Raw Image Digital Forensics – Fight Crimes, Unravel Incidents

MailXaminer | March 17th, 2020 | Forensics

SUMMARY: Mr. Jhon Thomas, an expert forensic examiner, has been working with a forensic investigation team. He was called to examine a Cybercrime scene, in which he found the raw data containing several image files. As a forensic investigation expert, he needs to do raw image digital forensics so, he analyzed all the files and extracts evidence with the help of advanced forensics tools. He also finds deleted or lost data, missing file fragments within the file, by forensic image analysis using the software.

What is Forensic Image Analysis?

Whenever, an investigator wants to investigate any digital device (like – computer, mobile, laptop, etc.), they need to document everything about that device. In digital forensics, investigators need to do something special for raw image file forensics. They create a 100% identical copy of the device by following some strict set of procedural rules, which is called “Imaging”.

Investigators can use several ways for creating a forensic copy of the device, but they need to remember one thing which is common in all the ways. The thing is that imaging must be write-protected. For this, they usually involve the write-blocker in the process. It is a device that enables the investigators to only read the device during forensic image analysis, but can not write or modify. Never, in any of the cases, it should be modified or changed.

Forensic Image File Types

There are basically two types of images that can be created during the raw image digital forensics process, i.e. Physical Image and Logical Image.

(A) Physical Forensic Image

A physical image is a complete copy of the content of a digital device, also called a bitstream copy. It involves the bit-by-bit copy of all areas of the storage device and it also includes the unallocated space area of the device. This kind of image also provides the data recovery for this copy of the file, it is like something that is not possible for the normal copy or cloning of the file.

(B) Logical Forensic Image

A logical image is normally a file system level image. When sometimes, the investigator fails to create the physical image, they create a logical image. It helps to image a certain folder (like- a user directory, user mailbox, etc.) within the file system. It is not able to capture any of the unallocated data within the file. Logical image creation in raw image digital forensics is the best way to capture the data only within the folder and nothing more.

Note: There is no way to recover deleted data within the logical image. In raw image file forensics, when it is suspected that users might be deleted the data, always prefer to create the Physical image of the device.

Forensic Image File Formats

While the imaging process, investigators have several options regarding the forensic image formats in which they want to store the image file. The raw image format in digital forensics is not really about to good or bad, but they actually depend on the preferences and the software that they are using for raw image digital forensics. Most common types of forensic image file formats that are offered by the software:

E01 –

It is the EnCase Evidence File image format, that is most commonly used in the imaging process. It creates a physical bitstream, copy of the file with enriched with metadata. The metadata includes Notes, Checksums, Case information, and the hash value of the file. E01 file forensics is better than other image file formats because it provides the option for compression and password protection.

DD –

It generally creates a bit-of-bit copy of the raw data file. The advantage with the .dd raw format image files is that they contain unmodified data of the source, and nothing else. These files are not stored any of the metadata like – using software/hardware, destination and source details, hash values, etc. Almost every tool can support these raw image file formats, even they are non-forensic software.

LEF (l01) –

Encase Logical Evidence Files (.l01) re usually created by the most efficient Encase forensic software. The LX01 file format in digital forensics is used to create an exact copy of the storage device without manipulating and influencing the original data in order to maintain the integrity and consistency of the data.


It is an archive forensic image format that supports lossless data compression without losing the originality of the data and files. In other words, we can say that ZIP is a collection of one or more files and folders that are compressed into a single file. It is easy to share and transport in the compressed form during the raw image digital forensics process.


DMG files are disk image files that are generally created by the Apple Mac OS X. It can be said that it is a digital reconstruction of the physical disk image file. DMG is the raw format image files that create files with the raw image format extension .dmg and used to store software installers in a compressed form instead of a complete physical disc.

Raw Image Format Digital Forensics

MailXaminer is one of the best Digital Forensic Tools that provides advanced functionalities for the raw image digital forensics investigation process. Most of the corporate investigation agencies, law firms, and law enforcement agencies using this raw image file forensics software to handle digital crime investigations. It provides an automated solution to non-forensic investigators to easily find the evidence from the files during forensic image analysis.

MailXaminer Allows Investigators To :

  • Access files from multiple sources.
  • Analyze the large volume of information case files.
  • The fast process to access and examine all data.
  • Easy recovery of deleted files, hidden system files, disc slacks, and unallocated clusters.
  • Automated structure to investigate complex tasks.
  • Generate detail reports during the process.
  • Supports 20+ file formats for examination.

Forensic Image Analysis Using MailXaminer

With the help of MailXaminer software, experts can examine documents with all the file formats in such images. The software enhanced to raw format image document support such as E01, LEF, DD, ZIP, and DMG. In raw image digital forensics, users can investigate these files and extract out the evidence from the files by using advanced features of the software.

Follow these simple steps to process the different kinds of image files with the software:

  • To add the file for scanning into the software, just click on the option “Add Evidence” at the main screen. Then a window will pop-up, now click on the “Image” tab.
Add File
  • This will show you all the available forensic image formats, just click the type of file that you are going to browse into the software. Then “Browse” the location of the file.
  • Before finally adding the file, just save the required settings by clicking on the “Scan Setting: Change” tab. Now check the box in front of “Loose Files”. After this, finally, click on “Add”.
  • The next screen will show you the preview of all the data file details stored within the raw image file. By right-clicking on email, it will provide many options as showing.
Preview Data
  • During forensic image analysis, users can preview the email with different views, can mark or remove email as a privilege for future purpose, an Export option available to export the required data, bookmark option, User can tag file or text with the file and option to export the email as KML.

Final Words

While in this write-up, it is just meant to make you know about the idea of what raw image digital forensics are and how these raw format image files analyze. A forensic image that is not created and analyzed properly might be created disastrous consequences during the jurisdiction. So, with this point, investigators should use trusted and reliable software for the raw image file forensics process.