Forensics: What is an E01 File?

When EnCase is used to image a hard drive, CD, or USB drive it produces an image file(s), these files are known as “E01” files, as this is the extension of the primary EnCase image file.

The file name is provided by the users, e.g Drive1, A001, but the extension is automatically named E01.

Encase, by default, breaks the image file into 640mb chunks (this is for historical reasons to allow the image to fit onto multiple CDs). Therefore a standard 80 GB hard drive there will be numerous files (80,000 divided by 640 in total).

The EnCase image format handles these multiple files by changing the extension not the file name.

Example: If the first file in the sequence is A001.E01, then the following files will be

A001.E02, A001.E03, A001.E04, etc. Despite the changing extension the files are all of the same format, and when opening the the image through EnCase, by pointing at the first file, it will automatically look for the files in the same directory. Despite the changing extension the files are commonly referred to as “E01 files”

EnCase image format is based on the ASR Data Expert Witness Compression .

The image of hard drive, by Encase,  is a complete bit stream of the acquired media.

However, for security reasons the the E01 files contain additional information to prevent changes to the file.

The front of the first E01 file contains “Case Information” – this is information entered into EnCase, by the user, prior to imaging, e.g name of person, case name, description of media, etc, and information automatically created, e.g date/time, version of Encase used, operating system Encase is running on, etc. Then within an EnCase image, at every 32 KB (64 sectors – 1 sector is 512 bytes), there is a CRC checksum, i.e if there is an error within the 32K this will be detected by the CRC.

At the end of the image (i.e in the final E01) the MD5 value for the entire bit stream is stored.

Access Data’s imaging tool – FTK Imager can also produce Encase/E01 image files.


3 Responses to “Forensics: What is an E01 File?”

  1. Forensics: Do you need to wipe a drive before you image to it? « Data – Where is it? Says:

    […] most companies now create an image file or files (either an E01 or a DD) when collecting or preserving data. As these are files they cannont be stored on a […]

  2. Forensics: What is imaging? « Data – Where is it? Says:

    […] This is the next stage on from an a raw or DD file. In this case when a sector is written down it is not a case of 1 sector to 1 sector, this is for several reasons. Firstly, programs like EnCase allow for compression, this means that muple sectors are compresed into a single sector. This is most effective when imaging hard drives with a lot of blank data. This means that a very large drive can be compressed significantly, an example of this is the Eo1 image created for the NTFS quiz on this site. This is a 40 GB drive, that has been compressed down to a few hundred MB, using EnCase, because most of the drive is blank. In addition to the compression of image files, such as E01, put in a variety of check sums and security features todetect if the files have been tampered with. More information on the E01 file is avaiable here. […]

  3. Forensic Cloners « Data – Where is it? Says:

    […] Traditionally, cloners produced an exact copy of the hard drive “a clone”. This means they took one hard drive and put identical contents onto another hard drive. The second/destination drive could even replace the original hard drive in the hardware if necessary. Modern cloners can now produce other image formats with a DD or Raw images available. Currently the no hardware cloner produces an E01 image format. […]

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: