Forensic images: E01 and dd

«I made a copy of the disk» means nothing. Copying files skips unallocated space, hidden partitions and bad sectors, and it changes dates. A forensic image is something else: a sector-by-sector transcription of what is on the medium — including the regions the operating system considers empty.

A copy and an image are not the same thing

When you drag a folder from one disk to another, the operating system reads the files through the filesystem. It sees what the filesystem declares: existing files, in their current versions. It does not see the contents of deleted files, often still physically present. It does not see the gap between the end of a file and the end of its last sector. It does not see the drive's reserved areas.

A forensic image bypasses the filesystem and reads the device block by block. The result is a file containing everything, in the order it sits on the medium — including regions no filesystem claims.

Two formats, two philosophies

E01 / EWF — a container that knows what it holds header case, examiner dates, software EVF · LVF · EVF2 the disk's sectors, compressed in chunks far smaller than the original, yet the logical stream recovered from it is identical byte for byte stored hashes MD5 SHA-1 written at acquisition error2 the sectors the drive could not read declared, not hidden DD / RAW — the bytes, and nothing else the disk's sectors, uncompressed, from first to last A dd does not know it is a forensic image: it is indistinguishable from any file of the same length. Every piece of metadata — who, when, with what, with how many errors — lives in a separate document, which can be lost.
The E01 carries its own chain of custody. The dd delegates it to a sheet of paper.

E01 (Expert Witness Format)

Born with EnCase and now the de facto standard. It is a container: inside sit the sectors compressed in chunks, but also a header with the acquisition's metadata — case number, examiner's name, dates, software used — and, at the end, the hashes computed by the acquisition software as it read.

There is also an error2 section listing the sectors the drive failed to return. A dying disk has thousands. An honest image declares them; a copy made with cp simply stops, or fills them with zeroes without saying so.

Probatio recognises the three header variants: EVF, LVF (logical images) and EVF2, the most recent generation.

dd / raw

No container, no compression, no metadata: the disk, as it is. A dd image of a 2 TB disk occupies 2 TB, even if the disk is nearly empty.

The advantage is absolute transparency: any tool reads it, thirty years from now included. The drawback is that everything we know about that image lives outside the image. Lose the report, and anonymous bytes remain.

The double verification

Here lies the forensic value of the E01, and it is worth understanding properly, because these are two distinct comparisons answering two different questions.

Probatio rereads the logical stream and recomputes the hashes internal comparison vs the hashes inside the E01 «has the image file corrupted since acquisition?» external comparison vs the hash in the report «is this image the one that was seized?» The first comparison is automatic and proves nothing about provenance: whoever remakes the image remakes its internal hashes. The second is the one that holds up in court, because the expected hash comes from outside.
Only the external comparison binds the image to the physical exhibit. That is why the hash must be recorded at the moment of seizure, not derived from the image months later.

Probatio recomputes the hashes by rereading the logical stream — the decompressed sectors in their original order — and compares them against those stored in the E01, in MD5 and SHA-1, the algorithms the format provides for.

It also accepts an expected hash, the one you transcribed from the seizure report, in MD5, SHA-1 or SHA-256. That second comparison is the only one demonstrating anything about provenance.

Had the image been remade from a tampered disk, its internal hashes would match perfectly: they would have been recomputed by the acquisition software over the tampered content. Does the report's hash, written years earlier, also match? That is another story.

Bad sectors

A dying disk returns read errors. Acquisition does not stop: it marks the sector unreadable, fills it with zeroes and moves on. The E01's error2 section preserves the list, and Probatio sums the sectors involved.

That number belongs in the report. It is not a defect of the acquisition: it is a property of the exhibit. An image with four thousand unreadable sectors remains perfectly valid — but if the file that interests you falls inside them, you need to know that before drawing conclusions about its content.

MD5 and SHA-1 in an E01: a problem?

No, and it is worth being precise, because the question comes up every time. The E01 format stores MD5 and SHA-1 because it was designed when those were the standard. Forging a forensic image by exploiting MD5's weakness would require a second preimage — finding a second, different disk with the same MD5 — and nobody knows how.

The known MD5 collisions require building both files. They do not apply to an exhibit already acquired and recorded. That said, the hash you write in today's report should be SHA-256.

What Probatio does not read

  • AFF4 is not supported. The format exists; it is not handled.
  • Non-EWF raw formats are treated as dd: if your tool produces a proprietary container, convert it first.
  • Probatio does not mount the image and does not interpret its filesystem. It verifies the container's integrity and extracts its metadata: a different task from analysing the contents.

In practice

  1. Record the hash at the moment of seizure, not afterwards. A hash computed months later over the image proves only that the image has not changed since you computed it.
  2. Prefer E01 over dd when you can: metadata and hashes travel with the exhibit, and it compresses.
  3. Always report bad sectors, even when they are zero. The absence of that line is itself missing information.
  4. Work on copies. A forensic image is an exhibit: duplicate it, and analyse the duplicate.
  5. Keep the image and its report together, and consider sealing both in a BagIt bag with a timestamp.

A forensic image is a photograph of a medium at one instant. Like any photograph, it is worth what it shows and what the person who took it is trusted for. Hashes exist to make that trust checkable.