
Repair & Recover E01 File (EnCase Legacy Evidence File)


This article explains what an E01 file is, how it is structured, how it is used, and how to check and repair a damaged E01 file so that the acquisition it holds can be opened again.

What is an EnCase E01 File (Legacy Evidence File)?


An E01 file, also called a Legacy Evidence File, is a sector-by-sector copy of a logical volume or a physical device, stored in EnCase's Expert Witness Format (EWF). The current EnCase format is .Ex01 (introduced with EnCase 7), which adds built-in encryption; E01 is the older format that most forensic tools still read.

Besides the acquired content itself, an EnCase evidence file stores case metadata and the device-level hash computed during acquisition, which is what later verification is compared against. To open one in EnCase Forensic Imager, drag and drop the .E01 or .Ex01 file onto the Forensic Imager GUI to add it to the open case. The rest of this article describes the layout of an E01 file and how that layout is used to check and repair a damaged Legacy Evidence File.


Logic Behind E01 File Segments


An E01 file is, in effect, a backup of the acquired evidence. When an examiner uses EnCase to acquire a hard disk, the tool reads the disk as one stream of data and writes it out as an image; this process is known as disk imaging. By default EnCase splits the output into segments of 640 MB (the segment size is configurable), which is why an acquisition usually consists of several E01 files. Each segment keeps the same base file name; only the extension changes.

For instance, if the first segment is created as abc.E01, the next 640 MB goes into abc.E02, then abc.E03, abc.E04, and so on.


Note: Although the extension changes from segment to segment (abc.E02, abc.E03, abc.E04, ...; after abc.E99 the numbering continues as abc.EAA, abc.EAB and so on), every segment has the same internal structure, so the checks described below can be run on any segment of the set.

Structure of E01 File


Understanding the structure is necessary for effective recovery. An E01 segment begins with a short file header, followed by a chain of sections; the first sections carry the case information. The acquired data is stored in chunks of 64 sectors (32 KiB with 512-byte sectors), and each chunk is followed by its own checksum, which EnCase calls a CRC (the stored value is actually an Adler-32).


The structure of an E01 file basically consists of 4 parts:

  • Header – The header section of the E01 image holds the case information entered at acquisition time (stored zlib-compressed):
    • Name of the examiner (investigator)
    • Case number and evidence number
    • Description of the media
    • Date/time the image was acquired
    • EnCase version used for the acquisition
    • Operating system the acquisition ran on
  • CRC – Stands for Cyclic Redundancy Check, although what EnCase actually stores is an Adler-32 checksum. A checksum is computed for every 32 KiB data chunk (and for every section descriptor) while the image is written and is stored right after it. On verification the checksum is recomputed from the data on disk and compared with the stored value: if they match, the chunk is intact; if not, that chunk has been corrupted or modified, and the mismatch pinpoints where.
  • Data Blocks – The sectors sections hold the acquired data, normally zlib-compressed, in fixed-size chunks, each followed by its checksum. These per-chunk checksums are what allow a verification tool to report which chunk of the image is damaged, rather than only that the image as a whole fails.
  • Footer – The last segment ends with a hash section carrying the MD5 of the entire acquired data stream (later EnCase versions can also store a SHA-1 digest), followed by a done section that marks the end of the set; intermediate segments end with a next section instead. Recomputing the hash over the image shows whether the data as a whole still matches the original. It cannot say how much was altered or where, which is why the per-chunk checksums are what a repair relies on.
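The following script is an added example, not code from EnCase, libewf or the author of this page. It walks the section chain of an E01 segment as laid out above (file header, 76-byte section descriptors each protected by its Adler-32 "CRC", a zlib-compressed header section with the case information, a hash section with the MD5, and a next/done terminator), recomputes every descriptor checksum, and reports numbering and terminator problems across a segment set. It also implements the segment extension sequence from the previous section (E01..E99, then EAA..). The field layout follows the EWF format description published with libewf; the sample segments are constructed in memory for the demo, hold no sector data (no sectors or table sections), and use a placeholder MD5, so they are not openable images.

```python
"""Walk the section chain of an EnCase E01 (EWF) segment and verify the Adler-32
checksums EnCase calls "CRCs". Added example, not EnCase or libewf code; the
layout follows the EWF format description published with libewf. The sample
segments are constructed for the demo and hold no sector data."""
import struct
import zlib

EWF_SIGNATURE = b"EVF\x09\x0d\x0a\xff\x00"      # magic bytes of an E01 segment
FILE_HEADER_LEN = 13                             # signature, 0x01, segment number (u16), 0x0000
SECTION_DESC_LEN = 76                            # type(16) next(8) size(8) pad(40) checksum(4)
SAMPLE_MD5 = "d41d8cd98f00b204e9800998ecf8427e"  # placeholder MD5 for the constructed image

def adler32(data: bytes) -> int:
    return zlib.adler32(data) & 0xFFFFFFFF

def segment_extension(n: int) -> str:
    """Extension of the n-th segment (1-based): E01..E99, then EAA..EZZ, FAA, ..."""
    if n <= 99:
        return f"E{n:02d}"
    n -= 100
    third, n = chr(ord("A") + n % 26), n // 26
    second, n = chr(ord("A") + n % 26), n // 26
    return chr(ord("E") + n) + second + third

def section_descriptor(sec_type: bytes, next_offset: int, size: int) -> bytes:
    body = struct.pack("<16sQQ", sec_type, next_offset, size) + b"\x00" * 40
    return body + struct.pack("<I", adler32(body))  # checksum covers the 72 bytes before it

def build_sample_segment(number: int, last: bool) -> bytes:
    """Constructed segment: file header, 'header', 'hash', then 'next' or 'done'."""
    out = bytearray(EWF_SIGNATURE + b"\x01" + struct.pack("<HH", number, 0))
    # 'header': tab-separated case information, zlib-compressed (values are made up)
    text = ("1\r\nmain\r\nc\tn\ta\te\tt\tav\tov\tm\tu\tp\tr\r\n"
            "CASE-42\tEV-1\tdemo laptop HDD\tJ. Doe\tconstructed sample\t6.19\tWindows\t"
            "2024 1 15 10 30 0\t2024 1 15 10 30 0\t0\t0\r\n\r\n")
    payload = zlib.compress(text.encode("ascii"))
    size = SECTION_DESC_LEN + len(payload)
    out += section_descriptor(b"header", len(out) + size, size) + payload
    # 'hash': MD5 of the whole acquired stream, 16 reserved bytes, Adler-32 of those 32 bytes
    body = bytes.fromhex(SAMPLE_MD5) + b"\x00" * 16
    payload = body + struct.pack("<I", adler32(body))
    size = SECTION_DESC_LEN + len(payload)
    out += section_descriptor(b"hash", len(out) + size, size) + payload
    # terminator: 'next' (another segment follows) or 'done' (last one); it points at itself
    out += section_descriptor(b"done" if last else b"next", len(out), SECTION_DESC_LEN)
    return bytes(out)

def walk_sections(segment: bytes):
    """Yield (offset, type, size, descriptor_checksum_ok) along the section chain;
    stops at the first bad descriptor, since its next-offset field cannot be trusted."""
    if segment[:8] != EWF_SIGNATURE:
        raise ValueError("not an EWF-E01 segment file")
    off = FILE_HEADER_LEN
    while off + SECTION_DESC_LEN <= len(segment):
        desc = segment[off:off + SECTION_DESC_LEN]
        raw_type, next_off, size = struct.unpack_from("<16sQQ", desc)
        ok = adler32(desc[:72]) == struct.unpack_from("<I", desc, 72)[0]
        sec_type = raw_type.rstrip(b"\x00").decode("ascii", "replace")
        yield off, sec_type, size, ok
        if not ok or sec_type in ("next", "done") or next_off <= off:
            break
        off = next_off

def parse_header(segment: bytes) -> dict:
    """Case information from the 'header' section, keyed by EnCase's short field names."""
    for off, sec_type, size, ok in walk_sections(segment):
        if sec_type == "header" and ok:
            lines = zlib.decompress(segment[off + SECTION_DESC_LEN:off + size]).decode().split("\r\n")
            return dict(zip(lines[2].split("\t"), lines[3].split("\t")))
    return {}

def stored_md5(segment: bytes):
    """MD5 recorded in the 'hash' section, or None if it is absent or its checksum fails."""
    for off, sec_type, size, ok in walk_sections(segment):
        if sec_type == "hash" and ok:
            body = segment[off + SECTION_DESC_LEN:off + size]
            if adler32(body[:32]) == struct.unpack_from("<I", body, 32)[0]:
                return body[:16].hex()
            return None
    return None

def check_chain(segments) -> list:
    """Diagnose a segment set: numbering in the file header, descriptor checksums, terminators."""
    problems = []
    for i, seg in enumerate(segments, start=1):
        name, number = "image." + segment_extension(i), struct.unpack_from("<H", seg, 9)[0]
        if number != i:
            problems.append(f"{name}: file header says segment {number}, expected {i}")
        last_type = None
        for off, sec_type, _size, ok in walk_sections(seg):
            last_type = sec_type
            if not ok:
                problems.append(f"{name}: descriptor checksum mismatch at offset {off}")
        if last_type not in ("next", "done"):
            problems.append(f"{name}: no next/done section, segment looks truncated")
        elif last_type == "next" and i == len(segments):
            problems.append(f"{name}: ends with 'next' but the following segment is missing")
    return problems

if __name__ == "__main__":
    segs = [build_sample_segment(1, last=False), build_sample_segment(2, last=True)]
    print("case:", parse_header(segs[0]).get("c"), "md5:", stored_md5(segs[1]))
    print("problems:", check_chain(segs) or "none")
```

Against a real set, read each segment with open(path, "rb").read() and pass the list in on-disk order; a descriptor checksum mismatch tells you the offset at which the chain breaks, and a set that ends with next rather than done tells you a segment is missing rather than damaged. The script deliberately stops walking at a bad descriptor instead of following its next-offset field, because a corrupted offset would send it into arbitrary data.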

Repair E01 File using libewf & ewfacquire


Repair E01 File using libewf

libewf is an open-source library, with a set of accompanying utilities, for reading and writing the Expert Witness Compression Format (EWF); it was written by Joachim Metz. It reads and writes EnCase E01 evidence files up to the formats produced by EnCase 6 and 7, both compressed and uncompressed, and also reads the uncompressed Ex01 format. Its utilities (ewfacquire, ewfexport, ewfverify, ewfinfo and others) are what you use to create, convert and check images outside EnCase.

Repair E01 File using ewfacquire


ewfacquire is the libewf utility that acquires a device or a raw image file and writes it to EWF. It can write a single file or split the output into segments of a chosen size (the -S option), so the result reads into EnCase like a native E01 set; it acquires physical disks as well as logical volumes, and can write the newer Ex01 format in its uncompressed form. Converting between EWF formats is the job of the companion tool ewfexport: its -f option selects the output format, so an Ex01 image can be re-written as E01 and then used in tools that do not understand Ex01. Both utilities have built-in help:

$ ewfacquire -h
$ man ewfacquire

To export an EWF image to another format (ewfexport defaults to a raw image; use -f to choose a different output format):

ewfexport image.E01

To verify a set of images spread over subdirectories and write one log file per image (ewfverify recomputes the per-chunk checksums and the stored hash, so its log shows where an image is damaged):

find . -name \*.E01 -printf '%f %p\n' | xargs printf "ewfverify -l \$(basename -s .E01 %s).ewfverify.out %s\n" | sh

Conclusion


The E01 file is the basic unit of disk imaging in EnCase and remains the most widely supported evidence format among forensic investigators: an acquisition of a local disk is stored in it and examined and analysed later. This article has covered the layout of the format and the tools for checking it. Keep in mind what "repair" means here: the per-chunk checksums and the stored hash let you find exactly which chunk or segment is corrupt or missing, and a bad segment set can be rebuilt from the intact segments, but bytes that are physically lost cannot be recovered from the checksums, so the damaged region has to be re-acquired or documented as unreadable.