Forensic images: E01 and dd
«I made a copy of the disk» means nothing. Copying files skips unallocated space, hidden partitions and bad sectors, and it changes dates. A forensic image is something else: a sector-by-sector transcription of what is on the medium — including the regions the operating system considers empty.
A copy and an image are not the same thing
When you drag a folder from one disk to another, the operating system reads the files through the filesystem. It sees what the filesystem declares: existing files, in their current versions. It does not see the contents of deleted files, often still physically present. It does not see the gap between the end of a file and the end of its last sector. It does not see the drive's reserved areas.
A forensic image bypasses the filesystem and reads the device block by block. The result is a file containing everything, in the order it sits on the medium — including regions no filesystem claims.
Two formats, two philosophies
E01 (Expert Witness Format)
Born with EnCase and now the de facto standard. It is a container: inside sit the sectors compressed in chunks, but also a header with the acquisition's metadata — case number, examiner's name, dates, software used — and, at the end, the hashes computed by the acquisition software as it read.
There is also an error2 section listing the sectors the drive failed to return. A dying disk has thousands. An honest image declares them; a copy made with cp simply stops, or fills them with zeroes without saying so.
Probatio recognises the three header variants: EVF, LVF (logical images) and EVF2, the most recent generation.
dd / raw
No container, no compression, no metadata: the disk, as it is. A dd image of a 2 TB disk occupies 2 TB, even if the disk is nearly empty.
The advantage is absolute transparency: any tool reads it, thirty years from now included. The drawback is that everything we know about that image lives outside the image. Lose the report, and anonymous bytes remain.
The double verification
Here lies the forensic value of the E01, and it is worth understanding properly, because these are two distinct comparisons answering two different questions.
Probatio recomputes the hashes by rereading the logical stream — the decompressed sectors in their original order — and compares them against those stored in the E01, in MD5 and SHA-1, the algorithms the format provides for.
It also accepts an expected hash, the one you transcribed from the seizure report, in MD5, SHA-1 or SHA-256. That second comparison is the only one demonstrating anything about provenance.
Had the image been remade from a tampered disk, its internal hashes would match perfectly: they would have been recomputed by the acquisition software over the tampered content. Does the report's hash, written years earlier, also match? That is another story.
Bad sectors
A dying disk returns read errors. Acquisition does not stop: it marks the sector unreadable, fills it with zeroes and moves on. The E01's error2 section preserves the list, and Probatio sums the sectors involved.
That number belongs in the report. It is not a defect of the acquisition: it is a property of the exhibit. An image with four thousand unreadable sectors remains perfectly valid — but if the file that interests you falls inside them, you need to know that before drawing conclusions about its content.
MD5 and SHA-1 in an E01: a problem?
No, and it is worth being precise, because the question comes up every time. The E01 format stores MD5 and SHA-1 because it was designed when those were the standard. Forging a forensic image by exploiting MD5's weakness would require a second preimage — finding a second, different disk with the same MD5 — and nobody knows how.
The known MD5 collisions require building both files. They do not apply to an exhibit already acquired and recorded. That said, the hash you write in today's report should be SHA-256.
What Probatio does not read
- AFF4 is not supported. The format exists; it is not handled.
- Non-EWF raw formats are treated as dd: if your tool produces a proprietary container, convert it first.
- Probatio does not mount the image and does not interpret its filesystem. It verifies the container's integrity and extracts its metadata: a different task from analysing the contents.
In practice
- Record the hash at the moment of seizure, not afterwards. A hash computed months later over the image proves only that the image has not changed since you computed it.
- Prefer E01 over dd when you can: metadata and hashes travel with the exhibit, and it compresses.
- Always report bad sectors, even when they are zero. The absence of that line is itself missing information.
- Work on copies. A forensic image is an exhibit: duplicate it, and analyse the duplicate.
- Keep the image and its report together, and consider sealing both in a BagIt bag with a timestamp.
A forensic image is a photograph of a medium at one instant. Like any photograph, it is worth what it shows and what the person who took it is trusted for. Hashes exist to make that trust checkable.