In recent years, E01 file format has become the de facto standard format for forensic purposes due to its ability to store not only a physical or logical copy of a source drive, but also case and evidence details. E01 file can also contain both MD5 and SHA-1 hashes. And it is considered a good practice among forensic specialists to calculate both hashes while imaging the evidence so that they are included in the E01 file.
To image a source evidence drive to an E01 file you have to add a new target file.
Selecting a new E01 file
1. In Imaging category of the left-side menu you can click on Create New Session link and in the Target Device Selection window click on Add Image File link.
2. In the Image File Selection window select E01 file extension in the drop-down menu to create an image file with this extension and type the name you prefer in the File Name field.
3. Fill out all the relevant fields in the Image File Options window (you can also do it later in the Home page of the file when it is created):
4. Click on Select button in the Target Device Selection window.
As a result you get is an E01 file with current 0 bytes capacity created (its final capacity will be defined by the amount of imaged data it contains plus the metadata).
Imaging & calculating the hashes
- Go to Imaging category of the left-side menu and click on Create New Session link
- In Preset line click on the Show settings link
- In Passes and Hash tab check the Hash source during imaging box
- In Hash method drop-down menu select Linear
- In Hash type drop-down menu select MD5 and SHA-1
- Click on Start imaging button
Upon completion of imaging, you will see both MD5 and SHA-1 hashes indicated in Imaging Results page:
The post Imaging a Source Drive to an E01 File with a Double Hash appeared first on Official Atola Technology Blog.