 and v4: right-click for menu, left-click for command.)
- Select the destination drive from the list of possible destination devices to restore the physical disk to. Click NEXT.
(Screenshot: you can only restore locally.)
- Select the drive to restore the image to. EnCase does not allow the investigator to restore to Drive 0 as this is typically the drive the operating system is installed on. If your operating system is running on a separate SCSI drive, EnCase will still not allow you to restore to IDE 0. If your prepared Target media is Drive 0, another drive will have to be added to the system (as a Master) to hold the restored image. Select the drive to restore the image to and click NEXT.
(Screenshot: select the local media to restore to.)
- Target hard drives should be larger than the original Subject hard drive. Therefore, the restored data will never address all sectors on the Target hard drive. EnCase can wipe the remaining sectors of the Target hard drive after the actual data from the evidence file is restored. Wiping remaining sectors is recommended.
EnCase can also run a verify on the restored sectors to confirm that it is indeed a sector-by-sector copy of the original Subject media. Again, we recommend that you leave this checked.
(Screenshot: restore options.)
Sometimes the Convert Drive Geometry option is grayed-out, other times not. This depends entirely on the drive geometry of the original drive compared with that of the restore drive. Drive geometries are of certain "types": every drive has Cylinders-Heads-Sectors (CHS) geometry information. If the Heads and Sectors of the original imaged drive are identical to those of the Target restore drive, then the drives are of the same "type" and the "Convert Drive Geometry" check-box will not be available. If the drives are of different types (that is, the heads-sectors settings differ), then the "Convert Drive Geometry" check-box will be available.
For physical restores, check the Convert Drive Geometry check-box if it is available.
Click FINISH when done.
- EnCase forces you to confirm that you want to restore to the designated drive. Type YES in the field then click the YES button.
(Screenshot: the final confirmation.)
The physical restore begins. When the restore is finished, a verification message is displayed showing such information as any read or write errors and the hash values for both the evidence file and the restored drive. They should match.
If the hash values from the restore do not match, restore the evidence file again following the procedures above. It might be necessary to swap the Target media for correct results.
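As an added illustration (not part of the original article and not EnCase code), the following Python performs the two checks described above on a restored drive: it hashes only the exact number of sectors the Subject drive had, so the MD5 matches the evidence file's hash even though the Target drive is larger, and it confirms that the remaining sectors were wiped to the chosen fill byte. The 512-byte sector size, the function names and the 4-sector sample target are assumptions constructed for this example.

```python
import hashlib
import io

SECTOR_SIZE = 512  # assumed bytes per sector for this example

def md5_of_sectors(dev, sector_count, chunk_sectors=2048):
    """MD5 over exactly `sector_count` sectors from the start of file-like `dev`."""
    # Reading past this point (into the wiped tail of a larger Target) changes the digest.
    dev.seek(0)
    digest = hashlib.md5()
    remaining = sector_count * SECTOR_SIZE
    while remaining:
        chunk = dev.read(min(remaining, chunk_sectors * SECTOR_SIZE))
        if not chunk:
            raise IOError("Target is shorter than the Subject's sector count")
        digest.update(chunk)
        remaining -= len(chunk)
    return digest.hexdigest()

def residual_is_wiped(dev, sector_count, fill=0x00, chunk_sectors=2048):
    """True if every byte after the restored sectors equals the wipe value `fill`."""
    dev.seek(sector_count * SECTOR_SIZE)
    pattern = bytes([fill]) * (chunk_sectors * SECTOR_SIZE)
    while True:
        chunk = dev.read(chunk_sectors * SECTOR_SIZE)
        if not chunk:
            return True
        if chunk != pattern[:len(chunk)]:
            return False

def verify_restore(dev, evidence_md5, sector_count, fill=0x00):
    """Compare the restored drive with the evidence hash and check the wiped tail."""
    return {
        "hash_match": md5_of_sectors(dev, sector_count).lower() == evidence_md5.lower(),
        "residual_wiped": residual_is_wiped(dev, sector_count, fill),
    }

def open_target(data):
    """Stand-in for opening the restored drive; real use opens the block device read-only."""
    return io.BytesIO(data)

# Constructed sample: a 4-sector "Subject drive" restored onto an 8-sector Target
# whose 4 unaddressed sectors were wiped to 00 hex (the EnCase default).
SUBJECT = bytes(range(256)) * 8                  # 2048 bytes = 4 sectors
TARGET = SUBJECT + b"\x00" * (4 * SECTOR_SIZE)
EVIDENCE_MD5 = hashlib.md5(SUBJECT).hexdigest()  # hash the evidence file would carry

if __name__ == "__main__":
    print(verify_restore(open_target(TARGET), EVIDENCE_MD5, 4))
    print(md5_of_sectors(open_target(TARGET), 8) == EVIDENCE_MD5)  # False: wrong sector count
```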
Logical Restore
Restoring a logical volume requires different preparation. Media have different "types" depending on the CHS (cylinders-heads-sectors) information. The same type might have different "cylinders" settings, but their heads and sectors information (the HS in CHS) will be the same. If the heads-sectors information is different, then you have media of a different type and should find another target restore hard drive. A logical volume must be restored to a volume of the same size, or larger, and of the same type.
To prepare for a logical restore, the Target media should be wiped, partitioned, and formatted prior to restore. Format the Target drive with the same file-type system as the volume to be restored: FAT32 to FAT32, NTFS to NTFS, etc.
To restore a drive, logically:
- Select the logical volume you want to restore beneath the Cases tab in v4 or the Entries tab in v5. Right-click on it and choose RESTORE DRIVE... from the pop-up menu. A dialog box will appear.
(Screenshots, v5 and v4: you can only restore locally.)
- Highlight "Local Drives" to restore to. Click NEXT.
- You will see a list of drives you are able to restore the logical volume to. Blue-Check the appropriate drive and click NEXT.
(Screenshot: select the local media to restore to.)
- The restore options are similar to the physical restore screen above. Click FINISH.
(Screenshot: restore options.)
- Type "YES" to confirm the restore. A status bar will display the progress of the restore.
When the logical restore is finished, a confirmation message will be displayed. The computer must be restarted to allow the restored volume to be recognized. Note that the restored volume contains only the information that was inside the selected partition.
Booting the Restored Hard Drive
Once the restore has finished with no errors, remove the Target hard drive from the storage system and place it into a test system. Switch the power on. Depending on what operating system the Subject ran, the test system should now boot up exactly as the Subject computer did.
There are quite a few difficulties that can occur at this stage of the investigation. The most common is that the clone of the Subject drive will not boot. Before trying anything else, check the restored disk using FDisk and verify it is set as an Active drive. If not, set the drive as Active and this should enable it to boot. Otherwise, go to the Troubleshooting chapter of this manual.
Note: NTFS is a complicated file-structure and might not boot in any computer. If the Subject computer is still available, replace the Subject hard drive with the restored clone and try to boot the clone from this system.