Greetings,
As I said, as long as your processes support your choice. All too often, the only Linux system near me is on a VM on my Mac Book Pro. I've got EnCase, FTK, and Mount Image Pro licenses with me and so EWF files are handy.
I'm also often limited by disk space but have spare CPU cycles. Etc etc etc.
In other words, my environment generally dictates my file format, and it usually isn't my choice.
-David
And one disadvantage of a compressed E01 file is that if the underlying file system experiences a hiccup you're … what's that word … _ _ _ _ _ _ .
(BTW, the fill-in is "mucked" 😉 )
Non-compressed image files are easier to recover from a corrupt or bruised underlying file system compared to compressed image files.
Just a random thought! )
Cheers!
farmerdude
.
I created an E01 file (and a second backup E01 file) of a hard drive using FTK Imager 2.5.4.13.
There were no multiple E0x files created - only one of the entire image
Now, when I try to load them into FTK 1.71 I get an error saying "Invalid Evidence File" (or something like that).WHAT GIVES? Any idea? Would appreciate any/all help.
-=ART=-
Guidance Software changed the Expert Witness Format they use in EnCase v6 to support single segment evidence files greater than 2GB in length. The original EWF format did not support segments greater than 2GB.
If you have created an e01 image with a single segment with the latest version of FTK Imager, it probably supports the new structure to allow these large segments.
It is likely that FTK 1.71 has not been updated to support single segment images greater than 2GB and is therefore complaining about it.
Craig
THANK YOU! That may explain why when I converted the E01 to a DD, FTK 1.71 was able to read it and process it.
I guess I will have to make my images into smaller Exx segments.
Appreciate the input, everyone!
-=ART=-