.E01 File Hard-drive problems in Federal Criminal Case?
Hello Forum members,
I am working on a federal criminal court case for the defense and the government has provided us with a hard-drive in the disclosure proceedings that shows up as a .E01 file.
We have been unable to open the file using FTK imager software and do not own the Encase Forensic software.
The FTK Imager software will "mount" the .E01 file as a separate drive to the computer, and shows the root file structure, but when trying to open any folders and look into the files the system says we do not have the permission to do so. I and a few other people, one of whom is a Windows programmer, have tried with no success to get past this point on several different machines.
We received the drive with no information on how it was created or how to access the information. My first round of research led me to believe that .E01 was a proprietary format that required the purchase of Encase software at $3600 to access the data but after speaking with Encase a second time, I was told that Encase (or the parent company) created the .E01 file format, but since it has become an "industry standard" other programs like the free FTK Imager should be able to access the files without issue.
Am I correct to believe that .E01 is now a widely used file format with multiple programs existing to create and access these files? Is there any way to tell what software was used in this specific case, so as to give us a better shot of successfully opening it with this same software?
If anyone has encountered similar issues or has any insight into how to get into this drive, that would be great.
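As an added example (not code from this thread, from FTK Imager, or from any other vendor), the script below shows that the question "which tool created this image?" can be answered from the image itself. An .E01 file is an EWF (Expert Witness Format) segment: a 13-byte file header followed by a chain of sections, each with a 76-byte descriptor protected by an Adler-32 checksum. The "header" section holds a zlib-compressed, tab-separated table whose "av" field is the acquisition software version and whose "ov" field is the acquisition operating system. The layout and field names follow the EWF format description published with the libewf project; the sample image the script builds, and every value in it, is constructed here for the demonstration. Real images usually also carry a "header2" section (the same table in UTF-16), which this example does not parse.

```python
"""Read the acquisition tool out of an EWF (.E01) image's 'header' section.

Added example following the EWF format description distributed with libewf.
Not code from the forum thread or from any vendor; the sample image is constructed.
"""
import struct
import zlib

EWF_SIGNATURE = b"EVF\x09\x0d\x0a\xff\x00"   # 8-byte EWF file signature
FILE_HEADER_LEN = 13                          # signature(8) + start(1) + segment(2) + end(2)
SECTION_DESC_LEN = 76                         # type(16) + next(8) + size(8) + pad(40) + crc(4)

# Constructed 'header' table in the EnCase-2 style layout: "1", "main",
# field names, values.  av = acquisition software, ov = acquisition OS.
SAMPLE_HEADER = (
    "1\r\nmain\r\n"
    "c\tn\ta\te\tt\tav\tov\tm\tu\tp\r\n"
    "CASE-0001\tEV-01\tlaptop drive\tJ. Doe\tconstructed sample\t"
    "ExampleAcq 1.2\tWindows 10\t1700000000\t1700000100\t0\r\n\r\n"
)


def build_section(section_type: bytes, data: bytes, offset: int, last: bool = False) -> bytes:
    """Return one section descriptor followed by its data.

    offset is the absolute file offset of this descriptor.  The final 'done'
    section points its next-offset at itself, which is how readers stop."""
    size = SECTION_DESC_LEN + len(data)
    next_offset = offset if last else offset + size
    body = struct.pack("<16sQQ40s", section_type.ljust(16, b"\x00"),
                       next_offset, size, b"\x00" * 40)
    checksum = zlib.adler32(body) & 0xFFFFFFFF     # Adler-32 over the first 72 bytes
    return body + struct.pack("<I", checksum) + data


def build_sample_e01(header_text: str) -> bytes:
    """Construct a minimal single-segment image: file header, 'header', 'done'."""
    image = bytearray(EWF_SIGNATURE + struct.pack("<BHH", 1, 1, 0))  # segment number 1
    image += build_section(b"header", zlib.compress(header_text.encode("ascii")), len(image))
    image += build_section(b"done", b"", len(image), last=True)
    return bytes(image)


def iter_sections(image: bytes):
    """Yield (section_type, data) for every section, verifying each descriptor checksum."""
    if image[:8] != EWF_SIGNATURE:
        raise ValueError("not an EWF file")
    offset = FILE_HEADER_LEN
    seen = set()                      # guards against malformed offset loops
    while offset < len(image) and offset not in seen:
        seen.add(offset)
        desc = image[offset:offset + SECTION_DESC_LEN]
        if len(desc) < SECTION_DESC_LEN:
            raise ValueError("truncated section descriptor")
        stype, next_off, size, _pad, crc = struct.unpack("<16sQQ40sI", desc)
        if zlib.adler32(desc[:72]) & 0xFFFFFFFF != crc:
            raise ValueError(f"bad descriptor checksum at offset {offset}")
        stype = stype.rstrip(b"\x00").decode("ascii")
        yield stype, image[offset + SECTION_DESC_LEN:offset + size]
        if stype == "done" or next_off <= offset:
            break
        offset = next_off


def parse_header_table(text: str) -> dict:
    """Turn the tab-separated 'main' table of a decompressed header into a dict."""
    lines = text.split("\r\n")
    idx = lines.index("main")
    keys = lines[idx + 1].split("\t")
    values = lines[idx + 2].split("\t")
    return dict(zip(keys, values))


def acquisition_info(image: bytes) -> dict:
    """Report which tool and OS produced the image, plus case and examiner fields."""
    for stype, data in iter_sections(image):
        if stype == "header":
            table = parse_header_table(zlib.decompress(data).decode("ascii"))
            return {
                "software_version": table.get("av", ""),
                "os": table.get("ov", ""),
                "examiner": table.get("e", ""),
                "case": table.get("c", ""),
            }
    raise ValueError("no header section found")


if __name__ == "__main__":
    sample = build_sample_e01(SAMPLE_HEADER)
    for key, value in acquisition_info(sample).items():
        print(f"{key}: {value}")
```

To use it on a real image, read the first segment file in binary and pass the bytes to acquisition_info; a checksum failure on the very first descriptor is the quickest sign that the file you were given is not a plain EWF segment (or was truncated in transit), which is worth knowing before spending more time on mounting tools.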
What mount method in FTK Imager are you using? If you haven't tried already, try mounting the image as "File System / Read Only" rather than "Block Device / Read Only".
The FTK Imager software will "mount" the .E01 file as a separate drive to the computer, and shows the root file structure, but when trying to open any folders and look into the files the system says we do not have the permission to do so.
You should have said exactly how you attached the image. Did you use 'Add Evidence' or 'Image Mounting'?
I suspect the latter. In this case, FTK will basically hand it over to Windows, which will then proceed to apply all the usual access restrictions as if it was a normal hard drive. And if the volume doesn't allow access from unknown users – basically, your Windows user is not one of those that used to access the file in the original computer. So … just as you do with foreign NTFS volumes, you take ownership of all the files/directories in order to bypass that. (You need to be admin for that. And you need to take the usual precautions, of course.) You can check this by using Isobuster to access the image file (though I don't offhand remember if it is possible to do in the free version, or if you need to buy a license.)
You should also be able to open it as evidence (Add Evidence); FTK will then bypass all those access restrictions and show you the information as FTK provides it. However, this way you can't use Windows tools to examine image contents.
You can also use other tools that both mount the image and bypass access restrictions. The Arsenal tool has already been mentioned; there's also Mount Image Pro and other commercial offerings – don't discount the possibility of getting a support line. It can be worth many times the license costs.
Step 1: Download and install Autopsy / The Sleuth Kit: http://www.sleuthkit.org/autopsy/download.php
Step 2: Create a new case in Autopsy, add the E01 file to the newly created case, and wait until Autopsy has processed and indexed the E01 file.
Autopsy / The Sleuth Kit is a free-to-use forensic analysis tool which will allow you to perform keyword searches and other analysis of the E01 file you were provided with.
HINTS: You will want to install Autopsy to your "C" drive, but create the new case on a hard drive separate and distinct from your "C" drive. For example, you could purchase an external USB 3.0 drive (not 2.0!!!), plug the newly purchased drive into your computer running Autopsy, and then create the new Autopsy case on the newly purchased drive.
Ideally, your E01 forensic image file will reside on a third hard drive connected to your computer running Autopsy; separating your "C" drive from the drive holding the Autopsy database and the drive holding the E01 file will vastly speed up the entire process.
DRIVE #1 "C" Drive - holds your Windows operating system and Autopsy installed program
DRIVE #2 "E" Drive - holds your Autopsy database
DRIVE #3 "F" Drive - holds your E01 evidence file.
Thanks for all your replies, this is extremely helpful moving forward.
Athulin - Yes you are correct, I tried to access it through "Image Mounting" and your explanation of what's going on here makes perfect sense.
I'm going to also play around with Arsenal and The Sleuth Kit. This is a first for us, and since we are short-staffed and don't have any budget for a trained forensic analyzer to help out, it is very welcome news to know that there are multiple software options out there that don't require us to buy Encase!
You can also convert the .E01 to a RAW image (for example using the FTK Imager that you already have).
Of course the NTFS permission issues will remain the same; depending on your needs, however, you can use a number of software tools to extract files without changing permissions (which would alter the image).
Converting the image is optional, but it gives you more software to choose from, as *every* related tool supports RAW images, while only a subset support the .E01 format.