E01 File Viewer
When EnCase software is used to image a hard drive under investigation, the generated data is stored in files known as E01 files. E01 is the file extension used to designate EnCase image files. During the disk imaging process, a physical stream of data is produced. When EnCase images the hard drive, the data is divided into chunks of 640 MB each. The base file name stays the same across the files created; only the file extension changes. For example, if the first data chunk of 640 MB is named “A01.E01”, the next chunk will be named “A01.E02”, then “A01.E03” and so on.
More About E01 Files
In order to investigate the image files with an E01 file viewer, it is necessary to be familiar with the basic structure of E01 files:
The header of an EnCase file contains the information related to the case. The following details must be entered in EnCase at the time of disk imaging:
- Investigator’s name
- Case description
- Description of media from which the evidence is collected
- Date and time of EnCase image creation
- Version of EnCase
- Operating system currently in use
The CRC checks for any errors present in the E01 file, to make sure that no changes have been made to the original data.
- Data Blocks
The data chunks of an E01 file are divided into 32 KB blocks, and a CRC is embedded between these blocks to check the consistency of the data.
The footer of the E01 file contains an MD5 hash value of the data stored in the file. If the MD5 value of the image is found to be different from the MD5 value of the file created by another tool, it becomes clear that the image has been tampered with.
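The two integrity layers described above can be seen side by side in the following added example, which is not EnCase code and does not parse real E01 files. It builds a toy container with the same layout (32 KB blocks, each followed by a checksum, then an MD5 footer over the data); the function names, the 4-byte little-endian checksum field and the use of Adler-32 as the per-block check are assumptions of this sketch.

```python
import hashlib
import struct
import zlib

BLOCK_SIZE = 32 * 1024   # 32 KB data blocks, as described above
CHECK_LEN, MD5_LEN = 4, 16
STRIDE = BLOCK_SIZE + CHECK_LEN  # one full block plus its checksum


def build_image(data: bytes) -> bytes:
    """Toy container: [block][4-byte checksum] ... then a 16-byte MD5 footer."""
    out = bytearray()
    for off in range(0, len(data), BLOCK_SIZE):
        block = data[off:off + BLOCK_SIZE]
        # Assumption: Adler-32 stands in for the per-block "CRC".
        out += block + struct.pack("<I", zlib.adler32(block))
    return bytes(out) + hashlib.md5(data).digest()


def verify_image(image: bytes):
    """Return (indexes of blocks whose checksum fails, footer MD5 matches)."""
    if len(image) < MD5_LEN:
        raise ValueError("image is shorter than the MD5 footer")
    body, footer = image[:-MD5_LEN], image[-MD5_LEN:]
    bad, md5, off, index = [], hashlib.md5(), 0, 0
    while off < len(body):
        end = min(off + BLOCK_SIZE, len(body) - CHECK_LEN)  # last block may be short
        if end <= off:
            raise ValueError(f"block {index} is truncated")
        block = body[off:end]
        (stored,) = struct.unpack("<I", body[end:end + CHECK_LEN])
        if zlib.adler32(block) != stored:
            bad.append(index)
        md5.update(block)
        off, index = end + CHECK_LEN, index + 1
    return bad, md5.digest() == footer


def flip_byte(image: bytes, pos: int) -> bytes:  # simulate damage: invert one byte
    return image[:pos] + bytes([image[pos] ^ 0xFF]) + image[pos + 1:]


# Constructed sample: 100 KB of patterned data -> three full blocks, one short.
SAMPLE = bytes(range(256)) * 400

if __name__ == "__main__":
    image = build_image(SAMPLE)
    for pos in (2 * STRIDE + 10, STRIDE + BLOCK_SIZE):
        print(pos, verify_image(flip_byte(image, pos)))
```

A damaged data byte fails both the block check and the footer MD5, while damage confined to a stored checksum fails only that block's check: the block checks localize a problem, and the footer hash answers whether the acquired data as a whole is unchanged.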
Performing Analysis Of E01 Files Using E01 File Viewer
E01 files are an important source of information for a forensic investigator. These files can only be viewed with EnCase, and if the EnCase platform is not available, these files are useless. Therefore, when forensicators do not have access to EnCase, they can deploy third-party tools like E01 file reader.
- Operating System Supported: Windows 8.1 and below Windows versions
- Processor: 1GHz
- RAM: 512 MB
- Hard Disk Space: 15 MB
E01 file reader provides a platform to view E01 files in the absence of EnCase and gives a preview of the entire data stored in the file. Being a standalone application, it does not require EnCase and hence lets forensicators extract data from E01 files without any issue.