Forensic Dossier from LogiCube supports E01

(@douglasbrush)

This press release was just hitting the news wires

CHATSWORTH, Calif. - (BUSINESS WIRE) - Logicube Inc., the industry's leader in hard drive duplication and eForensics technology, has announced that the company's premier data capture solution, the Forensic Dossier, will provide support for the EnCase evidence file format, E01.

The Dossier is the first hardware-based data capture solution to provide support of this widely-used forensic file format. This new software option is scheduled to be available in mid-summer 2009.

The E01 option will allow users to capture hard disk drives directly into the E01 format. The evidence or destination drive can then be easily uploaded to the analysis software in a ready-to-analyze state. This eliminates the time-consuming conversion step that users typically must perform today. The Dossier uses CRC and MD5 authentication when capturing to the E01 format and there is no performance degradation in native capture mode.

"Customer feedback is an integral part of product development at Logicube," commented Farid Emrani, Executive Vice President and COO of Logicube. "Support for the E01 file format has been consistently at the top of the wish list for our customers. Our engineering team has responded to our customers with the addition of this important enhancement to the Forensic Dossier."

"As the world leader in the eForensics field, our customers expect us to be at the forefront of new technological advances and the E01 option demonstrates Logicube's commitment to providing innovative and forward-thinking solutions to our customers," continued Emrani.

The Dossier is the fastest and most feature-rich digital forensic data capture device on the market today, allowing investigators to capture and authenticate at speeds approaching 6GB/min. The Dossier supports SATA and IDE drive formats and will also support SCSI and SAS drives with an optional adapter. Users can capture data from one or two suspect drives to one or two evidence drives. The Dossier supports capture in both native (mirror) and DD image file formats along with the new E01 support.

Over the next few months, Logicube plans on announcing multiple ground-breaking feature enhancements and complementary products all built on the Dossier platform. "The Dossier was designed to be an extremely versatile and scalable forensic tool. We expect that our upcoming additions to the product line will meet and exceed customer expectations and set the standard for their ideal forensic data capture solution," commented Mr. Emrani.


   
(@jelle)

Sorry to kick this old topic - but I thought this would be a more appropriate location than in a new one.

A couple of weeks ago we were testing our new Logicube Dossiers and found that the .E01 images we created would not load in FTK Imager. We found this blog posting which mentions:

"The Dossier boasts that it can image in .E01 format, but there should be some disclaimers to that. The .E01 format used by the Dossier is only compatible with EnCase, and you will not get a matching hash value in FTK. Also, if you pull your .E01 image into FTK, most likely you will never be able to pull it into EnCase, it somehow corrupts it (the two tools use different .E01 formats). I recommend imaging the drive in DD format using the Dossier, then re-acquire the DD (raw) image as an .E01 inside EnCase (raw images have a tendency to become corrupt inside EnCase)."

We also sent in a support ticket to ask if this was indeed what we were experiencing, and Logicube confirmed:

"Currently we only support EnCase 6.0 and higher, although some of our customers have been able to open the E01 images with FTK. We are currently working on a software update that will support E01 with FTK. I'm sorry I don't have a release date."

On my obvious follow-up question why such quite essential information is not listed in the manual, they only assured me that the next version would include this compatibility information.

As this new version of the manual has not yet been released, and other people might experience the same problems, I thought some extra attention to this information could be helpful.

On a less diplomatic note, if the best they could come up with is a vendor-specific implementation of the E01-format (quite an achievement in itself as I don't know any other tools that managed to do this…), they could just as well have saved the effort, as you now still have to re-process your images to use them in other tools.


   
(@armresl)

I would think the reasons for not mentioning it would be no sales.

The statement about your hash values won't match if you open it in FTK alone causes even a novice to step back and say whoa.



   