| <<< Advanced: Partition Information | Index | Advanced: Removing Recovered Partition >>> |
Follow step-by-step instructions on pages 230-237 of the EnCase student's guide.
In brief, the steps are (example using CBarrow.E01 image):
In Tree view, click Entries -> Home.
In Table view, click Volume Slack.
In Table view, switch to Disk view. You should be looking at PS 3894911.
In Detail view, click Hex -- this displays 512 bytes of the NTFS backup VBR sector of the volume C:
Observe VBR signature "NTFS" at sector offset 3 from the beginning of the sector. Also, observe 55 AA at the end of the sector.
In Table view, switch to Disk view. Move to the next sector, PS 3894912.
Observe again that sector 3894912 conains 55 AA signature at the end of the sector. However, this is not a VBR, because no label such as NTFS, or MSWIN4.0, or MSWIN4.1, or MSDOS5 is present at the beginning of the sector.
Therefore, this is likely a sector that contains an extended partition information.
In detail pain, in hex view of this sector, go to offset 446, and select the 64 bytes of the extended partition table.
Right-click and bookmark the selected extended partition table as Partition Entry bookmark.
Observe the results. The first entry indicates a FAT32 volume beginning at PS 3894975.
Using Table view/Disk view, go to sector PS 3894975.
In Detail view, observe MSWIN4.0 label at the beginning of sector 3894975, as well as 55 AA at the end of the sector.
In Table view, Disk view, right-click on the square of sector PS 3894912, and select Add Partition.
Accept the defaults and rebuild the volume.
| <<< Advanced: Partition Information | Index | Advanced: Removing Recovered Partition >>> |