E01 import now in Oxygen Forensic® Detective!

What is a e01 file?

The e01 (Encase Image File Format) file is a forensics disk image file that keeps backup of various types of acquired digital evidence. It was originally developed by EnCase® Forensic, a forensics software application. Then other companies started using it in their products, leading it to become common place. In other words, an e01 file is an encrypted and compressed raw file.

E01 files are generally used for storing extracted and parsed data by digital forensics, cyber security, and e-discovery products. They are also often used in some judicial settings for preserving and presenting digital evidence.

E01 PC disk and phone images are now supported in Oxygen Forensic® Detective.

Import of e01 PC disk images

Encase images of PC disks can be imported in Oxygen Forensic® Detective. The data is parsed via Oxygen Forensic® KeyScout, our built in and deployable tool designed for extracting and analyzing PC data.

In order to extract and analyze data from e01 disk images, open the home screen of Oxygen Forensic® Detective. Find Desktop extractions within Import section and click on Drive image.

Import Wizard will open, there, investigators can select the advanced import settings for the image. 

Once investigators press the Import button, Oxygen Forensic® KeyScout is launched. Press the Start Search button to start parsing data from the imported e01 image. 

Parsed artifacts are displayed during the scanning in real time within the KeyScout window. Investigators can then review the data and select the artifacts to include into the final extraction. 

Once the extraction is complete, click on the Save button, and the parsed e01 image will be opened in Oxygen Forensic® Detective. Depending on the e01 image and what is selected, the evidence set could include data from the most popular messengers, web browsers, email clients, as along with app credentials and tokens. 

PLEASE NOTE: Only e01 images of NTFS file system are currently supported. NTFS is a proprietary journaling file system developed by Microsoft, which is the default file system of the Windows NT family, starting with Windows NT 3.1. Considering that Windows OS market share is 88.14%, e01 disk images of most PCs will be supported. However, we are working on adding support for macOS and Linux operating systems as well.

Import of e01 Android images

Other e01 files that can be imported into Oxygen Forensic® Detective are the physical images of Android devices. An e01 file can be selected at the import of Android Physical image. Its data will be parsed and analyzed by Oxygen Forensic® Detective and then displayed on the extraction main screen, similarly to all the other extractions of Android physical dumps. The evidence set will include app data, files, contacts, messages, calls, deleted information, and other artifacts.

Leave a Reply

Your email address will not be published. Required fields are marked *