
Novice Encase Question

7 Posts
4 Users
0 Reactions
1,182 Views
(@jakeaw03)
Trusted Member
Joined: 17 years ago
Posts: 65
Topic starter  

I have a drive that is broken out into 10 different Evidence files (E0….). Someone else has imaged these files. I need to analyze these files. In the past I have added dd images to a case, but I have never started out the case with an E0 file. Am I correct that, to do so, I do the following:

Add Device -> Evidence Files -> highlight the folder location -> The entry listed will be the E01 file and I just select that as long as all the other E0 files are in the same directory.

Here is the other main issue I am dealing with. I have a print out with the Acquisition Hash and the Verification Hash (which match). How can I take all the 10 E0 files and verify all of them to get the one hash that was listed when acquired? Let me see if I can ask this another way. How can I take all the E0 files and get one hash for just the data portion of the imaged system?

Thanks


   
Quote
(@Anonymous 6593)
Guest
Joined: 17 years ago
Posts: 1158
 

Add Device -> Evidence Files -> highlight the folder location -> The entry listed will be the E01 file …

Or, with the case opened, just drag'n'drop the .E01 file on the tree pane.

How can I take all the 10 E0 files and verify all of them to get the one hash that was listed when acquired.

The hashes you asked about are for the complete .Exx set of files, taken as a whole, and are shown in the evidence report. Tree Pane select Entries. View pane select 1 (or whatever the evidence is called in your case). View Pane Select Report.

I think this is explained in the User Guide – if you haven't, use it. If you have tried and given up, try again; some perseverance is needed.


   
ReplyQuote
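The point in the reply above is that the acquisition and verification hashes cover the data of the whole segment set, not any one segment file. The script below is an added example (not from the original thread or from EnCase) that shows that principle on raw split segments of the kind the poster has used with dd images: each segment is streamed, in numeric order, through a single digest, and the result is compared with the hash transcribed from the acquisition report. E01 segments are compressed containers, so they cannot be concatenated this way; for those, EnCase's own verification does the decompression and hashing and the result appears in the evidence report as described in the thread. All file names, the segment size and the sample data are constructed for the demonstration.

```python
import hashlib
import hmac
import os
import re
import tempfile


def segment_sort_key(path):
    """Order raw split segments numerically (.001, .002, ... .010) rather than lexically."""
    match = re.search(r"\.(\d+)$", path)
    return (int(match.group(1)) if match else 0, path)


def hash_segments(paths, algorithm="md5", chunk_size=1 << 20):
    """Run every segment, in order, through ONE digest: this is the hash of the data portion.

    Hashing each file separately gives per-file values that can never equal the
    acquisition hash, which is what confused the question in the thread.
    """
    digest = hashlib.new(algorithm)
    for path in sorted(paths, key=segment_sort_key):
        with open(path, "rb") as fh:
            for block in iter(lambda: fh.read(chunk_size), b""):
                digest.update(block)
    return digest.hexdigest()


def hash_each_file(paths, algorithm="md5"):
    """Per-segment hashes, kept only to show they do NOT match the whole-image hash."""
    result = {}
    for path in paths:
        with open(path, "rb") as fh:
            result[os.path.basename(path)] = hashlib.new(algorithm, fh.read()).hexdigest()
    return result


def matches_report(computed_hex, reported_hex):
    """Compare with the hash copied from the printed report.

    Tolerates case and stray whitespace from transcription and uses a
    constant-time comparison so the check is not timing-dependent.
    """
    a = computed_hex.strip().lower().encode()
    b = reported_hex.strip().lower().encode()
    return hmac.compare_digest(a, b)


def make_demo_segments(directory, data, segment_size):
    """Write constructed data as evidence.001, evidence.002, ... (hypothetical names)."""
    paths = []
    for index, offset in enumerate(range(0, len(data), segment_size), start=1):
        path = os.path.join(directory, f"evidence.{index:03d}")
        with open(path, "wb") as fh:
            fh.write(data[offset:offset + segment_size])
        paths.append(path)
    return paths


def demo():
    """Build a 10-segment split image, then verify it the way an examiner would."""
    data = bytes(range(256)) * 40          # 10,240 constructed bytes of "drive" content
    with tempfile.TemporaryDirectory() as workdir:
        paths = make_demo_segments(workdir, data, segment_size=1024)   # 10 segments
        reported = hashlib.md5(data).hexdigest().upper()   # stands in for the printed acquisition hash
        combined = hash_segments(paths)
        shuffled = hash_segments(list(reversed(paths)))    # order is fixed by the sort key, not input order
        per_file = hash_each_file(paths)
        return {
            "segments": len(paths),
            "combined": combined,
            "order_independent": shuffled == combined,
            "combined_matches_report": matches_report(combined, reported),
            "any_single_file_matches": any(matches_report(h, reported) for h in per_file.values()),
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Run it and only `combined_matches_report` is true: the ten per-segment hashes are all different from the report value, which is the behaviour the thread is describing when it says the hash belongs to the set "taken as a whole".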
(@rich2005)
Honorable Member
Joined: 19 years ago
Posts: 541
 

If you just want to ensure it is a true image, as you have E01 files, just look at the drive in report mode in EnCase. That's your check for verification. If the drive was imaged in EnCase, just check that the read errors are listed as 0 and that it lists as 'completely verified with 0 errors'. If it was imaged with something other than EnCase (such as FTKI) the read errors won't report there, and you'd need to look at the FTKI log (a text file produced with the E01 files).


   
ReplyQuote
(@jakeaw03)
Trusted Member
Joined: 17 years ago
Posts: 65
Topic starter  

Well, along with the image I have a report that was done from the EnCase image that shows the hash value and the error report. Since I didn't witness the imaging I need to verify that the hash in the report that accompanied the E0x files matches the hash after I load the image into EnCase.

So I add the E01 file to EnCase, wait for it to verify, then I can select the new image in the tree pane, then view the report in the view pane?

Is that correct?

Thanks


   
ReplyQuote
(@rich2005)
Honorable Member
Joined: 19 years ago
Posts: 541
 

Yeah, wait for it to finish verifying, then in the report view for that device look at the sections-
File Integrity
EnCase Version
Read Errors
CRC Errors
Missing Sectors
Total Sectors
(The EnCase version bit being to check if EnCase or another imager was used - if FTKI for example - read errors will be 0 even if there were read errors)
If you have a photo of the drive, you can compare the label for its total sectors to the total sectors listed by EnCase in this report view to verify what was taken was every sector.


   
ReplyQuote
(@mkel2000)
Eminent Member
Joined: 17 years ago
Posts: 24
 

Yeah, wait for it to finish verifying, then in the report view for that device look at the sections-

Actually, the Entries Folder in the Tree Pane must be highlighted to see the Acquisition and Verification Hashes in the View/Report pane. Highlighting the device in the Tree Pane will not give you this information, only the volume information for that volume.


   
ReplyQuote
(@rich2005)
Honorable Member
Joined: 19 years ago
Posts: 541
 

Yes… didn't say any different… I was presuming they were able to select their device from the view pane as I never mentioned the tree pane (hence view report for the device not volume).
(Although could have said the bottom EnCase report view to be absolutely clear I guess since it has the two report options)


   
ReplyQuote
Share: