Introduction

HstEx® provides native support for a number of different source data types such as:

• Forensic image file formats such as EnCase® e01, ex01
• Segmented and monolithic raw image files
• Binary data dumps, memory dumps and mobile phone dumps
• Direct sector access to physical / logical devices

Forensic Recovery Methodology

We are often asked about the best methodology to employ for ensuring as much data is recovered as possible. HstEx® and NetAnalysis® deal with data in different ways and are designed to perform different roles; it is important that both tools are employed in a forensic examination. If you do not use both tools, you will miss evidence! HstEx® was designed for the recovery of deleted data, and data which may not necessarily be resident in live files. To understand the possible locations of data on the file system please see: File System Data Recovery.

Processing a Mounted Image with HstEx

HstEx® has native support for all of the major image file formats. As such, nothing is to be gained by mounting an image and then processing it with HstEx®. In fact, this process has a number of potential flaws and will be extremely slow. The only time you should mount an image and process the physical/logical device is when your image file is in a format not supported by HstEx®. Typically, the processing speed for accessing a supported image directly can be as much as 10 times faster!

Processing Unallocated Space Only

We are often asked whether the recovery should be performed only against unallocated clusters or unallocated space. This is also something we do not recommend. If only the unallocated clusters are processed, this leaves a potentially large area of the original source which may contain vital evidence. It is for this reason that HstEx® processes the entire source as a linear stream searching each sector in turn.

Please see File System Data Recovery for further information about the different areas of the file system which could contain evidence.