ProDiscover® supports analysis of "dd" images on supported file systems for forensics examiners using UNIX "dd", or the Win32 "dd" port to create physical or logical images.
UNIX style "dd" images can be added to projects. If the "dd" image is split into several images they should be numbered sequentially and all contain a .eve or any other desired file extension. Once the image files are named and numbered correctly a corresponding *.pds file should be created in the following format:
DD-SplitImage
Split0.eve
Split1.eve
Split2.eve
Split3.eve
Split4.eve
Note that all split image file should be split in sizes which are multiples of 512. To add the split "dd" image users should select the split.pds file created above.
To add a UNIX "dd" image:
Ensure your "dd" image has the file extension ".eve".
Launch ProDiscover®.
Select open project tab option.
Select the project file to open and click Open button.
ProDiscover® opens the project file and generates a template report in the work area.
Select the Add Image option from the action menu, or tree-view. Users may also right-click on "Disks", "Images" or "Remote Drives" from Content-view to add a disk, image or remote drive to the project.
ProDiscover® presents the file open dialog.
Select the desired image file and Click Open button.
ProDiscover® then adds the image file to the currently active project.