Encase-to-dd

15 Posts
7 Users
keydet89
(@keydet89)
Posts: 3568
Famed Member
Topic starter
 

I heard an interesting question the other day…someone has four EnCase evidence files that comprise a case, and wants to convert those to a consolidated dd image file.

Anyone have any thoughts? I have EnCase, but don't really use it a lot.

Thanks,

Harlan

 
Posted : 14/12/2005 6:29 pm
 Andy
(@andy)
Posts: 357
Reputable Member
 

FTK Imager will convert between image file formats (EnCase does not have this function). It's free to download and use. Depending on the size of the 4 images (i.e. if they are in total less than 2048 MB) you can set the file size to consolidate the 4 x E01 files into 1 DD image.

Step by step - Open FTK Imager, File > Add Evidence Item, point to your EnCase (first) E01 file. This will mount the image. Next - File > Export Disk Image > Select the destination > Add > Select Raw (dd) > Select the destination folder > Select a filename > Select Image Fragment size (must be less than 2048 MB).

Andy

 
Posted : 14/12/2005 7:03 pm
keydet89
(@keydet89)
Posts: 3568
Famed Member
Topic starter
 

Andy,

Thanks. Sorry I forgot to mention it, but the total size of all four Encase evidence files combined is just over 74GB.

Harlan

 
Posted : 14/12/2005 7:37 pm
 Andy
(@andy)
Posts: 357
Reputable Member
 

Ahhhh, in which case I don't think FTK Imager will do it, or at least my version (build 04.11.08) will not let me create a dd image with segments over 2048 MB.

I just tried the process using X-Ways Forensics (version 12.2), in Windows XP Pro (SP2) and it appears to work. The process is as follows - Open X-Ways, and create a new case > Add image > Select the first E01 file (this will mount the image). Next click File > Create Disk Image > Select Raw Image (dd) > Select the output path > Uncheck the 'split backup into segments of?' box.

I used a 40GB image, and it works.

Andy

 
Posted : 14/12/2005 9:36 pm
keydet89
(@keydet89)
Posts: 3568
Famed Member
Topic starter
 

Andy,

You said in your last email that you can't create a dd image with "segments over 2048 MB", whereas in your first email, you said, "…Depending on the size of the 4 images (i.e if they are in total less than 2048 MB)…".

Based on what you said in your first email, I thought I was out of luck…how many imaged hard drives are you going to find that are less than 2GB?

Well, I asked our resident Encase guru here, and he said that the issue is with the size of individual .e0x files…each has to be 2B or less. The total size of the image can be just about anything.

As I sit here, I have just over 3 minutes until I have the .e0x files converted to single dd image file.

Thanks,

Harlan

 
Posted : 14/12/2005 10:52 pm
 Andy
(@andy)
Posts: 357
Reputable Member
 

Harlan, I will try to answer your points as best as I can -

You said in your last email that you can't create a dd image with "segments over 2048 MB", whereas in your first email, you said, "…Depending on the size of the 4 images (i.e if they are in total less than 2048 MB)…".

I think you mean ‘posts’ not ‘emails’… in any case, what I meant was this - by default EnCase is set to image in chunks of 640 MB, so when you said you had 4 image files I had the misassumption that your images were 4 x 640 MB in size.

My version of FTK will mount the images and allow me to create another Raw (DD) image from it; however, for some reason it will not allow me to create a DD image over 2048 MB. Any larger and it will create segments of this size. I don’t know why, and there is no reason with NTFS why this should be the case?

Based on what you said in your first email, I thought I was out of luck…how many imaged hard drives are you going to find that are less than 2GB?

Quite a few actually, I have many cases where there are drives (mostly loose) of this or even smaller size. I find that people often have old drives lying around. They tend to get seized during searches, and often contain evidence. Also some of the larger drives in more contemporary machines will compress down to comparatively small image files (try setting EnCase to ‘Best Compression’).

Well, I asked our resident Encase guru here, and he said that the issue is with the size of individual .e0x files…each has to be 2B or less. The total size of the image can be just about anything.

The size of the EnCase E01 files doesn’t matter whatsoever (I think your guru might be confused and/or mistaken). What you are doing with FTK Imager or X-Ways Forensics – is mounting all those image files (which can be any size up to 2000 MB). The software finds which segment is next in its chain, and what order they are in. It does all the work.

EnCase (versions 2, 3, 4 or 5) will not allow the creation of segments larger than 2000 MB (I’m also not too sure what you mean by 2B?). Also, I am a little puzzled as to how there are only 4 image files that total 74GB? EnCase could not possibly create 4 image segments that would total this size. It might help if you explain how this could be.

Did you manage to use the FTK Imager or did you use X-Ways Forensic (WinHex) as I suggested or not? If not, what did you use?

Andy

 
Posted : 15/12/2005 1:42 am
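As an added example (not code from this thread, nor from FTK Imager, X-Ways or EnCase), the Python below shows the two mechanisms Andy's posts describe: how a tool walks the E01 segment chain in order (.E01 to .E99, then .EAA, .EAB and so on, the naming convention libewf documents), and how the raw output is written either as one flat dd file or split into fragments of a maximum size (the 2048 MB fragment limit Andy ran into), with a byte-count and hash check on the result so a short read does not go unnoticed. The `.001` fragment suffix, the `out_path` naming and the constructed sample data are assumptions of this example; `open_ewf` is the only part that touches real E01 files and uses pyewf (libewf's Python binding), which is optional.

```python
"""Added example: E01 segment ordering and raw (dd) output writing.
Not the thread's code nor any vendor's; pyewf is optional and only
needed by open_ewf() for real images."""
import hashlib
import os
import string

UPPER = string.ascii_uppercase


def ewf_segment_name(base, index):
    """Name of the index-th (1-based) EWF segment file.
    Segments 1..99 are .E01 .. .E99; from 100 on the extension is a
    three-letter counter starting at EAA (EAB, ... EZZ, FAA, ... ZZZ),
    which is the libewf naming convention."""
    if index <= 99:
        return f"{base}.E{index:02d}"
    n = index - 100
    c3 = UPPER[n % 26]
    n //= 26
    c2 = UPPER[n % 26]
    n //= 26
    c1 = UPPER[(UPPER.index("E") + n) % 26]  # first letter starts at 'E'
    return f"{base}.{c1}{c2}{c3}"


def ewf_segment_names(base, count):
    """Segment names 1..count in chain order."""
    return [ewf_segment_name(base, i) for i in range(1, count + 1)]


def find_segments(first_segment):
    """Walk the chain on disk starting at the .E01 file and stop at the
    first missing name, which is what an imager does when you 'add' the
    first E01. Returns the full paths in order."""
    directory, filename = os.path.split(first_segment)
    base, ext = os.path.splitext(filename)
    if ext.upper() != ".E01":
        raise ValueError("expected the first segment (.E01) of the image")
    found, index = [], 1
    while True:
        path = os.path.join(directory, ewf_segment_name(base, index))
        if not os.path.exists(path):
            return found
        found.append(path)
        index += 1


def open_ewf(first_segment):
    """Real-image reader via pyewf (assumed API: glob/handle/open/read).
    Returns (handle, media_size); handle.read(n) yields decompressed data
    across all segments, so the caller never sees segment boundaries."""
    import pyewf  # optional dependency
    handle = pyewf.handle()
    handle.open(pyewf.glob(first_segment))
    return handle, handle.get_media_size()


def write_raw_image(reader, media_size, out_path, segment_size=None, chunk=1 << 20):
    """Copy media_size bytes from reader (any object with .read(n)) into a
    raw dd image. segment_size=None gives one flat file at out_path;
    otherwise fragments out_path.001, .002, ... of at most segment_size
    bytes (the .001 suffix is an assumption of this example).
    Returns (output paths, bytes written, SHA-1 of the written data)."""
    if segment_size is not None and segment_size <= 0:
        raise ValueError("segment_size must be positive")
    digest = hashlib.sha1()
    paths, written, seg_index, seg_written, out = [], 0, 0, 0, None
    while written < media_size:
        if out is None:
            seg_index += 1
            path = out_path if segment_size is None else f"{out_path}.{seg_index:03d}"
            out = open(path, "wb")
            paths.append(path)
            seg_written = 0
        want = min(chunk, media_size - written)
        if segment_size is not None:
            want = min(want, segment_size - seg_written)
        buf = reader.read(want)
        if not buf:  # reader ended early: the image would be truncated
            out.close()
            raise IOError(f"short read: got {written} of {media_size} bytes")
        out.write(buf)
        digest.update(buf)
        written += len(buf)
        seg_written += len(buf)
        if segment_size is not None and seg_written >= segment_size:
            out.close()
            out = None
    if out is not None:
        out.close()
    return paths, written, digest.hexdigest()
```

For a real conversion, `handle, size = open_ewf("case.E01")` followed by `write_raw_image(handle, size, "case.dd")` gives the single flat dd file the thread is after; passing `segment_size=2048 * 1024 * 1024` reproduces the fragmented output FTK Imager produced for Andy, and the returned hash can be compared with the acquisition hash stored in the E01 to confirm nothing was lost in the conversion.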
keydet89
(@keydet89)
Posts: 3568
Famed Member
Topic starter
 

Andy,

Thanks for the narrative, but none was necessary, really. Like I said in my post/email, there's no longer any issue.

> Also, I am a little puzzled as to how there is only 4 image files that total 74GB?

Well, the report from the person who made the image isn't conclusive, but I seem to remember that Encase could do compression. Given the nature of the case, I doubt that much more than about 1GB of the hard drive space was actually used.

> Did you manage to use the FTK Imager…

Yep.

Harlan

 
Posted : 15/12/2005 3:13 am
rcw8892
(@rcw8892)
Posts: 27
Eminent Member
 

Harlan

I will be releasing a free tool in the next week (will be available from my site) or so which is specifically designed for converting image formats such as E01 to single flat file DD style images.

It is being beta tested at the moment and works with Encase 1-5 (compressed and non-compressed), Smart and FTK images.

 
Posted : 16/06/2006 5:52 pm
keydet89
(@keydet89)
Posts: 3568
Famed Member
Topic starter
 

Craig,

Great…I'd love to try it when you do get it completed.

Thanks…if you email me at keydet89 at yahoo dot com when it is complete, I'd like to post something on my blog about it.

Harlan

 
Posted : 16/06/2006 6:28 pm
rcw8892
(@rcw8892)
Posts: 27
Eminent Member
 

Harlan

I have emailed you. D

 
Posted : 16/06/2006 7:07 pm