AccessData FTK Imager raw image format extension.

Post Posted: Sat Dec 08, 2018 6:20 pm

I think this is a simple question, I am not getting anything from Google searches about it though.

Are .001 and .dd files the same thing? When I use FTK Imager to convert a .E01 file into a RAW file in order to use it in other applications it gives it the .001 file extension. I thought this should be .dd. Can I just manually change the file extension from .001 to .dd?

Below is the FTK Imager report in case any of that info is important to the question:


Case Information:
Acquired using: ADI4.1.1.1
Case Number: CIS445-Final
Evidence Number: 001-pc
Unique Description:
Examiner: Chris Kincaid
Notes:

--------------------------------------------------------------

Information for D:\EncaseFiles002\final problem\RAW002\cfreds_2015_data_leakage_pc:

Physical Evidentiary Item (Source) Information:
[Device Info]
Source Type: Physical
[Verification Hashes]
MD5 verification hash: a49d1254c873808c58e6f1bcd60b5bde
SHA1 verification hash: afe5c9ab487bd47a8a9856b1371c2384d44fd785
[Drive Geometry]
Bytes per Sector: 512
Sector Count: 41,943,040
[Image]
Image Type: E01
Case number: 0x11
Evidence number: 0x01
Examiner: dForensics_Team
Notes: data_leakage_case
Acquired on OS: Windows 7
Acquired using: 7.10
Acquire date: 4/23/2015 10:58:22 AM
System date: 4/23/2015 10:58:21 AM
Unique description: cfreds_2015_data_leakage_pc
Source data size: 20480 MB
Sector count: 41943040
[Computed Hashes]
MD5 checksum: a49d1254c873808c58e6f1bcd60b5bde
SHA1 checksum: afe5c9ab487bd47a8a9856b1371c2384d44fd785

Image Information:
Acquisition started: Sat Dec 8 17:46:41 2018
Acquisition finished: Sat Dec 8 17:56:20 2018
Segment list:
D:\EncaseFiles002\final problem\RAW002\cfreds_2015_data_leakage_pc.001  

chriskincaid
Newbie

Re: AccessData FTK Imager raw image format extension.

Post Posted: Sun Dec 09, 2018 1:01 am

- chriskincaid
When I use FTK Imager to convert a .E01 file into a RAW file in order to use it in other applications it gives it the .001 file extension. I thought this should be .dd.


'Raw (dd)' is the Destination Image Type. The extension used for those images is .001, .002, .003, ... and so on, depending on the Image Fragment Size.

FTK Imager is not at all confident about file names and file name extensions. If you give the destination image the same file name (excluding extension) as a file in the same catalogue, you'll get a warning that you may overwrite a file in the destination directory. That is, the tool that should know if that happens or not only tells you that it may happen. And nowhere in the dialogue box sequence does it tell you what file name extension will be used. Very irritating.

Can I just manually change the file extension from .001 to .dd?


Sure. (Added: If you have any kind of paper trail saying that xxx.001 was your output file, you better keep that extension. Or you add your own trail piece that says that you have renamed it. Otherwise the absence of a .001 file and the presence of a .dd file might be considered suspicious.)  

athulin
Senior Member

Re: AccessData FTK Imager raw image format extension.

Post Posted: Sun Dec 09, 2018 10:40 am

Re-reading my question, I feel I need to explain that I totally understand a file extension and a format are not the same thing. I was concerned that .001 and .dd were actually indicators of different RAW formats, but after some reading and some poking around figured out they appear to be the same thing. One is more Windows, and the other is more Linux, but they both may show up in either.

- athulin
Sure. (Added: If you have any kind of paper trail saying that xxx.001 was your output file, you better keep that extension. Or you add your own trail piece that says that you have renamed it. Otherwise the absence of a .001 file and the presence of a .dd file might be considered suspicious.)


This being a popular assignment given in forensic classes, I was able to find an exact copy online and download it on my forensic system. It had the .dd extension. Because it is a large file, I was also having trouble moving it over the internet as I am having to work from home and log in to my system through TeamViewer.

Searching Google for your evidence file would obviously never be a solution in a real world situation. My paper trail is also make-believe, so I have the freedom to write it as I like without any real implications. I do hope to do this type of work in the real world someday very soon, so I seriously appreciate the paper work trail comment. That is obviously extremely important, and, just as obviously, is not being considered enough in my course setting. We do not even have a chain of custody log or anything.

Thank you for the reply!  

chriskincaid
Newbie

Re: AccessData FTK Imager raw image format extension.

Post Posted: Sun Dec 09, 2018 12:04 pm

They are the same, there is no such thing as more windows/linux and a RAW image is not a brand's (AccessData) property.
_________________
"Simplicity is the ultimate sophistication." 

calimelo
Senior Member

Re: AccessData FTK Imager raw image format extension.

Post Posted: Sun Dec 09, 2018 1:02 pm

- calimelo
They are the same, there is no such thing as more windows/linux and a RAW image is not a brand's (AccessData) property.

Exactly :)

And I would add how specifically RAW is not a "format", on the contrary it is essentially a non-format, a RAW image represents byte by byte the contents of the *whatever* was imaged.

It could be a floppy, or a whole hard disk or only a volume/partition but - besides the source device nature - its contents may be *anything*.

I.e. normally a whole hard disk image has as first sector either an MBR code and a partition table or a 00ed code and a single protective MBR entry (GPT disk), both terminated by last bytes 55AA.

As well, an image of a floppy or of a volume/partition would normally as well have as first sector a bootsector (or PBR/VBR) as well terminated by last bytes 55AA.

But nothing prevents you from directly writing, starting from LBA0, the whole Bible or the commented works of Shakespeare[1] on a hard disk.

When you examine the RAW image of that disk, it won't be recognized by *any* automagical tools; opening it in a hex editor may help you understand what the contents are.

jaclaz

[1] which:

That which we call a rose. By any other name would smell as sweet.

could well be paraphrased:

That which we give an extension of .dd or .001 or .mickeymouse. By any other extension remains a RAW image (if it is a RAW image).
_________________
- In theory there is no difference between theory and practice, but in practice there is. - 

jaclaz
Senior Member
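As an added illustration of the point made in the post above (example code written for this page, not from the thread, from jaclaz, or from AccessData): a Python check that reads only the first sector of a raw image, ignores the extension entirely, and reports whether it carries a classic MBR, the protective MBR of a GPT disk, a volume boot record, or nothing it recognises. The sample sectors are constructed in the block; the partition-table and OEM-name heuristics are assumptions of this example, not part of any tool's logic.

```python
import struct

SECTOR = 512

def _partition_entries(sector: bytes):
    """Used MBR entries as (type, start_lba, count), or None when offset 446 holds no table."""
    used = []
    for i in range(4):
        e = sector[446 + 16 * i: 462 + 16 * i]
        if not any(e):
            continue                                   # empty slot
        start_lba, count = struct.unpack_from("<II", e, 8)
        if e[0] not in (0x00, 0x80) or e[4] == 0 or count == 0:
            return None                                # looks like VBR boot code, not a table
        used.append((e[4], start_lba, count))
    return used

def classify_first_sector(sector: bytes) -> str:
    """Describe the first 512 bytes of a raw image; the file extension plays no part."""
    if len(sector) < SECTOR:
        return "short read: fewer than 512 bytes"
    if sector[510:512] != b"\x55\xAA":
        return "no 55AA signature: not an MBR or boot sector, open it in a hex editor"
    table = _partition_entries(sector)
    if table and len(table) == 1 and table[0][0] == 0xEE:
        return "protective MBR (GPT disk)"
    if table:
        return "MBR with %d partition entr%s" % (len(table), "y" if len(table) == 1 else "ies")
    if sector[0] in (0xEB, 0xE9) and all(0x20 <= b < 0x7F for b in sector[3:11]):
        return "volume boot record, OEM name " + sector[3:11].decode("ascii").strip()
    return "55AA present but no partition table or OEM name: check by hand"

def classify_image(path: str) -> str:
    """Read only the first sector of an image file (.dd, .001, anything) and classify it."""
    with open(path, "rb") as f:
        return classify_first_sector(f.read(SECTOR))

def sample_sector(kind: str) -> bytes:
    """Constructed first sectors for trying the classifier; not taken from any real image."""
    sec = bytearray(SECTOR)
    if kind == "mbr":    # one bootable partition of type 0x07 (NTFS/exFAT) at LBA 2048
        struct.pack_into("<B3sB3sII", sec, 446, 0x80, b"\0\0\0", 0x07, b"\0\0\0", 2048, 40960)
    elif kind == "gpt":  # single protective entry of type 0xEE covering the whole disk
        struct.pack_into("<B3sB3sII", sec, 446, 0x00, b"\0\0\0", 0xEE, b"\0\0\0", 1, 41943039)
    elif kind == "vbr":  # NTFS boot sector: jump instruction, OEM name, no partition table
        sec[0:11] = b"\xEB\x52\x90NTFS    "
    elif kind == "text": # prose written straight to LBA 0: no 55AA signature at all
        return (b"That which we call a rose by any other name would smell as sweet. " * 8)[:SECTOR]
    sec[510:512] = b"\x55\xAA"
    return bytes(sec)
```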

Re: AccessData FTK Imager raw image format extension.

Post Posted: Sun Dec 09, 2018 10:33 pm

A paper trail for the renaming is easy, and if someone is worried about their paper notes being insufficient, then in a Linux terminal perform a hash of the source .001 file, use the copy (cp) command and just send it to the same filename but with a .dd extension instead of .001 (example $ cp File.001 File.dd) and then hash the resulting file. Both should match. You can then just take a screen shot of the commands or use a logging command like Script to output the terminal input and output to a file in conjunction. This can be done on Windows or Mac with their versions of the command.

Realistically though just creating an additional working copy of the disk image with plain old copy/paste and then renaming it, then documenting the hashes remain the same in your notes, should be sufficient.  

williamtporter
Newbie
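The hash, copy, hash, log procedure described in the post above, as added example code (not from the thread or from williamtporter): Python in place of cp and script, refusing to overwrite an existing file and appending a verification record with both digests from the FTK Imager report. The sample .001 segment is constructed in a temporary directory; the record format is this example's own choice.

```python
import hashlib
import os
import shutil
import tempfile
from datetime import datetime, timezone

def hash_file(path: str, algos=("md5", "sha1")) -> dict:
    """Hash a file in 1 MiB chunks; md5 and sha1 are the digests the FTK Imager report lists."""
    hashers = {a: hashlib.new(a) for a in algos}
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            for h in hashers.values():
                h.update(chunk)
    return {a: h.hexdigest() for a, h in hashers.items()}

def copy_with_new_extension(src: str, new_ext: str = ".dd", logfile: str = None):
    """Copy src to the same name with new_ext, hash source and copy, append a record to
    logfile. Returns (dst, hashes_of_copy, matched). Never overwrites an existing file."""
    dst = os.path.splitext(src)[0] + new_ext
    if os.path.exists(dst):
        raise FileExistsError(dst)
    before = hash_file(src)
    shutil.copyfile(src, dst)
    after = hash_file(dst)
    matched = before == after
    record = "%s copy %s -> %s\n" % (datetime.now(timezone.utc).isoformat(), src, dst)
    for algo in before:
        record += "  %s source=%s copy=%s\n" % (algo, before[algo], after[algo])
    record += "  result=%s\n" % ("MATCH" if matched else "MISMATCH")
    if logfile:
        with open(logfile, "a") as log:
            log.write(record)
    return dst, after, matched

def demo() -> dict:
    """Constructed sample: a tiny fake .001 segment in a temp dir, copied to .dd and logged."""
    workdir = tempfile.mkdtemp()
    src = os.path.join(workdir, "sample_image.001")
    with open(src, "wb") as f:
        f.write(b"\x00" * 510 + b"\x55\xAA" + b"constructed image body\n" * 2000)
    logfile = os.path.join(workdir, "rename.log")
    dst, hashes, matched = copy_with_new_extension(src, ".dd", logfile)
    with open(logfile) as f:
        log_text = f.read()
    return {"src": src, "dst": dst, "hashes": hashes, "matched": matched, "log": log_text}

if __name__ == "__main__":
    print(demo()["log"])
```

The log file is the "paper trail" piece: it records both file names, both digests and the comparison result, so the absence of a .001 and presence of a .dd is explained in the notes.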