I am having to document which format should be used, dd/raw or E01. What are the pros and cons?
Can you be more specific? Most of the time the answer depends on what you are trying to do and the tools you have available. Your question is kind of vague…
Well, based solely upon the information contained in your question, and knowing nothing about what you are intending to use the image for,
DD/RAW
(PRO)
they can be opened by any application
using LiveView, you can generate a VM with them
(CON)
you can't compress them without the use of another application
E01
(PRO)
allows for compression on the fly
(CON)
the format is subject to change, thus, not all E01 files can be opened by applications such as FTK Imager
Also, there is a theoretical risk that using an E01 file created by an application other than Encase within Encase could subject you to a legal challenge since, officially, Guidance Software will not acknowledge that E01 files created outside of Encase are valid. Whether anyone has actually been challenged on this I cannot say.
Good feedback. I do have Encase but I liked imaging with FTK or Linux and DD. I have write blockers for SATA and IDE but on occasion I have USB devices and don't like to connect with Windows.
Any other advice on this subject or references is appreciated.
I like to boot a laptop with LinEn and mount USB drives to do acquisition in EnCase.
We have the Tableau USB blockers. In a pinch we have scripts that hack the Windows registry to 'ro' USB devices. I prefer the blockers.
Ditto other comments made here. I personally prefer dd as it is more flexible (any tool will read it - AFAIK) and storage is cheap. Also, ewf files can corrupt and cause an Encase analysis to abort. I have had that happen and because it is difficult to determine which segment went bad you end up re-imaging the drive again.
To check the individual segments of the EnCase image, click on Tools -> Verify Evidence Files. Select the segment(s) you want to verify and let it rip. It will check and report the integrity of each segment. Normally if EnCase encounters a bad segment it will not permit access to the data in that segment and zero it out in your case. Although, it seems almost anything can crash 6.14.x. You would have to reacquire the entire drive again if you encounter a bad segment in the image.
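An added example, not from anyone in this thread, of the kind of independent segment sanity check that helps pin down which E01 segment went bad before reacquiring: it reads each segment's 13-byte EWF file header and verifies the Adler-32 checksum on the first section descriptor, then reports gaps in the segment numbering. It assumes the EWF layout as documented by libewf (signature, fields-start byte, uint16 segment number, uint16 fields-end; 76-byte section descriptors with the checksum over the first 72 bytes); the sample segments are constructed in the script.

```python
import struct
import zlib

# EWF/E01 segment file header (13 bytes): signature, fields-start byte (0x01),
# segment number (uint16 LE), fields-end (uint16, zero). Layout assumed from libewf docs.
EWF_SIGNATURE = b"EVF\x09\x0d\x0a\xff\x00"
HEADER_LEN = 13
DESCRIPTOR_LEN = 76  # 16 type + 8 next offset + 8 size + 40 padding + 4 Adler-32


def parse_segment_header(data: bytes) -> dict:
    """Check the file header and the first section descriptor of one segment file."""
    if len(data) < HEADER_LEN + DESCRIPTOR_LEN:
        return {"ok": False, "reason": "file too short"}
    fields_start, seg_no, fields_end = struct.unpack("<BHH", data[8:13])
    if data[:8] != EWF_SIGNATURE or fields_start != 1 or fields_end != 0:
        return {"ok": False, "reason": "bad EWF signature"}
    desc = data[HEADER_LEN:HEADER_LEN + DESCRIPTOR_LEN]
    stored = struct.unpack("<I", desc[72:76])[0]
    if stored != (zlib.adler32(desc[:72]) & 0xFFFFFFFF):
        return {"ok": False, "reason": "section checksum mismatch", "segment": seg_no}
    sec_type = desc[:16].rstrip(b"\x00").decode("ascii", "replace")
    return {"ok": True, "segment": seg_no, "section": sec_type}


def check_segment_set(files: dict) -> list:
    """Report unreadable segments and gaps in the 1..N segment numbering."""
    problems, seen = [], set()
    for name, data in files.items():
        r = parse_segment_header(data)
        if "segment" in r:
            seen.add(r["segment"])
        if not r["ok"]:
            problems.append(f"{name}: {r['reason']}")
    for missing in sorted(set(range(1, max(seen, default=0) + 1)) - seen):
        problems.append(f"segment {missing} missing from set")
    return problems


def make_segment(seg_no: int, corrupt: bool = False) -> bytes:
    """Constructed sample: valid file header plus one 'header' section descriptor."""
    hdr = EWF_SIGNATURE + struct.pack("<BHH", 1, seg_no, 0)
    body = b"header".ljust(16, b"\x00") + struct.pack("<QQ", 89, 76) + b"\x00" * 40
    chk = zlib.adler32(body) & 0xFFFFFFFF
    if corrupt:
        chk ^= 0xFF  # simulate a damaged block so the checksum no longer matches
    return hdr + body + struct.pack("<I", chk)
```

Point it at the real files by reading each segment's first 89 bytes into the dict; a full verification still needs the chunk-table and data-section checksums, which this header check does not cover.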
The above post pretty much summed up the disadvantage to E01 and that is the E01 format is proprietary to Guidance Software and they are quick to say that only images created with their tools (EnCase, En, and Linen) are supported by them. Raw, binary, DD, whatever you want to call them images are compatible with everything out there and not vendor specific. If you've validated your imaging tool and have properly acquired the drive with the necessary documentation, you shouldn't have a problem with any challenge. I've always wanted to ask Guidance if I first acquire the drive as a raw image and then when I get back to the lab, load the DD image in EnCase and acquire as an E01, is that image supported? It's created by EnCase after all.