Notifications
Clear all

Optimum E01 split

7 Posts
4 Users
0 Likes
1,424 Views
(@mrmoo28)
Posts: 16
Active Member
Topic starter
 

Hi all,

Just wondering if there was an optimum E01 file split size? In a previous company, we were instructed to set the E01 split at 2000/2048MB, however in my current company the standard seems to be to split at 1024MB.

Is there any optimum, or what factors are to be considered when deciding what size to split at? Or…. does it not really make much difference?

Thanks!

 
Posted : 06/11/2014 5:20 pm
keydet89
(@keydet89)
Posts: 3568
Famed Member
 

Why split at all?

 
Posted : 06/11/2014 5:48 pm
(@mrmoo28)
Posts: 16
Active Member
Topic starter
 

Why split at all?

Good question too - when I worked in eDiscovery in my previous job, we'd be splitting the E01s at acquisition, however when creating an L01 (or AD1 in some cases) for ingest into Nuix for data processing, we would ensure that it wasn't split at all!

Any further comments would be appreciated, just to satisfy my curiosity.

 
Posted : 06/11/2014 6:31 pm
4n6art
(@4n6art)
Posts: 208
Reputable Member
 

I'm with KeyDet. Why split it?

The split option if I am not mistaken was when we did not have big-b**t flash and hard drives so they could be burned to removable media. If you do not have a specific need to split your E01x I would keep it as one big file.

-=Art=-

 
Posted : 06/11/2014 8:40 pm
(@mrmoo28)
Posts: 16
Active Member
Topic starter
 

Are there overheards then as a result of splitting the files? Say read access in EnCase, would it significantly improve if it's just one large file?

Thanks

 
Posted : 06/11/2014 8:52 pm
keydet89
(@keydet89)
Posts: 3568
Famed Member
 

I'm not looking so much at performance/overhead, as simply the reason for splitting files in the first place.

I know that this used to be something that folks would do, particularly LE, as the images would be split into whatever the current serviceable size for CDs or DVDs might be. However, given the cost of storage, I'm not really sure that's much of an issue any longer.

I tend to go with a single raw/dd format file whenever I can, for simplicity sake and because it gives me the greatest possible range of compatibility.

 
Posted : 06/11/2014 10:32 pm
(@c-r-s)
Posts: 170
Estimable Member
 

It's handy for any sort of portability using space on smaller hard drives and network transfers which do not support resuming connections.
Let's say your network protocol supports resuming Afterwards, the hash may indicate that your file is broken anyway - a 4 TB image, not one of more than 1.000 split files. The required hashing (file based, not image vs. source, of course) breaks down to individual split files, too.

 
Posted : 06/11/2014 11:12 pm
Share: