I have received a hard drive with an image made with AccessData FTK Imager. It is a segmented image (AD1, AD2 …), and it would seem it contains two EnCase E01 raw disk images. I've never seen that before, so now I need some help getting the EnCase images (E01) out of the AD1 file.
I tried mounting the AD1 image and I get two 0 byte E01 files. Am I missing something obvious?
The AD1 is most likely a logical copy of the volume or folder that contained the E01s. Open the AD1 in Imager and export the E01s.
It does not seem like that is the case. The image structure is as follows
<name_of_file.AD1>
– FTKDB [AD1]
—- [root]
——–<name_of_image1.E01>
—————- Partition 1
—————- Partition 2
——–<name_of_image2.E01>
—————- Partition 1
—————- Partition 2
If I rightclick [root] and choose to export files, then I get name_of_image1.E01 and name_of_image2.E01, that both are 0 bytes.
When you click on root and look in the File List pane do the E01s have a size? Does the AD1 hash correctly?
Jesus…why put an Encase image within a AD1 image? Matrioska forensics?
The E01 files have no size in the right pane. They have a type set to 43, and that is it.
If I click the name_of_image1.E01, and click properties in the bottom left, it says "image type E01" as well as harddrive geometry and other things E01 images usually have.
I would have expected to just rightclick the E01 file in FTK Imager, and then "Export Disk Image". But that option is not available.
I just built a couple of test AD1s of folders containing E01s. In both tests the E01s had size. I hate to say it, but your images might be FUBAR.
I've contacted AccessData support to see if they can help find out what kind of magic this is. It does seem to be a supported feature of the AD1 fileformat. The reason I think that, is the E01 files contain unallocated space as well as deleted files, which can be exported from within FTK Imager. It would be great if the E01 images themselves could be exported.