When EnCase is used to image a hard drive, CD, or USB drive it produces an image file(s), these files are known as “E01″ files, as this is the extension of the primary EnCase image file.
The file name is provided by the users, e.g Drive1, A001, but the extension is automatically named E01.
Encase, by default, breaks the image file into 640mb chunks (this is for historical reasons to allow the image to fit onto multiple CDs). Therefore a standard 80 GB hard drive there will be numerous files (80,000 divided by 640 in total).
The EnCase image format handles these multiple files by changing the extension not the file name.
Example: If the first file in the sequence is A001.E01, then the following files will be
A001.E02, A001.E03, A001.E04, etc. Despite the changing extension the files are all of the same format, and when opening the the image through EnCase, by pointing at the first file, it will automatically look for the files in the same directory. Despite the changing extension the files are commonly referred to as “E01 files”
EnCase image format is based on the ASR Data Expert Witness Compression .
The image of hard drive, by Encase, is a complete bit stream of the acquired media.
However, for security reasons the the E01 files contain additional information to prevent changes to the file.
The front of the first E01 file contains “Case Information” – this is information entered into EnCase, by the user, prior to imaging, e.g name of person, case name, description of media, etc, and information automatically created, e.g date/time, version of Encase used, operating system Encase is running on, etc. Then within an EnCase image, at every 32 KB (64 sectors – 1 sector is 512 bytes), there is a CRC checksum, i.e if there is an error within the 32K this will be detected by the CRC.
At the end of the image (i.e in the final E01) the MD5 value for the entire bit stream is stored.
Access Data’s imaging tool – FTK Imager can also produce Encase/E01 image files.