Sunday, July 22, 2007

Export EnCase evidence file to DD image

I needed to convert an EnCase image file to a DD image. There are several ways to do this, but many require third-party tools or restoring the original drive. So I wrote an EnScript that does it natively within EnCase, which saves me from having to use third-party tools.

When you run the EnScript, it writes the DD image to your default export folder (so remember to set it correctly) and gives it the same name as your evidence. The usual rules apply when writing a file to a file system that has size limitations (FAT), so consider that when exporting your DD image and use a file system that can handle large files. I may add the ability to "split" the files in the future.

Speed is not blazing fast, but it works.. ;) You can estimate about 1GB per minute for an average computer system.

Once exported, the MD5 hash of the DD file should verify with any 3rd party tool to be the same as what EnCase reports.

MD5 reported by EnCase:



MD5 reported by WinHex on exported DD file:



Download Here

Tested in EnCase v6.5
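The verification step described above can also be scripted. The following is an added example, not part of the original post or the EnScript: it streams a raw image through MD5 and compares the result with the value EnCase reports. It goes slightly beyond the post by also accepting an image stored as numbered segments (the "split" case mentioned above); all function names are hypothetical.

```python
import hashlib
import re
import sys
from pathlib import Path

CHUNK = 1024 * 1024  # read 1 MiB at a time so multi-GB images never sit in RAM


def segment_order(path):
    """Sort key: numeric extensions (.001, .2, .010) ordered by value, not text."""
    ext = Path(path).suffix.lstrip(".")
    return (0, int(ext), "") if ext.isdigit() else (1, 0, str(path))


def md5_of_image(paths):
    """MD5 and byte count of one raw image, or of its segments in order."""
    digest, total = hashlib.md5(), 0
    for p in sorted(paths, key=segment_order):
        with open(p, "rb") as fh:
            while chunk := fh.read(CHUNK):
                digest.update(chunk)
                total += len(chunk)
    return digest.hexdigest(), total


def normalize_hash(text):
    """Accept the hash as copied from a report: any case, spaces, colons, dashes."""
    cleaned = re.sub(r"[\s:\-]", "", text).lower()
    if not re.fullmatch(r"[0-9a-f]{32}", cleaned):
        raise ValueError("expected 32 hex digits for an MD5 value")
    return cleaned


def verify_export(paths, reported_md5, expected_size=None):
    """Return (ok, computed_md5, size); a size mismatch flags a truncated export."""
    computed, size = md5_of_image(paths)
    ok = computed == normalize_hash(reported_md5)
    if expected_size is not None and size != expected_size:
        ok = False
    return ok, computed, size


if __name__ == "__main__":
    if len(sys.argv) < 3:
        sys.exit("usage: verify_dd.py <md5 reported by EnCase> <image or segments...>")
    ok, computed, size = verify_export(sys.argv[2:], sys.argv[1])
    print(f"{size} bytes, MD5 {computed}: {'MATCH' if ok else 'MISMATCH'}")
    sys.exit(0 if ok else 1)
```

Segments are sorted by numeric extension, so a shell glob that lists `.10` before `.2` still hashes in the right order.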

3 comments:

Anonymous Wednesday, 25 July, 2007  

Looks like a useful script.
all in one solution.

Saves using ftkimager and then having to join the segments, or having to have a PC with Linux so that you can use ewfexport.

Anonymous Wednesday, 03 February, 2010  

It will be great when you can finally add a split function. There's too much risk in making one giant file.

Anonymous Thursday, 13 September, 2012  

Could you give a general idea of how this works? Which commands allow you to read from the disk without reference to a file?

Computer Forensics, Malware Analysis & Digital Investigations