Hi
1) I wonder why scalpel and foremost tools cannot recover files from the E01 file format (they do not support the E01 file format)?
2) Is it possible to create a python script to recover jpg files from the E01 file format? If yes, how?
I know that
# Headers for jpeg carving
jpg_Header = b'\xFF\xD8\xFF'
jpg_Footer = b'\xFF\xD9'
The E01 (actually EWF) file format is a compressed format.
Not entirely unlike you won't be able to carve a jpg header from a .zip archive.
You need to mount it in uncompressed form or convert it to dd-like in order to carve it.
jaclaz
Thanks for your answer
Yes, I usually convert E01 to dd via FTK Imager and run scalpel or foremost.
I add my E01 in Autopsy and FTK Imager; I could recover most files, not all!
The question is it’s possible to create python to recover files from E01 programmatically?
Whilst I haven't done it, you can likely use DFVFS to write a python script and then perform file carving. HECFBlog has a whole series on building the functionality to interact with images via DFVFS.
The question is it’s possible to create python to recover files from E01 programmatically?
That is not a question.
Of course it is possible.
How many hours/days/weeks/months/years of experience with python scripting and dealing with E01/EWF images are a basic prerequisite?
and
How long will it take to write such a python script to a qualified developer?
are actual questions.
randomaccess correctly mentioned the dfvfs
https://
which is one way to "mount" virtually an EWF to access the uncompressed contents.
But from that to making a working carver is a loong way IMHO.
Another pointer for you
https://www.forensicfocus.com/Forums/viewtopic/t=15514/
Personally I would rather first try with existing and tested tools.
jaclaz
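The two points made in the replies above, as an added example that is not code from anyone in this thread: signature carving finds nothing in compressed bytes, and works once the same bytes are read uncompressed. Assumptions: zlib stands in for the compressed container, the sample "disk" is constructed, and `carve_jpegs` and `build_sample` are hypothetical names; for a real E01 the stream passed to `carve_jpegs` would be a file-like object from a library that exposes the uncompressed media (for example via dfvfs), which is not shown here.

```python
import io
import zlib

JPG_HEADER = b"\xFF\xD8\xFF"    # same signatures as in the question
JPG_FOOTER = b"\xFF\xD9"
MAX_JPG = 20 * 1024 * 1024      # assumed cap on one carved file


def carve_jpegs(stream, chunk_size=1 << 20, max_size=MAX_JPG):
    """Return [(offset, bytes)] for header..footer runs in a seekable stream of
    UNCOMPRESSED media bytes (a dd image, or a file-like view of an E01)."""
    found, pos, skip_to = [], 0, 0
    overlap = len(JPG_HEADER) - 1           # catch headers split across chunks
    while True:
        start = max(pos - overlap, 0)
        stream.seek(start)
        window = stream.read(chunk_size + pos - start)
        if len(window) <= pos - start:      # nothing new was read: end of image
            return found
        idx = window.find(JPG_HEADER)
        while idx != -1:
            offset = start + idx
            if offset >= skip_to:           # skip headers inside a carved file
                stream.seek(offset)
                candidate = stream.read(max_size)
                end = candidate.find(JPG_FOOTER, len(JPG_HEADER))
                if end != -1:
                    data = candidate[:end + len(JPG_FOOTER)]
                    found.append((offset, data))
                    skip_to = offset + len(data)
            idx = window.find(JPG_HEADER, idx + 1)
        pos = start + len(window)


def build_sample():
    """Constructed test data: a fake 'disk' holding two tiny fake JPEGs."""
    jpg1 = JPG_HEADER + b"\xE0" + b"A" * 64 + JPG_FOOTER
    jpg2 = JPG_HEADER + b"\xE1" + b"B" * 32 + JPG_FOOTER
    raw = b"\x00" * 1022 + jpg1 + b"\x11" * 500 + jpg2 + b"\x00" * 100
    return raw, jpg1, jpg2


if __name__ == "__main__":
    raw, _, _ = build_sample()
    packed = zlib.compress(raw)             # stand-in for the compressed container
    print("carved from compressed bytes:", len(carve_jpegs(io.BytesIO(packed))))
    for off, data in carve_jpegs(io.BytesIO(raw), chunk_size=1024):
        print(f"offset {off}: {len(data)} bytes")
```

Stopping at the first footer truncates JPEGs that embed a thumbnail, and fragmented files are not reassembled, which is part of why the tested tools are the better first choice.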
Thanks randomaccess and jaclaz