Is there a way to edit the information related to an E01 image after the image is created? (Case number, item number, investigator name, etc.)
I created an e01 image with FTK Imager. At creation time, I entered the drive S/N in the "Unique description" field. When adding the image to an FTK case, the information is parsed correctly, but when adding the image to Encase, the drive S/N is used as the evidence name, which kinda screws up the file paths when exporting.
So, is there a way to modify this information after the image is created?
Hitman, there is no way to alter this information unfortunately. You could, however, re-acquire it from the current image and correct the metadata that way.
Officially no, although based on some info I happened to see recently, this is not strictly true. According to Yogeshi Khatri of 42 LLC you can edit this info:
http//
Probably better to reacquire with FTKI though as Kiashi says, or reacquire from source again if available.
Rich
In theory there is no reason why not but the process might not be simple.
This information is compressed (and usually stored twice), and each EnCase section is referenced by an absolute offset from the preceding section, so any change to your data that changes the size of the compressed header will necessitate a change to the header for every subsequent section (and of course each header has a CRC, so that would need changing too).
It shouldn't be difficult to do, though, and changes of this nature would not affect the image hash.
Easy option is to reacquire.
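The section-chain mechanics described in the post above, as an added example that is not from this thread or from any of the tools mentioned: a minimal Python walker and rewriter for the E01 (EWF) descriptor chain, following the publicly documented EWF layout (13-byte file header, then 76-byte section descriptors each carrying the absolute offset of the next section and an Adler-32 checksum over the descriptor). The sample header text and the two-section image are constructed; a real image also carries sectors/table sections whose own offset fields would need the same treatment.

```python
import struct
import zlib
# Layout per the public EWF specification (as documented by libewf): a 13-byte
# file header, then 76-byte section descriptors (Adler-32 over the first 72 bytes).
FILE_HEADER = b"EVF\x09\x0d\x0a\xff\x00\x01" + struct.pack("<H", 1) + b"\x00\x00"
DESC_LEN = 76
SAMPLE_HEADER = "1\nmain\nc\tn\ta\te\n1\tITEM-1\tS/N-123\tnote\n"  # constructed sample

def descriptor(kind: bytes, next_off: int, size: int) -> bytes:
    body = kind.ljust(16, b"\x00") + struct.pack("<QQ", next_off, size) + b"\x00" * 40
    return body + struct.pack("<I", zlib.adler32(body) & 0xFFFFFFFF)

def build_image(header_text: str) -> bytes:
    # Minimal chain: a zlib-compressed 'header' section, then the 'done' section.
    payload = zlib.compress(header_text.encode("ascii"))
    hdr_start = len(FILE_HEADER)
    hdr_size = DESC_LEN + len(payload)
    done_start = hdr_start + hdr_size
    return (FILE_HEADER + descriptor(b"header", done_start, hdr_size) + payload
            + descriptor(b"done", done_start, DESC_LEN))

def walk_sections(image: bytes):
    # Yield (type, offset, size) for each section, verifying every descriptor CRC.
    off = len(FILE_HEADER)
    while True:
        body, crc = image[off:off + 72], struct.unpack_from("<I", image, off + 72)[0]
        if zlib.adler32(body) & 0xFFFFFFFF != crc:
            raise ValueError(f"bad descriptor checksum at offset {off}")
        kind = body[:16].rstrip(b"\x00").decode("ascii")
        next_off, size = struct.unpack("<QQ", body[16:32])
        yield kind, off, size
        if kind in ("done", "next") or next_off <= off:
            return
        off = next_off

def read_header_text(image: bytes) -> str:
    for kind, off, size in walk_sections(image):
        if kind == "header":
            return zlib.decompress(image[off + DESC_LEN:off + size]).decode("ascii")
    raise ValueError("no header section")

def rewrite_header(image: bytes, new_text: str) -> bytes:
    # A different compressed size shifts every later section: rebuild the whole chain.
    parts = [(kind, image[off + DESC_LEN:off + size]) for kind, off, size in walk_sections(image)]
    out = bytearray(FILE_HEADER)
    for kind, body in parts:
        if kind == "header":
            body = zlib.compress(new_text.encode("ascii"))
        start, size = len(out), DESC_LEN + len(body)
        nxt = start if kind in ("done", "next") else start + size
        out += descriptor(kind.encode("ascii"), nxt, size) + body
    return bytes(out)
```

Re-walking the rewritten image verifies every descriptor checksum and next-offset again, which is the check to run before trusting any metadata-edited image.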
Thanks everyone for your answers.
No matter how you edit it, you'd probably want to maintain the 'original' image to handle any allegations of editing a forensic image for nefarious purposes.
Why? If the image hash hasn't changed, then you haven't altered the evidence.
Because MD5 hashes have been compromised (albeit in the lab environment) and because if we are truly ethical (viz this blog) then we should be up-front about all our failings rather than trying to cover them up, surely?
Saving the original evidence might be embarrassing, but at least the jury can track the chain of evidence.
Paul
I don't think MD5 has been compromised in a way that can affect an image file. Or rather, I am not sure (and happy to be corrected) that anyone has ever modified an image file to produce a given MD5, or modified an image file (say by adding a JPG) and then modified the image file again to get the original MD5. Also, the later versions of Encase also record a SHA1.
That aside though, what is wrong with writing in your notes something along the lines of
After obtaining the image it was noted that the evidence number was incorrectly entered in the unique description field and vice versa. This made the exported reports confusing to read therefore I ran the program ModifyCaseDetails from Sanderson Forensics and corrected the typographical error. This program has been shown to preserve the image integrity and after the modification was made the image was re-verified and the MD5 was seen to be the same as originally recorded.
If you 'edit' evidence, then yes, at least take notes documenting the reason 😉
And doesn't everyone keep an original copy of evidence anyway and work on a copy?