Notifications
Clear all

Optimum E01 split  

  RSS
mrmoo28
(@mrmoo28)
New Member

Hi all,

Just wondering if there was an optimum E01 file split size? In a previous company, we were instructed to set the E01 split at 2000/2048MB, however in my current company the standard seems to be to split at 1024MB.

Is there any optimum, or what factors are to be considered when deciding what size to split at? Or…. does it not really make much difference?

Thanks!

Quote
Posted : 06/11/2014 5:20 pm
keydet89
(@keydet89)
Community Legend

Why split at all?

ReplyQuote
Posted : 06/11/2014 5:48 pm
mrmoo28
(@mrmoo28)
New Member

Why split at all?

Good question too - when I worked in eDiscovery in my previous job, we'd be splitting the E01s at acquisition, however when creating an L01 (or AD1 in some cases) for ingest into Nuix for data processing, we would ensure that it wasn't split at all!

Any further comments would be appreciated, just to satisfy my curiosity.

ReplyQuote
Posted : 06/11/2014 6:31 pm
4n6art
(@4n6art)
Active Member

I'm with KeyDet. Why split it?

The split option if I am not mistaken was when we did not have big-b**t flash and hard drives so they could be burned to removable media. If you do not have a specific need to split your E01x I would keep it as one big file.

-=Art=-

ReplyQuote
Posted : 06/11/2014 8:40 pm
mrmoo28
(@mrmoo28)
New Member

Are there overheards then as a result of splitting the files? Say read access in EnCase, would it significantly improve if it's just one large file?

Thanks

ReplyQuote
Posted : 06/11/2014 8:52 pm
keydet89
(@keydet89)
Community Legend

I'm not looking so much at performance/overhead, as simply the reason for splitting files in the first place.

I know that this used to be something that folks would do, particularly LE, as the images would be split into whatever the current serviceable size for CDs or DVDs might be. However, given the cost of storage, I'm not really sure that's much of an issue any longer.

I tend to go with a single raw/dd format file whenever I can, for simplicity sake and because it gives me the greatest possible range of compatibility.

ReplyQuote
Posted : 06/11/2014 10:32 pm
C.R.S.
(@c-r-s)
Active Member

It's handy for any sort of portability using space on smaller hard drives and network transfers which do not support resuming connections.
Let's say your network protocol supports resuming Afterwards, the hash may indicate that your file is broken anyway - a 4 TB image, not one of more than 1.000 split files. The required hashing (file based, not image vs. source, of course) breaks down to individual split files, too.

ReplyQuote
Posted : 06/11/2014 11:12 pm
Share: