Is there a way to edit the contents of an image (.E01)? I have tried Mount Image Pro but it can only read the contents. I am looking for tools that will enable users to open an .E01 image and delete the contents (files, folders) from the image without the need to extract to disk and re-acquire the changes.
[The images being edited are not forensic evidence files!]
You cannot change anything inside of an EnCase Evidence file.
Use a Logical evidence file (.L01) if you are using EnCase.
You still cannot change anything inside of an EnCase Evidence file.
You cannot edit an EnCase evidence file and have the file then used by EnCase. Moreover, why would you want to?
If the purpose is to create a redacted copy of the original, do a restore and work on the restored drive.
You can convert it to dd format image, use WinHex (create a case and open the image) in order to wipe the files/folders needed to be wiped. Then convert the dd into a new E0 file. Lots of work, particularly if the clusters are not sequential. Best bet, as already mentioned, is to restore the image, wipe the files from the restore, and create a new E0 file from the modified restore. If there is a court order or client request to permanently wipe certain files, then after this is all done, you'd have to wipe the entire original E0 file to get rid of the specified files.
Agreed, lots of work. And you'd still have the data in unallocated space. A logical restore would give you only the undeleted files, then you could do a destructive delete and be done. Or a physical restore and using a freespace wiping tool would be an alternative.
Editing the disk image is the least practical solution since you have to consider MFT resident data, file slack, and all the other places where a hex editor is not the most practical technology.
Perhaps if we knew what you wanted to do, we could better advise you.
Check out this EnScript by Lance Mueller. It will allow you to blue check the files you want to exclude, then export all of the other files into a DD. The content of the excluded files are wiped. The file names remain though.
Apparently the person(s) responsible for 'libewf' are working on a way to write to and edit EWF (EnCase) files. Don't know how practical this would be, but worth looking at nonetheless.
I can think of a very good reason to exclude evidence - if company 'A' is suing company 'B' there are procedures in place to protect company 'B' from having their company data exposed to company 'A'. If you could turn over an evidence file without that data it would be helpful to the investigation. I realise however that this is also achievable by creating a logical evidence file.
There's no real reason why it shouldn't be possible. All you'd need to do is decompress the image, edit it, and then save it back with all the new CRC and MD5 data saved to the EWF file. Fact is it is unlikely that anyone will come up with a completely secure method for storing evidence.
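As an added illustration (not code from any poster, from EnCase or from libewf), here is a simplified Python model of the two integrity layers the post above refers to: a checksum on every data chunk (EWF uses Adler-32 for these, although EnCase calls them CRCs) plus a hash over the whole image. The chunk size and the sample "image" are assumptions; the point is that an in-place edit fails verification at both layers unless both are recomputed, and that the chunk layer pinpoints where the edit happened.

```python
import hashlib
import zlib

# Assumption: 64 sectors of 512 bytes per chunk (the EWF default).
CHUNK_SIZE = 64 * 512


def build_verification_record(image: bytes, chunk_size: int = CHUNK_SIZE) -> dict:
    """Compute per-chunk Adler-32 checksums and a whole-image MD5.

    This models the two integrity layers an EWF file carries; the real
    container stores them in its own section structure, not as a dict.
    """
    chunks = [image[i:i + chunk_size] for i in range(0, len(image), chunk_size)]
    return {
        "chunk_size": chunk_size,
        "chunk_checksums": [zlib.adler32(c) & 0xFFFFFFFF for c in chunks],
        "md5": hashlib.md5(image).hexdigest(),
    }


def verify(image: bytes, record: dict) -> tuple[bool, list[int]]:
    """Return (ok, indices_of_chunks_that_failed).

    The chunk layer localises a modification; the MD5 over the whole
    image is the acquisition hash that must also match.
    """
    size = record["chunk_size"]
    bad_chunks = []
    for idx, expected in enumerate(record["chunk_checksums"]):
        chunk = image[idx * size:(idx + 1) * size]
        if (zlib.adler32(chunk) & 0xFFFFFFFF) != expected:
            bad_chunks.append(idx)
    md5_ok = hashlib.md5(image).hexdigest() == record["md5"]
    return (md5_ok and not bad_chunks), bad_chunks


if __name__ == "__main__":
    # Constructed sample image: exactly three chunks of repeating byte values.
    original = bytes(range(256)) * (3 * CHUNK_SIZE // 256)
    record = build_verification_record(original)

    # Simulate "wiping a file" by zeroing 100 bytes inside the second chunk.
    edited = bytearray(original)
    edited[CHUNK_SIZE + 100:CHUNK_SIZE + 200] = b"\x00" * 100

    print(verify(original, record))       # (True, [])
    print(verify(bytes(edited), record))  # (False, [1])
```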
I am agreed that there is often the need to redact the evidence (attorney client privilege is one that comes to mind). My point was that editing the evidence file is probably the least efficient and least desirable way. In fact, were someone to develop a simple and convenient means to edit evidence files while allowing them to reverify in EnCase, I think it would have serious implications for the admissibility of evidence files in lieu of the physical media.
There exist much better technical approaches and, at least in the US, there are legal approaches to protecting confidential information which wouldn't involve tampering with the evidence itself.