E01 Image format / tools


JimC
Senior Member
 

Re: E01 Image format / tools

Posted: Nov 28, 19 14:34

- mscotgrove
If you really want reverse sector order, why not just read the .E01 file in reverse? As with others who have replied, I do not understand the requirement.


I think the point of my original question has got somewhat lost along the way. This is my fault because when I first asked, I didn't understand the limitations of the E01 format. There may be (rare) occasions when a reverse image is necessary but this is actually not relevant to my question which I think I can answer myself now.

The problem appears to be the limitations of the E01 format itself:

- JimC

1. The image starts at sector zero - You can create an image of either a physical disk or a single partition but the image itself doesn't record the starting sector.

2. It is implicit that the E01 data chunks are stored in ascending order - Although there is a little wriggle room here because although the "tables" section assumes the data chunks are in ascending order they can actually be stored out of order in the "sectors" section (used by more recent imaging tools)

3. The data chunks each represent a fixed size (typically 32KB) and, whilst they can be compressed, they must all be present. e.g. The E01 format doesn't seem to support any kind of 'sparse' storage. This seems like a huge oversight since many drives will contain a significant amount of unused storage.

I think this "wriggle room" could be used to create a backwards image but would be limited in practice because the E01 file is typically split into segments (e.g. 2GB or 4GB) and each segment has the same assumption that it contains data chunks in ascending order.


Yes, you can work around this limitation by creating a "DD" image first. Sometimes this may be necessary. No, reading the E01 image backwards misses the point - the question was could the image be created in reverse. Based on the above limitations, I think the answer must now be no it cannot. This has nothing to do with if this technique would be useful or why it may help - rather it boils down to a limitation in the E01 format.

Jim

www.binarymarkup.com  
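
A simplified model of points 1 and 2 in the post above, added here as an illustration and not part of any post in the thread. It assumes a table of 4-byte little-endian entries whose top bit flags compression and whose stored chunk size is the gap to the next offset; the function names and sample offsets are constructed.

```python
import struct

CHUNK_SECTORS = 64        # 64 x 512-byte sectors = the typical 32 KB chunk
COMPRESSED = 0x80000000   # assumed layout: top bit of an entry flags compression

def chunk_map(table: bytes, base: int, end: int):
    """Return (first_sector, file_offset, stored_size, compressed) per chunk.

    An entry holds only a file offset. The sector address is implied by the
    entry's index (so chunk 0 is always sector 0) and the stored size is the
    distance to the next offset, which only works if offsets ascend.
    """
    raw = struct.unpack("<%dI" % (len(table) // 4), table)
    offsets = [base + (e & 0x7FFFFFFF) for e in raw]
    chunks = []
    for i, off in enumerate(offsets):
        nxt = offsets[i + 1] if i + 1 < len(offsets) else end
        if nxt <= off:
            raise ValueError("chunk %d: next offset %d is not after %d" % (i, nxt, off))
        chunks.append((i * CHUNK_SECTORS, off, nxt - off, bool(raw[i] & COMPRESSED)))
    return chunks

# Constructed sample: four chunks written in ascending order, data ending at 67944.
FORWARD = struct.pack("<4I", 1000, 33772 | COMPRESSED, 34672, 67444 | COMPRESSED)
# Same four chunks written last-first, as a reverse acquisition would emit them,
# while the table stays indexed by logical chunk number.
REVERSED = struct.pack("<4I", 35172, 34272 | COMPRESSED, 1500, 1000 | COMPRESSED)

def describe(table: bytes, end: int = 67944) -> str:
    """Render the chunk map, or the reason the table cannot be interpreted."""
    try:
        return "\n".join("sector %4d  offset %6d  size %6d  compressed=%s" % c
                         for c in chunk_map(table, 0, end))
    except ValueError as exc:
        return "unreadable: %s" % exc

if __name__ == "__main__":
    print(describe(FORWARD))
    print(describe(REVERSED))
```

Nothing in an entry says which sector a chunk belongs to, so the first entry can only ever mean sector 0, and the reversed layout fails at the first size calculation.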
 
  

jaclaz
Senior Member
 

Re: E01 Image format / tools

Posted: Nov 28, 19 18:41

- JimC
This has nothing to do with if this technique would be useful or why it may help - rather it boils down to a limitation in the E01 format.


Sorry, but I am not following (or I am not understanding) you.

It seems to me like being "out of scope" for the format, or at least I am understanding "limitation" as something that should be there but isn't.

The only reason (AFAIK/AFAICU) why you image (with a "plain" dd) in reverse is when - for *whatever reasons* - imaging forward doesn't work/doesn't proceed (i.e. you have somehow defective media in your hands).

This implies that there are very good chances of missing/unreadable (filled with 00's in the image) sectors, so - provided that the idea of an E01 is to have a hashed (and rehashable) exact, complete, "perfect" image of the source "as is" - it doesn't seem to me like a "limitation".

jaclaz
_________________
- In theory there is no difference between theory and practice, but in practice there is. - 
 
  

JimC
Senior Member
 

Re: E01 Image format / tools

Posted: Nov 29, 19 08:59

- jaclaz
It seems to me like being "out of scope" for the format, or at least I am understanding "limitation" as something that should be there but isn't.


Yes, that is now my understanding. I (wrongly) assumed E01 could be used to directly store a reverse image. After more research, it looks like it cannot because of the inherent assumptions/limitations in the format. These could be worked around by creating a raw image first or by a lot of data processing but underneath the fact remains E01 must store data in ascending sector order and, apparently, does not store the starting sector inside the image. I'm surprised I didn't spot this until now but every day you learn something new.

Jim

www.binarymarkup.com  
 
