Virtual File System (VFS)

VFS enables you to mount evidence as a read-only, offline network drive. As such, the mounted volume is available in Windows and can be browsed with Windows Explorer or examined by third-party tools. VFS is no longer a separately purchased module but rather included in EnCase 7, thus providing added functionality with the basic software package.

EnCase treats the unallocated clusters as though they were logical files, and when the evidence volume is mounted, the unallocated clusters are addressable within Windows. As an added bonus, all deleted files and folders are available as well. Figure 10-59 shows an EnCase evidence image that has been mounted using VFS and is then available as a network drive in Windows. The unallocated ...

Get EnCE EnCase Computer Forensics: The Official EnCase Certified Examiner Study Guide, 3rd Edition now with the O’Reilly learning platform.

O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.