
AccessData FTK Imager raw image format extension.

5 Posts
4 Users
0 Reactions
14.6 K Views
(@chriskincaid)
Active Member
Joined: 9 years ago
Posts: 5
Topic starter  

I think this is a simple question, I am not getting anything from Google searches about it though.

Are .001 and .dd files the same thing? When I use FTK Imager to convert a .E01 file into a RAW file in order to use it in other applications it gives it the .001 file extension. I thought this should be .dd. Can I just manually change the file extension from .001 to .dd?

Below is the FTK Imager report in case any of that info is important to the question.

Case Information
Acquired using ADI4.1.1.1
Case Number CIS445-Final
Evidence Number 001-pc
Unique Description
Examiner Chris Kincaid
Notes

————————————————————–

Information for D:\EncaseFiles002\final problem\RAW002\cfreds_2015_data_leakage_pc

Physical Evidentiary Item (Source) Information
[Device Info]
Source Type Physical
[Verification Hashes]
MD5 verification hash a49d1254c873808c58e6f1bcd60b5bde
SHA1 verification hash afe5c9ab487bd47a8a9856b1371c2384d44fd785
[Drive Geometry]
Bytes per Sector 512
Sector Count 41,943,040
[Image]
Image Type E01
Case number 0x11
Evidence number 0x01
Examiner dForensics_Team
Notes data_leakage_case
Acquired on OS Windows 7
Acquired using 7.10
Acquire date 4/23/2015 10:58:22 AM
System date 4/23/2015 10:58:21 AM
Unique description cfreds_2015_data_leakage_pc
Source data size 20480 MB
Sector count 41943040
[Computed Hashes]
MD5 checksum a49d1254c873808c58e6f1bcd60b5bde
SHA1 checksum afe5c9ab487bd47a8a9856b1371c2384d44fd785

Image Information
Acquisition started Sat Dec 8 17:46:41 2018
Acquisition finished Sat Dec 8 17:56:20 2018
Segment list
D:\EncaseFiles002\final problem\RAW002\cfreds_2015_data_leakage_pc.001


(@Anonymous 6593)
Guest
Joined: 17 years ago
Posts: 1158
 

When I use FTK Imager to convert a .E01 file into a RAW file in order to use it in other applications it gives it the .001 file extension. I thought this should be .dd.

'Raw (dd)' is the Destination Image Type. The extension used for those images is .001, .002, .003, … and so on, depending on the Image Fragment Size.

FTK Imager is not at all confident about file names and file name extensions. If you give the destination image the same file name (excluding extension) as a file in the same catalogue, you'll get a warning that you may overwrite a file in the destination directory. That is, the tool that should know if that happens or not only tells you that it may happen. And nowhere in the dialogue box sequence does it tell you what file name extension will be used. Very irritating.

Can I just manually change the file extension from .001 to .dd.

Sure. (Added: If you have any kind of paper trail saying that xxx.001 was your output file, you better keep that extension. Or you add your own trail piece that says that you have renamed it. Otherwise the absence of a .001 file and the presence of a .dd file might be considered suspicious.)


(@chriskincaid)
Active Member
Joined: 9 years ago
Posts: 5
Topic starter  

Re-reading my question, I feel I need to explain that I totally understand a file extension and a format are not the same thing. I was concerned that .001 and .dd were actually indicators of different RAW formats, but after some reading and some poking around figured out they appear to be the same thing. One is more Windows, and the other is more Linux, but they both may show up in either.

Sure. (Added: If you have any kind of paper trail saying that xxx.001 was your output file, you better keep that extension. Or you add your own trail piece that says that you have renamed it. Otherwise the absence of a .001 file and the presence of a .dd file might be considered suspicious.)

This being a popular assignment given in forensic classes, I was able to find an exact copy online and download it on my forensic system. It had the .dd extension. Because it is a large file, I was also having trouble moving it over the internet as I am having to work from home and log in to my system through TeamViewer.

Searching Google for your evidence file would obviously never be a solution in a real world situation. My paper trail is also make-believe, so I have the freedom to write it as I like without any real implications. I do hope to do this type of work in the real world someday very soon, so I seriously appreciate the paperwork trail comment. That is obviously extremely important, and is just as obviously not being considered enough in my course setting. We do not even have a chain of custody log or anything.

Thank you for the reply!


jaclaz
(@jaclaz)
Illustrious Member
Joined: 18 years ago
Posts: 5133
 

They are the same, there is no such thing as more windows/linux and a RAW image is not a brand's (AccessData) property.

Exactly :D

And I would add how specifically RAW is not a "format"; on the contrary, it is essentially a non-format: a RAW image represents, byte by byte, the contents of *whatever* was imaged.

It could be a floppy, or a whole hard disk or only a volume/partition but - besides the source device nature - its contents may be *anything*.

I.e. normally a whole hard disk image has as first sector either a MBR code and a partition table or a 00ed code and a single protective MBR entry (GPT disk) both terminated by last bytes 55AA.

As well, an image of a floppy or of a volume/partition would normally as well have as first sector a bootsector (or PBR/VBR) as well terminated by last bytes 55AA.

But nothing prevents you from directly writing, starting from LBA0, the whole Bible or the commented works of Shakespeare[1] on a hard disk.

When you examine the RAW image of that disk, it won't be recognized by *any* automagical tool; opening it in a hex editor may help you understand what the contents are.

jaclaz

[1] which

That which we call a rose. By any other name would smell as sweet.

could well be paraphrased

That which we give an extension of .dd or .001 or .mickeymouse. By any other extension remains a RAW image (if it is a RAW image).
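
Added example (not jaclaz's code or anything from the thread) of the "look at the first sector yourself" point above: the script reads the 0x55 0xAA signature at bytes 510-511 of a RAW image and the partition type byte of the first MBR entry (offset 450, 0xEE for a GPT protective MBR), and tells the three cases apart. The function names, the sample images (built from zeros and a few bytes, not real evidence) and the fact that only the first entry is inspected are assumptions of this example.

```shell
#!/bin/sh
# Classify the first sector of a RAW image by the markers discussed above:
# the 0x55 0xAA signature at bytes 510-511 and the partition type byte of
# the first MBR partition entry (offset 0x1C2 = 450, 0xEE = GPT protective).
# Helper names (byte_at, classify_first_sector, make_samples) are assumptions
# of this example, not tool or thread conventions.

# byte_at IMAGE OFFSET -> prints the byte at OFFSET as two lowercase hex digits
byte_at() {
    od -An -tx1 -j "$2" -N 1 "$1" | tr -d ' \n'
}

# classify_first_sector IMAGE -> prints one of:
#   gpt-protective-mbr | mbr-or-boot-sector | no-signature
# Returns 1 if the image cannot be read.
classify_first_sector() {
    image=$1
    [ -r "$image" ] || { echo "unreadable" >&2; return 1; }
    sig="$(byte_at "$image" 510)$(byte_at "$image" 511)"
    if [ "$sig" != "55aa" ]; then
        # No signature: raw data written from LBA0, a wiped device, or
        # something automatic tools will not recognise; use a hex editor.
        echo "no-signature"
        return 0
    fi
    ptype=$(byte_at "$image" 450)
    if [ "$ptype" = "ee" ]; then
        echo "gpt-protective-mbr"
    else
        # Either a classic MBR with a partition table or the boot sector
        # (PBR/VBR) of a volume image; both end in 55AA.
        echo "mbr-or-boot-sector"
    fi
}

# make_samples DIR -> writes three constructed 512-byte sample sectors
# (synthetic data for this example, not images of any real device).
make_samples() {
    dir=$1
    # Protective MBR: entry 1 at 446 = status, 3 CHS bytes, type 0xEE (\356)
    { head -c 446 /dev/zero; printf '\000\000\000\000\356'; head -c 59 /dev/zero;
      printf '\125\252'; } > "$dir/gpt.img"
    # Classic MBR: first entry of type 0x07 (NTFS), signature 55AA
    { head -c 446 /dev/zero; printf '\200\000\000\000\007'; head -c 59 /dev/zero;
      printf '\125\252'; } > "$dir/mbr.img"
    # Plain text written from LBA0, padded with zeros, no signature at all
    { printf 'constructed sample: not a boot sector, just text from LBA0'
      head -c 452 /dev/zero; } > "$dir/text.img"
}

# Stand-alone demonstration over the constructed samples
demo_dir=$(mktemp -d)
make_samples "$demo_dir"
for f in gpt mbr text; do
    printf '%s.img: %s\n' "$f" "$(classify_first_sector "$demo_dir/$f.img")"
done
rm -rf "$demo_dir"
```

The check is deliberately shallow: a 55AA signature only says that the sector looks like a boot sector, not what file system or partitioning follows it, which is exactly why the thread recommends a hex editor for anything the automatic tools reject.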


williamtporter
(@williamtporter)
New Member
Joined: 12 years ago
Posts: 4
 

A paper trail for the renaming is easy, and if someone is worried about their paper notes being insufficient, then in a Linux terminal perform a hash of the source .001 file, use the copy (cp) command and just send it to the same filename but with a .dd extension instead of .001 (example: $ cp File.001 File.dd) and then hash the resulting file. Both should match. You can then just take a screen shot of the commands or use a logging command like script to output the terminal input and output to a file in conjunction. This can be done on Windows or Mac with their versions of the command.

Realistically though just creating an additional working copy of the disk image with plain old copy/paste and then renaming it, then documenting the hashes remain the same in your notes, should be sufficient.
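
Added example (not williamtporter's code, not from the thread) of the hash-copy-hash procedure he describes, with the paper trail written by the script itself: it hashes the .001 source, copies it to the .dd name, hashes the copy, and appends a dated record of both digests to a notes file, refusing to overwrite an existing destination and failing loudly on a mismatch. SHA-1 is used because it is the digest FTK Imager reported above; the function names, the notes-file format and the constructed sample file are assumptions of this example.

```shell
#!/bin/sh
# Documented copy-and-rename of a RAW image segment (.001 -> .dd):
# hash source, copy, hash copy, append a record to a notes file.
# Helper names (hash_file, copy_with_trail) are assumptions of this example.

# hash_file FILE -> prints the SHA-1 hex digest of FILE
hash_file() {
    if command -v sha1sum >/dev/null 2>&1; then
        sha1sum "$1" | cut -d' ' -f1
    else
        shasum -a 1 "$1" | cut -d' ' -f1      # macOS / BSD fallback
    fi
}

# copy_with_trail SRC DST NOTES
# Returns 0 when both digests match (and a 'verified=match' line was logged),
# 1 on an unreadable source or an existing destination, 2 on a hash mismatch.
copy_with_trail() {
    src=$1; dst=$2; notes=$3
    [ -r "$src" ] || { echo "cannot read $src" >&2; return 1; }
    [ -e "$dst" ] && { echo "refusing to overwrite $dst" >&2; return 1; }
    before=$(hash_file "$src")
    cp -p "$src" "$dst" || return 1          # -p keeps the timestamps
    after=$(hash_file "$dst")
    stamp=$(date -u +%Y-%m-%dT%H:%M:%SZ)
    if [ "$before" = "$after" ]; then
        printf '%s copy %s -> %s sha1=%s verified=match\n' \
            "$stamp" "$src" "$dst" "$before" >> "$notes"
        return 0
    fi
    printf '%s copy %s -> %s sha1(src)=%s sha1(dst)=%s verified=MISMATCH\n' \
        "$stamp" "$src" "$dst" "$before" "$after" >> "$notes"
    return 2
}

# Stand-alone demonstration on a constructed (non-evidence) sample file
demo_dir=$(mktemp -d)
printf 'constructed sample image content, not real evidence\n' > "$demo_dir/File.001"
copy_with_trail "$demo_dir/File.001" "$demo_dir/File.dd" "$demo_dir/notes.txt" \
    && cat "$demo_dir/notes.txt"
rm -rf "$demo_dir"
```

Run it inside `script` if a full transcript is wanted as well; the notes file on its own already records when the copy was made, which names were involved and that the digest did not change.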

