How do I Access EnCase Files?

January 8, 2009 — 585

E01 Files

Sometimes people in IT or in law firms will come across EnCase files, that have been provided by forensics companies. The question they will often ask is “How do you open an EnCase image? A video guide on using Encase to open E01 files is available here

E01  Identification

Firstly you must identify that you have an EnCase image. If the media provided contains a series of files, which all have the same name, but difference extensions,  and the first one is has the extension E01, then you have been provided with an EnCase Image.  After the “E01 file” each file has the same name but a different extension, increasing in increments. E02, E03, etc.

Example

If the first file is called ExhibitA.E01, the second one will be ExhibitA.E02, and the third one will be ExhibtA.E03.

Regardless of how many files there are starting “ExhibitA” [or whatever the prefix is], if there is only one E01 files, there is only one image. The reason for the multiple files is that Encase can chunk up the image for ease of movement/storage.

Identifying the number of images

If the following files are on on the media  Disk1.E01, Disk1.E02, Disk1.E03, Disk2.E01, Disk2.E02, Disk3.E04 that means that there are two different images. Disk1 and Disk2.

Opening an E01 Image

EnCase images are not “raw” files and so can not be easily opened, they need to be viewed with a correct tool. The two best tools for this EnCase - which can only (legally) view an image with a full license  i.e. You have to pay for it (RRP £2,000 to £3,0000).

FTK Imager Lite, produced by AccessData which is free to use can also access EnCase images, and allow you to browse through the data.

Other tools, such as MountImagePro are also able to mount the files and virtual drive. This allows the user to browse through the files, can copy files off the image, as if it was a drive. This does not give full forensics capability, and if you want to investigate data theft or the like, this is not the tool for you. But does allow access to active files.

About these ads
Posted in 0 - Forensics, EnCase, Guides. Tags: , , . 5 Comments »

5 Responses to “How do I Access EnCase Files?”

  1. Devin Says:
    November 29, 2010 at 5:57 pm

    Great article, saved me a lot of time. Thanks.

    Reply
  2. Kurt Kugler Says:
    September 9, 2011 at 12:27 pm

    This was really helpful, but I have a case where the EnCase image is indeed split into four files xyz.e01 … xyz.e04. So far I have not been able to combine them into one image to work on, Any idea on how to accomplish this?

    Thanks in advance

    Kurt

    Reply
    • 585 Says:
      October 23, 2011 at 11:10 am

      Sorry for the huge delay in replying! Too late now I bet. You should be able to open the first and it then opens the rest automatically. What errors when you do this? i.e. what errors are you getting?

      Reply
  3. Anonymous Says:
    February 1, 2012 at 6:53 pm

    what about MAC?

    Reply
  4. 585 Says:
    April 5, 2012 at 5:52 am

    Sry – whats the question? Apple Mac, MAC address?

    Reply

Leave a Reply

Fill in your details below or click an icon to log in:

Gravatar
WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Cancel

Connecting to %s

«

»
Follow

Get every new post delivered to your Inbox.

Join 25 other followers

%d bloggers like this: