How can I convert an E01 image file to a dd image file?


I'm working on forensics tools and I have an EnCase E01-type image file. I would like to analyze this image using other tools. However, tools such as tsk_recover don't accept the E01 file type as input. So, I need to convert the E01 image file to dd format without any alteration.

There are 4 best solutions below

0
On BEST ANSWER

tsk_recover (and all of The Sleuth Kit and Autopsy tools) support E01 if you compile it with libewf (http://sourceforge.net/projects/libewf/). If you want the raw image though, libewf has tools to do the conversion and you can use 'img_cat' in TSK to do it (but it requires you to have compiled in libewf).

0
On

You can use xmount to virtually convert the E01 file to a raw image file. You can then already read it as a raw image without actually consuming disk space for the raw image. If you need the raw image as a physical file, you can then just copy the virtual file to where you need it.

Example:

  1. Create a directory for the virtual raw image:

    mkdir /tmp/mnt
    
  2. Mount the E01 file virtually as a raw image file:

    xmount --in ewf --out raw image.e01 /tmp/mnt
    
  3. You can now work with the virtual raw image or copy it away:

    cp /tmp/mnt/image.dd /to/somewhere/else/image.dd
    
  4. Unmount the virtual raw image:

    umount /tmp/mnt
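
The question asks for a conversion "without any alteration". As an added example (not part of the original answer), this shell function performs the copy from step 3 and checks that the copy is bit-identical to the mounted image, optionally also against an MD5 you supply from the acquisition record. The function names and the optional hash argument are assumptions of this example; `md5sum` and `sha256sum` are the GNU coreutils tools.

```shell
#!/bin/sh
# Added example, not from the original answer.
# Usage (source path is the one used in the steps above; destination is hypothetical):
#   copy_verified /tmp/mnt/image.dd /cases/image.dd [md5-recorded-at-acquisition]

# Print the hex digest of a file. $1 = md5 | sha256, $2 = path.
image_digest() {
    case "$1" in
        md5)    md5sum "$2" | cut -d' ' -f1 ;;
        sha256) sha256sum "$2" | cut -d' ' -f1 ;;
        *)      echo "unsupported algorithm: $1" >&2; return 2 ;;
    esac
}

# Copy SRC to DST and verify the result.
# Returns 0 when verified, 1 on a hash mismatch, 2 on a usage or I/O problem.
copy_verified() {
    cv_src=$1; cv_dst=$2; cv_expected=${3:-}
    if [ ! -r "$cv_src" ]; then echo "cannot read $cv_src" >&2; return 2; fi
    # Never silently replace an existing evidence file.
    if [ -e "$cv_dst" ]; then echo "refusing to overwrite $cv_dst" >&2; return 2; fi

    cv_before=$(image_digest sha256 "$cv_src")
    cp -- "$cv_src" "$cv_dst" || return 2
    cv_after=$(image_digest sha256 "$cv_dst")
    if [ -z "$cv_before" ] || [ "$cv_before" != "$cv_after" ]; then
        echo "MISMATCH: copy differs from mounted image" >&2; return 1
    fi

    # Optional: compare with the MD5 recorded when the E01 was acquired.
    if [ -n "$cv_expected" ]; then
        cv_want=$(printf '%s' "$cv_expected" | tr 'A-F' 'a-f')
        if [ "$(image_digest md5 "$cv_dst")" != "$cv_want" ]; then
            echo "MISMATCH: MD5 differs from acquisition hash" >&2; return 1
        fi
    fi

    chmod a-w "$cv_dst"   # mark the verified copy read-only
    echo "verified sha256=$cv_after"
}
```

On a mismatch the copy is left in place for inspection; the non-zero return code is what a calling script should act on.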
    
0
On

I personally prefer using the winpmem tool for this.

The syntax is very simple:

    winpmem_v3.3.rc3.exe -i $Source -o $Target --volume_format aff4

  • -i = input
  • -o = output
  • --volume_format = output format

You can convert images into as many of the available memory formats as you like.

Merging files can also be performed:

    winpmem_v3.3.rc3.exe -i $Source1[whatever format raw, dd, etc]  -i $Source2 -o $Target --format raw

0
On

FTK Imager from AccessData (http://accessdata.com/product-download) is a free tool that can do many things with several evidence file formats (E01, DD, and AD1), including mounting them logically and converting them to different formats.

You can use it to convert an E01 image to a DD image by:

  • Opening the E01 with FTK Imager
  • Right-clicking on the E01 file in the left 'Evidence Tree'
  • Selecting 'Export Disk Image'
  • 'Add' Image Destination
  • Select 'Raw (dd)' in the popup box, and finish the wizard
  • Hit start and wait for it to finish, then you'll have your DD image