Imaging software

Discussion of computer forensics employment and career issues.

farmerdude
Senior Member
 

Re: Imaging software

Post Posted: Feb 12, 06 01:54

Andy,

The EnCase acquisition engine is capable of writing a raw image file format (very much like 'dd' does). I understand the default is E01, but you can elect a raw format. I do not own EnCase so I am unaware of how you select the raw image option, but I can't imagine it's buried too deep?

So, if the program you choose to analyze image files with is EnCase, that is fine, but that doesn't substantiate choosing the proprietary E01 format over the raw format EnCase is capable of producing. Simply select the raw image format.

With regards to compression, the capability for compressing on the fly is there for the raw image format as well, be it 'dd' syntax piped to a compression program, a dcfldd variant, or SMART for Linux. I'll presume Guidance Software would include the capability to compress their raw image format in their acquisition engine as well. Verified?

You don't have to use Linux, nor a 'dd' command or equivalent. Use EnCase and dump to the raw format. Which version of EnCase are you using? Does yours not support writing to the raw format?

From Guidance's site:

"EnCase Linen Utility: The Linen utility is a Linux version of the industry standard DOS-based EnCase acquisition tool. While it performs the same basic function as the DOS version, it overcomes a number of limitations, such as non-Windows operating systems, extremely large hard drives and speed of acquiring data."

Their words, not mine. I hope your agency is aware of these and have protocols in place.

I am not arguing, but your last line "and for the above reasons this proprietary image file format (EnCase) is better for me" I don't feel answers my question, nor does it substantiate writing an E01 versus a raw image.

What you've mentioned is invested money in a product and company, not an image file format. You've made mention of prevalence of Win32 over Linux in your area and others. But again, that has nothing to do with image file formats. What I'm asking for is WHY write an E01 and not a raw image, using that same tool? Additionally, what benefits does the proprietary E01 provide to you?

regards,

farmerdude  
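The "'dd' syntax piped to a compression program" approach mentioned in the post above, shown as an added example that is not part of the original thread. It compresses a raw image on the fly while hashing the uncompressed stream in the same read; the function names and file layout are hypothetical, and the source here is a constructed file standing in for a device.

```shell
#!/bin/sh
# Added example: raw ('dd'-style) acquisition compressed on the fly, with a
# SHA-256 of the uncompressed stream recorded for later verification.
# Function names and file layout are hypothetical.

# acquire_raw_gz SRC OUT.gz  -> writes OUT.gz and OUT.gz.sha256
acquire_raw_gz() (
    src=$1; out=$2
    tmp=$(mktemp -d) || exit 1
    mkfifo "$tmp/stream" || exit 1
    # Hash the raw bytes in the background while the same single read of the
    # source is compressed, so the evidence is read only once.
    sha256sum < "$tmp/stream" | cut -d' ' -f1 > "$out.sha256" &
    dd if="$src" bs=64k 2>/dev/null | tee "$tmp/stream" | gzip -c > "$out"
    wait
    rm -rf "$tmp"
    [ -s "$out.sha256" ]
)

# verify_raw_gz OUT.gz  -> exit 0 only if the decompressed stream still
# matches the hash recorded at acquisition time.
verify_raw_gz() (
    img=$1
    want=$(cat "$img.sha256") || exit 1
    got=$(gzip -dc "$img" 2>/dev/null | sha256sum | cut -d' ' -f1)
    [ "$want" = "$got" ]
)

# Demo on a constructed 300 KB stand-in for a source device.
demo_dir=$(mktemp -d)
head -c 300000 /dev/urandom > "$demo_dir/source.bin"
acquire_raw_gz "$demo_dir/source.bin" "$demo_dir/image.dd.gz"
verify_raw_gz "$demo_dir/image.dd.gz" && echo "image verified"
```

Any tool that reads raw images can consume the result by streaming it back out with `gzip -dc`, which is the portability point being argued in the thread.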
 
  

farmerdude
Senior Member
 

Re: Imaging software

Post Posted: Feb 12, 06 01:59

Uh, where did Andy's post go?!?!

LOL

farmerdude  
 
  

jamie
Site Admin
 

Re: Imaging software

Post Posted: Feb 12, 06 17:42

Is there a missing post, Andy? farmerdude?

Jamie  
 
  

Andy
Senior Member
 

Re: Imaging software

Post Posted: Feb 13, 06 18:48

Ooooh crap .... I accidentally deleted it instead of editing a typo. I was trying to access it from my PDA.

Bugger, it was a long one too... Sorry Thomas, Jamie.

In answer to the question of why I do not use a raw file format with EnCase: it is because it doesn't allow imaging to anything other than an E01 file (versions 3, 4, or 5). It does allow the 'adding' of a raw DD image file into a case.

I guess it's a simple matter of it being quicker to image to the E01 file format using my current setup. I have never yet been asked by any defence expert or other examiner to provide a DD format.

Andy  
 
  

farmerdude
Senior Member
 

Re: Imaging software

Post Posted: Feb 13, 06 22:25

Andy,

Yes, I saw your post and was replying, then POOF - gone! LOL

Well, given the fact that EnCase cannot write an image file to the open format, what does that tell you about the product and company?

Odd, AccessData, Paraben, ASR Data, and even iLook all support multiple image file formats - writing them, including the open/raw format. I wonder why Guidance Software doesn't include write support for the raw format in their product?

Questions still on the table, what benefit does the E01 provide for you? (Versus the detractions I already stated above.) And why would you (anyone) choose a product that locks you in to that single, proprietary format?

regards,

farmerdude  
 
  

Andy
Senior Member
 

Re: Imaging software

Post Posted: Feb 14, 06 13:34

I stand corrected over EnCase not being able to produce a raw image. Apparently it can be done, but it's not a published method. A past post on the Digital Detective forum describes how it's done. The examiner managed to create an exact binary image of the entire physical view in EnCase. So you are quite right in saying it can be done.

Andy  
 
  

youcefb9
Member
 

Re: Imaging software

Post Posted: Feb 14, 06 16:53

If it is not published, how can you be sure it is accurate, and are you willing to use it in a court of law?

If EnCase are not clear enough on this I wouldn't touch it unless I am prepared to get bitten by it.
 
