Why scalpel cannot recover file from E01 file format  

Tony75
(@tony75)
Junior Member

Hi

1) I wonder why the scalpel and foremost tools cannot recover files from the E01 file format (they do not support the E01 file format)?

2) Is it possible to create a Python script to recover jpg files from the E01 file format? If yes, how?
I know that
# Headers for jpeg carving
jpg_Header = b'\xFF\xD8\xFF'
jpg_Footer = b'\xFF\xD9'

Posted : 20/04/2020 2:11 pm
jaclaz
(@jaclaz)
Community Legend

Hi

1) I wonder why the scalpel and foremost tools cannot recover files from the E01 file format (they do not support the E01 file format)?

2) Is it possible to create a Python script to recover jpg files from the E01 file format? If yes, how?
I know that
# Headers for jpeg carving
jpg_Header = b'\xFF\xD8\xFF'
jpg_Footer = b'\xFF\xD9'

The E01 (actually EWF) file format is a compressed format.

Not entirely unlike how you won't be able to carve a jpg header out of a .zip archive.

You need to mount it in uncompressed form or convert it to a dd-like raw image in order to carve it.

jaclaz

Posted : 20/04/2020 2:34 pm
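A worked illustration of the point above, added here as an example; it is not code from this thread, from scalpel/foremost, or from any of the tools mentioned. The constructed sample image, the function names and the chunk-straddling test data are all mine. The carver only needs a `read(n)` method, so it works on a dd-like raw image and, assuming the libewf Python bindings (`pyewf`) are installed, on the decompressed media behind an E01 set. Running it over a zlib-compressed copy of the same bytes stands in for what happens when you point a carver at the EWF container itself: the markers are no longer present byte-for-byte, so there is nothing to latch onto.

```python
import io
import zlib

# Same markers as in the question: JPEG SOI (FF D8 FF) and EOI (FF D9).
JPG_HEADER = b'\xFF\xD8\xFF'
JPG_FOOTER = b'\xFF\xD9'


def carve_jpegs(stream, chunk_size=1 << 20, max_size=32 << 20):
    """Header/footer carve a raw (dd-like) byte stream.

    `stream` only needs a read(n) method. Returns [(offset, data), ...].
    Data is read in chunks and a short tail is carried over, so a header
    or footer that straddles a chunk boundary is still matched. A header
    that is never closed (truncated file, false positive) is dropped.
    """
    hits = []
    buf = bytearray()
    base = 0          # image offset of buf[0]
    start = None      # image offset of the candidate currently being assembled
    scan_from = 0     # index in buf from which the footer search resumes

    def drop(n):
        nonlocal base
        del buf[:n]
        base += n

    while True:
        chunk = stream.read(chunk_size)
        if not chunk:
            break
        buf += chunk
        while True:
            if start is None:
                i = buf.find(JPG_HEADER)
                if i < 0:
                    # No header: keep the last len(header)-1 bytes in case a
                    # header is split across this chunk and the next one.
                    drop(max(0, len(buf) - (len(JPG_HEADER) - 1)))
                    break
                drop(i)
                start = base
                scan_from = len(JPG_HEADER)
            j = buf.find(JPG_FOOTER, scan_from)
            if j < 0:
                if len(buf) > max_size:
                    # Oversized candidate: treat the header as a false positive.
                    start = None
                    drop(len(JPG_HEADER))
                    continue
                # Footer may be split across chunks: back up len(footer)-1 bytes.
                scan_from = max(len(JPG_HEADER), len(buf) - (len(JPG_FOOTER) - 1))
                break
            end = j + len(JPG_FOOTER)
            hits.append((start, bytes(buf[:end])))
            drop(end)
            start = None
    return hits


def open_ewf(path):
    """File-like object over the *decompressed* media of an E01 segment set.

    Assumption: the libewf Python bindings (package `pyewf`) are installed;
    this wrapper is mine, not part of any tool named in the thread.
    pyewf.glob() collects the .E01, .E02, ... segments of one image.
    """
    import pyewf
    handle = pyewf.handle()
    handle.open(pyewf.glob(path))
    return handle


def build_sample_image():
    """Constructed raw image (not real evidence): two JPEG-like blobs, the
    second placed so that both its header and footer straddle a 64-byte
    chunk boundary, plus a truncated header that is never closed."""
    jpeg_a = JPG_HEADER + b'\xE0' + b'A' * 100 + JPG_FOOTER      # offsets 10..115
    jpeg_b = JPG_HEADER + b'\xE1' + b'B' * 189 + JPG_FOOTER      # offsets 126..320
    orphan = JPG_HEADER + b'\xDB' + b'C' * 50                    # header, no footer
    image = b'\x00' * 10 + jpeg_a + b'\x00' * 10 + jpeg_b + b'\x00' * 20 + orphan
    return image, [(10, jpeg_a), (126, jpeg_b)]


def carve_image_bytes(image, chunk_size=1 << 20):
    """Carve an in-memory raw image (stand-in for a dd file or open_ewf())."""
    return carve_jpegs(io.BytesIO(image), chunk_size=chunk_size)


def carve_compressed_stand_in(image, chunk_size=1 << 20):
    """Carve a zlib-compressed copy of the image.

    This is only a stand-in for the deflate-compressed chunks inside an EWF
    container, not an EWF parser: after compression the SOI/EOI markers are
    no longer literally in the stream, so the carve comes back empty.
    """
    return carve_jpegs(io.BytesIO(zlib.compress(image)), chunk_size=chunk_size)


if __name__ == '__main__':
    image, expected = build_sample_image()
    print('raw image hits:       ', [(o, len(d)) for o, d in carve_image_bytes(image, 64)])
    print('compressed image hits:', [(o, len(d)) for o, d in carve_compressed_stand_in(image, 64)])
```

To run it against a real E01, replace `io.BytesIO(image)` with `open_ewf('evidence.E01')` and pass the handle to `carve_jpegs`. Two caveats of this naive header/footer approach: a JPEG with an embedded EXIF thumbnail contains an inner SOI/EOI pair, so the carve stops at the thumbnail's EOI and truncates the outer file; and fragmented files are not reassembled. Both are reasons to prefer existing, tested carvers once the image is accessible in uncompressed form.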
Tony75
(@tony75)
Junior Member

Thanks for your answer
Yes, I usually convert the E01 to dd via FTK Imager and run scalpel or foremost.
When I add my E01 in Autopsy and FTK Imager I could recover most files, not all!
The question is whether it's possible to create a Python script to recover files from E01 programmatically?

Posted : 20/04/2020 6:15 pm
randomaccess
(@randomaccess)
Active Member

Whilst I haven't done it, you can likely use DFVFS to write a python script and then perform file carving. HECFBlog has a whole series on building the functionality to interact with images via DFVFS

Posted : 21/04/2020 1:32 am
jaclaz
(@jaclaz)
Community Legend

The question is whether it's possible to create a Python script to recover files from E01 programmatically?

That is not a question.

Of course it is possible.

How many hours/days/weeks/months/years of experience with python scripting and dealing with E01/EWF images are a basic prerequisite?
and
How long will it take a qualified developer to write such a python script?

are actual questions.

randomaccess correctly mentioned the dfvfs
https://github.com/log2timeline/dfvfs/wiki
which is one way to virtually "mount" an EWF to access the uncompressed contents.

But from that to making a working carver is a loong way IMHO.

Another pointer for you
https://www.forensicfocus.com/Forums/viewtopic/t=15514/

Personally I would rather first try with existing and tested tools.

jaclaz

Posted : 21/04/2020 10:00 am
Tony75
(@tony75)
Junior Member

Thanks randomaccess and jaclaz

Posted : 21/04/2020 12:16 pm