Hi, I'm new to computer forensics and ecspecially Linux. In the class I'm taking at my college we use FTK. I'm trying to work on the case at home but I don't have FTK there so I'm trying to use the Helix cd. The image is a Encase E01 image. What exactly do I have to do to be able to investigate this image? Do I have to partition my harddrive and then mount it to the drive? Or can I just view the image file with Autopsy without having it mounted to something? Sorry if this is a little confusing I just don't know how to explain it to well since I'm new to Linux myself. All I'm really trying to do is investigate and image.EO1 file that I have saved on my harddrive now in windows vista.
you can download a full working copy of ftk from their web site.
the only thing with the trial is that it will only process 5000 files.
To image EnCase files you use linen on the Helix CD. To view them use pyflag with the ewf driver (ewf = Eye Witness Format). I would encourage you to read the Helix Docs (jump to page 144 for Autopsy). Browsing around linux-forensics.com would be a good thing as well.
BTW FTK does not play well on Vista. AccessData recommends XP as the platform for FTK 1.7x.
I've read a lot of the Helix manual. I already have the image file, so I don't need to image it again, or do i? I'm trying to do a investigation on the image like I do with FTK. What do I have to do, and what programs do I have to use to be able to set up this image file so I can work with it somewhat the way I do with FTK.
Thanks, Andrew.
You can use the FTK Imager (Free Version) to create a dd file image from the E01 file. The dd image can then be read by the SleuthKit utilities and viewed by Autopsy!
I've read a lot of the Helix manual. I already have the image file, so I don't need to image it again, or do i?
No need to image again, I was just pointing out that if you are going to create EnCase images with Helix you use linen.
What do I have to do, and what programs do I have to use to be able to set up this image file so I can work with it somewhat the way I do with FTK.
In general working in Linux is not going to be as "pretty" as working in FTK. In brief you mount the EnCase image then look at it with the HTML base Autopsy. Unfortunately there is no short answer to your question. As I wrote earlier download the Helix manual and start stepping through the Autopsy section starting at page 144.
use encase 4.18 enterrise edition
this edition need't dongle ,so you can store in the flash memory
You can use the FTK Imager (Free Version) to create a dd file image from the E01 file. The dd image can then be read by the SleuthKit utilities and viewed by Autopsy!
libewf support is inlcuded in the Sleuthkit utilities. There's no need to convert to a dd to use Sleuthkit tools under Linux to examine an Encase image. The support is already there.
If you really want to convert an EWF (i.e. "E01") file to a dd image, and you want to do it in Linux, just use "ewfexport" from the libewf package.