Just wondering, out of the forensic examiners out there, when you image a hard drive, what format do you use? Do you find there are any advantages or disadvantages to any formats? Any input would be great, thanks.
Well, that is a really wide net to cast and depends on the needs.
There are advantages and disadvantages to each format and you have to balance:
File system you are imaging
Imaging speed
Compression
What case information you need/want stored in the image
What hardware you are using
What you will examine in - OS, review platform, tools
What you want to mount in
Virtual Machine use
We probably do E01 (EnCase) images most of the time followed by DD as most are Win based and it fits our needs and tools.
MacQuisition does DMG which is nice as well.
I find for LE we have to use E01 format. Unless, obviously, we have a dodgy hard drive/media that is struggling to acquire; then we resort to other techniques.
Coincidence - or maybe you saw the 'heated' debate on this topic on my Twitter feed yesterday?
I prefer dd because it's an open file format which isn't under the control of a single company. E01 works fine today with non-Guidance products, but who knows what will happen to it next month, next year, in 5 years? Is there a potential risk for me or my clients that the EnCase version 7 or 8 or 9 E01 file format will only work/be licensed for use within EnCase? Quite possibly.
I like E01s because of the ability to work out which part of the segmented image file is/has failed/corrupted.
To clarify this, an example being a supplied forensic image from another party being restored from a tape backup which was claiming to have restored successfully. The restored image did not load. However, EnCase reported which EXX file had a problem. Long story short, many restores of the tape, and each time, copying in a newer copy of the EXX file with a problem (several different ones in the end). From the various restores I was able to get a complete forensic image that verified completely (hashes/CRCs etc.).
With a DD copy on the tape, I'm not sure of an easy way I'd have been able to get a working copy (when the tape drive is reporting that it's restored correctly for whatever reason).
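The localisation the poster above gets from E01 segment checks can be approximated for a split raw (dd) image by recording a hash per segment at acquisition time, alongside the usual whole-image hash. The script below is an added example, not code from this thread or from any forensic tool: it builds a per-segment SHA-256 manifest for a constructed in-memory "image", then reports exactly which segment indices fail to verify after a simulated bad restore. The segment size, the manifest layout and the sample data are all assumptions of the example; real segments would be the files produced by split or by the imaging tool's segment option.

```python
import hashlib
import json
from typing import Dict, List

# Constructed sample data standing in for a raw image. A real image would be
# read segment by segment from disk rather than held in memory.
SEGMENT_SIZE = 4096                  # toy segment size (real segments are MB/GB)
IMAGE = bytes(range(256)) * 64       # 16 KiB of deterministic sample bytes


def split_image(image: bytes, segment_size: int = SEGMENT_SIZE) -> List[bytes]:
    """Split a raw image into fixed-size segments, as `split -b` does on a dd image."""
    return [image[i:i + segment_size] for i in range(0, len(image), segment_size)]


def build_manifest(segments: List[bytes]) -> Dict[str, object]:
    """Record a SHA-256 per segment plus the hash of the whole image.

    The whole-image hash is what normally goes in the acquisition notes; the
    per-segment hashes are what let a later failure be pinned to one file.
    """
    whole = hashlib.sha256()
    per_segment = []
    for seg in segments:
        per_segment.append(hashlib.sha256(seg).hexdigest())
        whole.update(seg)
    return {
        "segment_size": SEGMENT_SIZE,
        "segments": per_segment,
        "image_sha256": whole.hexdigest(),
    }


def verify_segments(segments: List[bytes], manifest: Dict[str, object]) -> List[int]:
    """Return the 0-based indices of segments that no longer match the manifest.

    An empty list means every segment verified. A missing or extra segment is
    reported as a failure at the affected index rather than silently ignored.
    """
    expected = manifest["segments"]
    failed = []
    for idx in range(max(len(expected), len(segments))):
        if idx >= len(segments) or idx >= len(expected):
            failed.append(idx)
            continue
        if hashlib.sha256(segments[idx]).hexdigest() != expected[idx]:
            failed.append(idx)
    return failed


def verify_whole(segments: List[bytes], manifest: Dict[str, object]) -> bool:
    """Whole-image check: tells you *that* something is wrong, not *where*."""
    h = hashlib.sha256()
    for seg in segments:
        h.update(seg)
    return h.hexdigest() == manifest["image_sha256"]


def corrupt_segment(segments: List[bytes], idx: int, offset: int = 0) -> List[bytes]:
    """Constructed failure: flip one bit in segment `idx` to simulate a bad restore."""
    seg = bytearray(segments[idx])
    seg[offset] ^= 0x01
    out = list(segments)
    out[idx] = bytes(seg)
    return out


if __name__ == "__main__":
    segs = split_image(IMAGE)
    manifest = build_manifest(segs)
    print(json.dumps(manifest, indent=2))
    print("clean restore   ->", verify_segments(segs, manifest), verify_whole(segs, manifest))
    bad = corrupt_segment(segs, 2)
    print("damaged restore ->", verify_segments(bad, manifest), verify_whole(bad, manifest))
```

The manifest is plain JSON so it can sit next to the segment files and be hashed or signed with the rest of the case notes; on a failed restore only the segments listed by verify_segments need to be pulled again, which is the workflow the poster describes for EXX files.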
Jonathan, although in general I am also leery of proprietary formats (or proprietary anything), once the E01 cat is out of the antistatic bag, there is no way to stuff it back in.
First, the SPCA would be on you like white on rice for animal cruelty.
But more importantly, Guidance may decide to modify their future E01 format, but it would be to their disadvantage not to disclose the details.
Just as there are tools that will open and now write DOC, XLS, ZIP, and other proprietary formats, E01 will continue to be used by the industry.
The danger to Guidance is that the industry will just take E01 and develop an open format based on E01, let us call it F01, and make Guidance irrelevant.
Thereafter Guidance would have to implement the F01 format, instead of dictating the industry direction themselves...
Just my two shillings.
To answer the original question, I tend to use E01, then dd if I have concerns.
F01 = Fictional format which includes self correction, compression ratio of 70%+, self indexing, and platform independent. Yep, it would slice, dice and make julienne fries.
I generally use E01 files because Encase tends to be the tool of choice that the people I work with use.
However, if I had the choice I would nearly always go for dd images because they are interoperable with pretty much any tool. The only downside to dd is the lack of compression, which obviously saves space/cost when purchasing target drives.