E01 files

Files with the .E01 extension are EnCase forensic image files. EnCase Enterprise (EE) is a network-enabled, multi-platform enterprise investigation solution directed toward information security professionals, computer incident response teams (CIRTs), eDiscovery auditors and forensic examiners.

E01 Identification

First, you must identify that you have an EnCase image. If the media provided contains a series of files that all have the same name but different extensions, and the first one has the extension E01, then you have been provided with an EnCase image. After the “E01 file”, each file has the same name but a different extension, increasing in increments: E02, E03, etc.

Example

If the first file is called ExhibitA.E01, the second one will be ExhibitA.E02, and the third one will be ExhibitA.E03.

Regardless of how many files there are starting “ExhibitA” [or whatever the prefix is], if there is only one E01 file, there is only one image. The reason for the multiple files is that EnCase can split the image into chunks for ease of movement/storage.

Identifying the number of images

If the following files are on the media: Disk1.E01, Disk1.E02, Disk1.E03, Disk2.E01, Disk2.E02, Disk3.E04, that means there are two different images, Disk1 and Disk2.
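
An added example, not part of the original article: a Python sketch that applies the naming rule above to a file listing, counts images by their .E01 file, and additionally flags segment sets with no .E01 or with gaps in the numbering. The function names are illustrative, and only numeric extensions (E01 to E99) are handled.

```python
import re
from collections import defaultdict

# Matches "<name>.E01" .. "<name>.E99"; this sketch covers numeric segments only.
SEGMENT_RE = re.compile(r"^(?P<base>.+)\.E(?P<num>\d{2})$", re.IGNORECASE)


def group_segments(filenames):
    """Map each base name to the sorted list of segment numbers present."""
    groups = defaultdict(set)
    for name in filenames:
        m = SEGMENT_RE.match(name)
        if m and int(m.group("num")) >= 1:
            groups[m.group("base")].add(int(m.group("num")))
    return {base: sorted(nums) for base, nums in groups.items()}


def summarize(filenames):
    """Return (images, orphans).

    images maps each base name that has an .E01 to the segment numbers missing
    between E01 and the highest segment seen. A missing final segment cannot
    be detected from file names alone. orphans lists base names that have
    segments but no .E01 first file.
    """
    images, orphans = {}, []
    for base, nums in sorted(group_segments(filenames).items()):
        if nums[0] != 1:
            orphans.append(base)  # no E01, so not counted as an image
            continue
        expected = set(range(1, nums[-1] + 1))
        images[base] = sorted(expected - set(nums))
    return images, orphans


if __name__ == "__main__":
    # The listing from the text above, plus one constructed unrelated file.
    listing = ["Disk1.E01", "Disk1.E02", "Disk1.E03",
               "Disk2.E01", "Disk2.E02", "Disk3.E04", "notes.txt"]
    images, orphans = summarize(listing)
    print(f"{len(images)} image(s): {', '.join(images)}")
    for base, missing in images.items():
        if missing:
            print(f"  {base}: missing segments {missing}")
    for base in orphans:
        print(f"  {base}: segments present but no .E01 (incomplete set)")
```
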

Opening an E01 Image

EnCase images are not “raw” files and so cannot be easily opened; they need to be viewed with a suitable tool. The two best tools for this are EnCase and FTK Imager Lite. EnCase can only (legally) view an image with a full license, i.e. you have to pay for it (RRP £2,000 to £3,0000).

FTK Imager Lite, produced by AccessData, is free to use; it can also access EnCase images and allows you to browse through the data.

Other tools, such as MountImagePro, are also able to mount the files as a virtual drive. This allows the user to browse through the files and copy files off the image as if it were a drive. This does not give full forensic capability, and if you want to investigate data theft or the like, this is not the tool for you, but it does allow access to active files.

Disk-Imager is going to share more information about E01 files and E01 images.


