? Is there any way to convert E01 files to dd or FTK without EnCase?
? Also, do E01 files have a size limitation?
thanks! )
FTK Imager can do what you want.
Rich
Through "Add evidence file/Image file"?
I get an error "Image file size is not multiple of block size."
The E01 files span multiple 1.5 gig files, i.e. E01 … E99…
That would suggest that you do not have all the e01 files.
Thank you.
Dead end then. cry
RevEnge should be able to do this - although I have not tried on an image that is not a multiple of block size as I can't see how an encase image could be described in ths way (I assume they mean a multiple of 512 bytes) - this does seem very odd.
Given the format of the encase image which is block related this is a very odd message. The encase header records the size as bytes per sector and number of sectors so by definition the image size (if complete) must be a muktiple of the blockl size. If the image is not complete then I would expect a different sort of error message such as missing section.
I presume, if an EnCase E01 file spans multiple files as in my case, and one is missing, most like the last one, than it would make sense.
FTK Imager recognizes the header in the first E01, but cannot find all the files for the whole "set".
You should use ewfexport tool from the libewf project. website libewf.sourceforge.net
RJM
I presume, if an EnCase E01 file spans multiple files as in my case, and one is missing, most like the last one, than it would make sense..
Not the case - an encase file is split into what they call chunks each of which is typically 32K in size - this is adjustable in the later versions of encase but is always a multiple of 512 bytes. So the message
"Image file size is not multiple of block size."
still does not make sense in the scenario that a file is missing.
Do you know if the E01 files were converted prior from another format?