Encase verification errors E01 image, Imaged using Guymager

klllmmm
Newbie
 

Encase verification errors E01 image, Imaged using Guymager

Posted: Dec 15, 19 03:07

Hi there,

I took a disk image using Guymager 0.8 application via CAINE Linux live distro and the verification was successful.

[img]https://1drv.ms/u/s!An03iU493hAgnj-0La5YzBnbmTx_?e=aV31xe[/img]

However, when I verify the image with EnCase (v8.09), it results in differences in the hash values.

[img]https://1drv.ms/u/s!An03iU493hAgnkCAAwY71LsKlBev?e=B5roJd[/img]

Also, at the time I add the evidence, I get the following errors:

[img]https://1drv.ms/u/s!An03iU493hAgnkHdET5xR9nMZH9G?e=EqXxq5[/img]

Errors are:
Error in “Header” : String cannot be longer than 12 characters
Error in “Header” : String cannot be longer than 64 characters
Invalid date Value

I'd appreciate it if someone can tell me why and how to avoid such EnCase verification errors, and why such errors occur when adding the evidence into EnCase.

Thanks

UnallocatedClusters
Senior Member
 

Re: Encase verification errors E01 image, Imaged using Guyma

Posted: Dec 15, 19 20:03

1. Verify the image files using Guymager or another tool. It has been my experience that different tools can generate different MD5 hash values for the same exact evidence source; I have no explanation as to why this occurs but it does.

2. Open the image file with FTK Imager (green plus sign), mount the image file with OSForensics, and see if other tools can open, mount and interact with your image file. If no tool at all can open or mount your original image file, it may have become corrupted.

Our best practice is to create and verify second copies of forensic images on completely separate media, in the event that one drive holding a copy of the forensic image fails. If you have followed this best practice, try to verify, mount and open your second image copy.

Rich2005
Senior Member
 

Re: Encase verification errors E01 image, Imaged using Guyma

Posted: Dec 16, 19 10:45

I was going to type that this is simply a difference between the implementations of the EWF/E01/EXX format. I'm sure I've seen this over the years without it being a problem, as the data still verified despite the incompatibilities in how the tools read the header information.

What I find strange is the fact that you're getting different verification MD5/SHA results. Without referring to manuals, I believe the hashes should be of the data rather than the metadata in the E01, and therefore everything should match, assuming your data is intact.

I'd verify it using another tool (like FTK Imager or X-Ways, if you have that) and see if the MD5/SHA results tally with your original Guymager hashes. If those tools match your original hashes, it would seem to indicate that it's a compatibility problem in EnCase.

If you don't get a match with those tools, I'd verify using Guymager (if possible; I can't remember if you can instruct it to do that), just to check that there hasn't been data corruption subsequent to imaging.

minime2k9
Senior Member
 

Re: Encase verification errors E01 image, Imaged using Guyma

Posted: Dec 16, 19 10:58

We use Guymager for most of our imaging, though we don't use EnCase, and we haven't encountered this problem yet.

Try using EWFverify from the CAINE distribution on the image (Guymager won't let you just verify an image, AFAIK) and check the hashes after that.

I take it the image was created on a hard disk and then that hard disk was transferred to a machine for investigation?

JimC
Senior Member
 

Re: Encase verification errors E01 image, Imaged using Guymager

Posted: Dec 18, 19 09:10

- klllmmm

[img]https://1drv.ms/u/s!An03iU493hAgnkHdET5xR9nMZH9G?e=EqXxq5[/img]

Errors are:
Error in “Header” : String cannot be longer than 12 characters
Error in “Header” : String cannot be longer than 64 characters
Invalid date Value

The EWF / E01 file format is not very well specified, and different products implement it subtly differently. The "header" section of the image file contains case information (case number, examiner name, acquisition dates, etc.). This information is stored in a relatively loose text format. According to Joachim Metz's work, EnCase imposes some limits on how long some of the text fields can be. These limits are not strictly necessary according to the format. I would suspect that Guymager doesn't know this and isn't trying to create an EnCase "compatible" file. You could work around this by using shorter text descriptions when creating the image. See:

github.com/libyal/libe...der_values

Provided the image worked in every other respect, I wouldn't be too concerned about the EnCase errors. However, the different hash values are a different issue and maybe a sign of a more serious problem acquiring/verifying the image.

Jim

www.binarymarkup.com  
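As an added example (not code from this thread, nor from libewf, Guymager or EnCase), a Python pre-check for the kind of header problems JimC describes: over-long text fields and an unparseable date. It assumes the ASCII header layout that Joachim Metz documents for libewf (zlib-compressed text with a tab-separated identifier line and value line, dates as "YYYY M D h m s"); the per-field limits are constructed placeholders, since the thread names 12- and 64-character limits without saying which fields they apply to.

```python
import zlib
from datetime import datetime

# Identifiers used in the ASCII "header" section, per libewf's format
# documentation (assumed here; the thread itself does not list them).
FIELD_NAMES = {
    "c": "case number", "n": "evidence number", "a": "description",
    "e": "examiner name", "t": "notes", "av": "acquisition software version",
    "ov": "acquisition OS version", "m": "acquisition date", "u": "system date",
    "p": "password hash", "r": "reserved",
}

# Constructed placeholder limits: the thread reports 12- and 64-character
# limits without saying which fields they apply to.
EXAMPLE_LIMITS = {"n": 12, "c": 64, "e": 64}


def parse_header_text(text: str) -> dict:
    """Map tab-separated identifiers (line 3) to values (line 4)."""
    lines = text.replace("\r\n", "\n").split("\n")
    ids, values = lines[2].split("\t"), lines[3].split("\t")
    if len(ids) != len(values):
        raise ValueError("identifier/value count mismatch in header")
    return dict(zip(ids, values))


def decompress_header(section_data: bytes) -> dict:
    """The header section body is zlib-compressed text; inflate, then parse."""
    return parse_header_text(zlib.decompress(section_data).decode("ascii"))


def check_header(fields: dict, limits: dict) -> list:
    """Return the problems a strict reader would report for this header."""
    problems = []
    for ident, limit in limits.items():
        value = fields.get(ident, "")
        if len(value) > limit:
            problems.append(f"{FIELD_NAMES.get(ident, ident)} is "
                            f"{len(value)} chars, limit {limit}")
    # Dates are written as "YYYY M D h m s", e.g. "2019 12 15 3 7 0".
    for ident in ("m", "u"):
        try:
            datetime(*map(int, fields[ident].split()))
        except (KeyError, ValueError):
            problems.append(f"{FIELD_NAMES[ident]} is not a valid date")
    return problems


# Constructed sample: an over-long evidence number and an impossible system date.
SAMPLE_HEADER = zlib.compress((
    "1\nmain\nc\tn\ta\te\tt\tav\tov\tm\tu\tp\tr\n"
    "CASE-2019-001\tEVIDENCE-DISK-01-LONG\tLaptop HDD\tExaminer\tImaged via Guymager"
    "\t0.8\tLinux\t2019 12 15 3 7 0\t2019 13 40 0 0 0\t0\tr\n\n").encode("ascii"))
```

Running `check_header(decompress_header(SAMPLE_HEADER), EXAMPLE_LIMITS)` reports the 21-character evidence number and the month-13 system date, the same two classes of complaint the EnCase dialogue shows.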