E01 File Forensics – Examining the Structure And Storage

Creative Team | July 7th, 2015 | Forensics

E01 files are forensic disk images in what is formally known as the Expert Witness Format. The file was introduced by EnCase from Guidance Software and was later adopted by a number of other disk imaging applications, such as FTK Imager. Its purpose is imaging seized data from a machine, hard drive, external storage media, etc., which is one of the major stages of digital forensics.

Forensic imaging is considered the most crucial stage of forensics. According to the norms of digital forensics, processing acquired evidence in its original form is not considered acceptable from a legal standpoint, as doing so carries a high risk of spoliation of evidence. Investigation processes, no matter how carefully executed, may leave traces on the data under litigation. Therefore, cloning or imaging the evidence in question is an extremely significant step toward maintaining the integrity and true state of the evidence while it is processed to extract evidentiary information.

E01 File Forensics – Role of EnCase Disk Image

The EnCase E01 file is a forensic file format used for imaging purposes. The file can store a variety of evidentiary contents, such as a disk image, i.e. the full bitstream of the seized disk, existing memory, volume images, and logical files. In addition, the Guidance Software-owned format contains a checksum for each block of the disk and a footer with an MD5 value for the complete bitstream. The format permits compression, reducing the number of image files generated after acquisition and imaging.

An Overview of Forensics and EnCase E01

Digital forensics is a wide arena with multiple branches dealing with data forensics, database forensics, email forensics, and every other type of electronic information storage; the term alone denotes the examination of every data type that stores information electronically. Therefore, EnCase 5, when launched, proved not to be as efficient as a forensic imaging tool must be. It was incapable of handling email data, which proved a major challenge for forensicators, given that most investigations rely on communications for evidence.

With the launch of EnCase 6, expectations for email handling grew higher, but the hurdle had not yet been removed entirely. That version of EnCase was still unable to deal effectively with email messages, i.e. support was provided, but only at a limited (minor) level and only for a small number of email types. Therefore, many other applications, including FTK Imager, came online offering the same imaging facilities and format (E01) but with enhanced capabilities. Later, however, EnCase made major advancements and has reached version 7.10, which even supports imaging tablet and smartphone storage.

Structural Analysis of E01 – Forensics of the Forensic Image File

Whichever application produces the E01 file, its structure remains the same. This section of E01 file forensics presents the output of a structural analysis of E01 that helps in understanding the file and the platform needed to examine it.

The disk image file stores whatever is found on the disk (external, internal, or removable), whether data files, databases, or even system files. The way an E01 file stores data makes it unique in its storage, structure, and accessibility.

One of the major peculiarities of E01 files is that only the file extension changes, not the original file name. Moreover, every chunk can store only 640 MB of data; once that limit is reached, the file extension changes while the structure remains in one piece (E01, E02, etc.).

Dissecting an E01 file:

  1. Every E01 image structure begins with the Header portion containing Case Information.
  2. A 64-sector block, 32 KB in size, acts as a separator between data blocks, and each is interlocked with a Cyclic Redundancy Check.
  3. Finally, the footer of the file contains the MD5 value of the data imaged within.
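To make the three-part layout concrete, here is an added Python example (not code from the article, EnCase, or FTK Imager) that models it: a header carrying case information, 64-sector (32 KB) blocks each followed by a CRC32, and an MD5 footer over the whole bitstream, plus a verifier that recomputes every check and reports exactly which block was altered. The byte layout, the field sizes, the use of zlib's CRC32, the case text, and the sample disk bytes are all assumptions constructed for illustration and are not the real EWF on-disk format.

```python
import hashlib
import struct
import zlib

# Simplified model of the layout described above (NOT the real EWF byte format):
# [4-byte header length][case info] [32 KB block + 4-byte CRC32] ... [16-byte MD5 footer]
SECTOR_SIZE = 512
CHUNK_SIZE = 64 * SECTOR_SIZE              # the 64-sector (32 KB) block between checks
CRC_SIZE, MD5_SIZE = 4, 16

CASE_INFO = "Case 2015-07 / Examiner: constructed sample"   # constructed, not a real case
RAW_DISK = bytes(range(256)) * 390 + b"END"                 # 99,843 constructed 'disk' bytes -> 4 blocks

def build_image(raw: bytes, case_info: str) -> bytes:
    """Pack raw disk bytes as header, CRC-protected blocks and an MD5 footer of the full bitstream."""
    info = case_info.encode("utf-8")
    out = bytearray(struct.pack(">I", len(info)) + info)
    for off in range(0, len(raw), CHUNK_SIZE):
        block = raw[off:off + CHUNK_SIZE]
        out += block + struct.pack(">I", zlib.crc32(block))
    out += hashlib.md5(raw).digest()
    return bytes(out)

def verify_image(image: bytes) -> dict:
    """Recompute every block CRC and the footer MD5; report the indexes of damaged blocks."""
    (info_len,) = struct.unpack(">I", image[:4])
    case_info = image[4:4 + info_len].decode("utf-8")
    body, footer_md5 = image[4 + info_len:-MD5_SIZE], image[-MD5_SIZE:]
    raw, bad_blocks, pos, index = bytearray(), [], 0, 0
    while pos < len(body):
        data_len = min(CHUNK_SIZE, len(body) - pos - CRC_SIZE)   # last block may be short
        data = body[pos:pos + data_len]
        (stored_crc,) = struct.unpack(">I", body[pos + data_len:pos + data_len + CRC_SIZE])
        if zlib.crc32(data) != stored_crc:
            bad_blocks.append(index)
        raw += data                      # rebuild the bitstream for the footer check
        pos += data_len + CRC_SIZE
        index += 1
    return {"case_info": case_info, "blocks": index, "bad_blocks": bad_blocks,
            "md5_ok": hashlib.md5(raw).digest() == footer_md5}

def flip_byte(image: bytes, offset: int) -> bytes:
    """Simulate one corrupted or altered byte in the image at the given offset."""
    buf = bytearray(image)
    buf[offset] ^= 0xFF
    return bytes(buf)

if __name__ == "__main__":
    image = build_image(RAW_DISK, CASE_INFO)
    print(verify_image(image))                                   # clean: no bad blocks, md5_ok True
    hdr = 4 + len(CASE_INFO.encode("utf-8"))
    print(verify_image(flip_byte(image, hdr + CHUNK_SIZE + CRC_SIZE + 10)))   # block 1 altered
```

A byte changed inside a data block trips both that block's CRC and the footer MD5, while a damaged CRC field alone is caught by the block check with the MD5 still matching, which is why the two layers of checks are kept together.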

Conclusion: This is how information is stored and arranged within an E01 file. The unique structure of an E01 file makes it dependent on the originating platform, i.e. EnCase or FTK Imager, on which the image has to be mounted in order to be viewed and interpreted. Thus, E01 file forensics is carried out in a similar manner owing to the format's proprietary structure and formatting.