Rather than bringing up an old thread, I'll link the thread here
http//www.forensicfocus.com/Forums/viewtopic/p=6523751/
The question that I have is that I've run into this same issue. If I dd a 250gb drive, I get a 250gb file, but if I run that same drive through EnCase, I could end up with 205gb for example. I understand the compression piece, but according to the conversation above, dd is a bit-level copy. What is EnCase doing when you do a full acquire? Is it not bit-level? If it's not doing that type of capture, how does it get all of the unallocated space on the drive?
Thanks!
Yes its a bit level copy - if you are a linux guy think of an ecnase image as a dd image that has been compressed using tar and gzip.
if, using your example above, you
Create a DD image and then create a separate encase e01 file with compression
If you then export the encase e01 image to a bit level/dd format image (I know dd isn't really a format). Then it should be exactly the same as the DD image you created. All of the sectors are compressed, those containing live files and the unallocated space, if the unallocated space is empty then it compresses very well.
If you want the same "effect", you can pipe dd into gzip directly (no real need of TAR)
http//
jaclaz
Thanks guys! I appreciate it )
