Sometimes people in IT or in law firms will come across EnCase files, that have been provided by forensics companies. The question they will often ask is “How do you open an EnCase image? A video guide on using Encase to open E01 files is available here
Firstly you must identify that you have an EnCase image. If the media provided contains a series of files, which all have the same name, but difference extensions, and the first one is has the extension E01, then you have been provided with an EnCase Image. After the “E01 file” each file has the same name but a different extension, increasing in increments. E02, E03, etc.
If the first file is called ExhibitA.E01, the second one will be ExhibitA.E02, and the third one will be ExhibtA.E03.
Regardless of how many files there are starting “ExhibitA” [or whatever the prefix is], if there is only one E01 files, there is only one image. The reason for the multiple files is that Encase can chunk up the image for ease of movement/storage.
Identifying the number of images
If the following files are on on the media Disk1.E01, Disk1.E02, Disk1.E03, Disk2.E01, Disk2.E02, Disk3.E04 that means that there are two different images. Disk1 and Disk2.
Opening an E01 Image
EnCase images are not “raw” files and so can not be easily opened, they need to be viewed with a correct tool. The two best tools for this EnCase – which can only (legally) view an image with a full license i.e. You have to pay for it (RRP £2,000 to £3,0000).
FTK Imager Lite, produced by AccessData which is free to use can also access EnCase images, and allow you to browse through the data.
Other tools, such as MountImagePro are also able to mount the files and virtual drive. This allows the user to browse through the files, can copy files off the image, as if it was a drive. This does not give full forensics capability, and if you want to investigate data theft or the like, this is not the tool for you. But does allow access to active files.