Why scalpel cannot recover file from E01 file format

6 Posts
3 Users
0 Likes
1,767 Views
(@tony75)
Posts: 33
Eminent Member
Topic starter
 

Hi

1) I wonder why the scalpel and foremost tools cannot recover files from the E01 file format (they do not support the E01 file format)?

2) Is it possible to create a python script to recover jpg files from the E01 file format? If yes, how?
I know that
# Headers for jpeg carving
jpg_Header = b'\xFF\xD8\xFF'
jpg_Footer = b'\xFF\xD9'

 
Posted : 20/04/2020 1:11 pm
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

Hi

1) I wonder why the scalpel and foremost tools cannot recover files from the E01 file format (they do not support the E01 file format)?

2) Is it possible to create a python script to recover jpg files from the E01 file format? If yes, how?
I know that
# Headers for jpeg carving
jpg_Header = b'\xFF\xD8\xFF'
jpg_Footer = b'\xFF\xD9'

The E01 (actually EWF) file format is a compressed format.

Not entirely unlike how you won't be able to carve a jpg header from a .zip archive.

You need to mount it in uncompressed form or convert it to dd-like in order to carve it.

jaclaz

 
Posted : 20/04/2020 1:34 pm
(@tony75)
Posts: 33
Eminent Member
Topic starter
 

Thanks for your answer.
Yes, I usually convert E01 to dd via FTK Imager and run scalpel or foremost.
I added my E01 to Autopsy and FTK Imager; I could recover most files, not all!
The question is whether it's possible to create a python script to recover files from E01 programmatically.

 
Posted : 20/04/2020 5:15 pm
(@randomaccess)
Posts: 385
Reputable Member
 

Whilst I haven't done it, you can likely use DFVFS to write a python script and then perform file carving. HECFBlog has a whole series on building the functionality to interact with images via DFVFS

 
Posted : 21/04/2020 12:32 am
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

The question is whether it's possible to create a python script to recover files from E01 programmatically.

That is not a question.

Of course it is possible.

How many hours/days/weeks/months/years of experience with python scripting and dealing with E01/EWF images are a basic prerequisite?
and
How long will it take a qualified developer to write such a python script?

are actual questions.

randomaccess correctly mentioned the dfvfs
https://github.com/log2timeline/dfvfs/wiki
which is one way to "mount" virtually an EWF to access the uncompressed contents.

But from that to making a working carver is a loong way IMHO.

Another pointer for you
https://www.forensicfocus.com/Forums/viewtopic/t=15514/

Personally I would rather first try with existing and tested tools.

jaclaz

 
Posted : 21/04/2020 9:00 am
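Added example, not written by any of the posters: a minimal JPEG carver built from the header/footer in the first post, run once on a mock E01-style container (one zlib stream per chunk standing in for EWF compression; the real format also carries section headers, CRCs and a chunk table) and once on the expanded stream, which is the "mount or convert to dd" step jaclaz describes. `iter_ewf_chunks` shows the pyewf (libewf binding) calls that do that expansion for a real image; pyewf is assumed installed and the function is not exercised by the sample.

```python
import zlib
JPG_HEADER = b"\xFF\xD8\xFF"  # same signatures the first post starts from
JPG_FOOTER = b"\xFF\xD9"
CHUNK = 32 * 1024  # EWF's default chunk is 64 sectors; used here only by the mock

def carve_jpegs(data, max_size=8 * 1024 * 1024):
    """Return (offset, bytes) for each header..footer run in a raw byte stream.
    Simplification: the first footer after a header closes the file, so an
    embedded EXIF thumbnail (its own FFD8/FFD9) can cut a carve short."""
    found, pos = [], 0
    while True:
        start = data.find(JPG_HEADER, pos)
        if start == -1:
            return found
        end = data.find(JPG_FOOTER, start + len(JPG_HEADER), start + max_size)
        if end == -1:  # no footer within max_size: skip this header
            pos = start + 1
            continue
        end += len(JPG_FOOTER)
        found.append((start, data[start:end]))
        pos = end

def mock_ewf_compress(raw):
    """Stand-in for an E01: one zlib stream per chunk (real EWF also carries
    section headers, CRCs and a chunk table; only the compression matters here)."""
    return [zlib.compress(raw[i:i + CHUNK]) for i in range(0, len(raw), CHUNK)]

def mock_ewf_expand(chunks):
    """The 'mount or convert to dd' step: hand the carver uncompressed bytes."""
    return b"".join(zlib.decompress(c) for c in chunks)

def iter_ewf_chunks(first_segment, size=CHUNK):
    """Real images: libewf's pyewf binding (assumed installed) does the expansion;
    write these blocks to a .dd file and carve that file."""
    import pyewf
    handle = pyewf.handle()
    handle.open(pyewf.glob(first_segment))  # glob collects .E01, .E02, ...
    try:
        while block := handle.read(size):
            yield block
    finally:
        handle.close()
# Constructed sample 'disk': two fake JPEGs between zeroed sectors
RAW_IMAGE = (b"\x00" * 512 + JPG_HEADER + b"\xE0" + b"A" * 300 + JPG_FOOTER
             + b"\x00" * 1024 + JPG_HEADER + b"\xE1" + b"B" * 40 + JPG_FOOTER + b"\x00" * 512)

def demo():
    chunks = mock_ewf_compress(RAW_IMAGE)
    on_container = len(carve_jpegs(b"".join(chunks)))  # what scalpel sees on the .E01
    on_dd = len(carve_jpegs(mock_ewf_expand(chunks)))  # after mounting/converting
    return on_container, on_dd  # (0, 2)
```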
(@tony75)
Posts: 33
Eminent Member
Topic starter
 

Thanks randomaccess and jaclaz

 
Posted : 21/04/2020 11:16 am