
Thursday, February 28, 2008

Create 'dd' image file from EnCase evidence and redact certain files

***Updated version 1.1 - Sanity checking on deleted and overwritten files, files with invalid clusters, and folders

This project started out as a request from a blog reader where they were ordered to provide a copy of an evidence file to another party, but redact certain files. He had already figured out a way to do this with a 3rd party tool, but wanted to dump a text file of the offsets and lengths of the files that were selected so they could be read by a 3rd party tool and then some automated wiping could take place.

Back in July of 2007, I released an EnScript to make a 'dd' image file from an EnCase evidence file (original post is here). I started thinking about how easy it would be to incorporate that feature to that EnScript. An hour later, here is a modified version of the original "export to dd image" EnScript, with the ability to redact selected items.

Basically the way it works is that you load up one piece of evidence and then select any item(s) you want redacted. You can select anything, including unallocated space, which will then be written as all zeros in the 'dd' image file. The selected filename and metadata are all maintained, just the data contents are redacted. Check the console for some logging information.



Now this obviously has some interesting uses, with the most obvious being why I originally set out to make this EnScript, but after working on it and playing around with it, I came up with several other very useful applications, especially when making example evidence files for students. The cool part is you can load up an evidence file, select unallocated, and then when it's done, load up the 'dd' image file and quickly reimage it; the resulting evidence file is much smaller since the wiped data is stored as sparse data. So when working with sample evidence files where the pagefile, unallocated or other files are not needed, you can quickly wipe them out and reduce the overall size of the evidence file significantly.

Before (now you see it):



After (now you don't):


All other files remain intact and all other individual file hash values verify between the original and the 'dd' image.

Download Here

Sunday, July 22, 2007

Export EnCase evidence file to DD image

I had a need to convert an EnCase image file to a DD image. There are several ways to do this, but many require using 3rd party tools or restoring the original drive. So I wrote an EnScript that can do it natively within EnCase preventing me from having to use 3rd party tools.

When you run the EnScript, it will write the DD image to your default export folder (so remember to set it correctly) and name it the same as your evidence. Obviously, the normal rules apply when writing a file out to a file system that has size limitations (FAT), so consider that when exporting your DD image and use an appropriate file system that can deal with large files. I may add the ability to "split" the files in the future.

Speed is not blazing fast, but it works.. ;) You can estimate about 1GB per minute for an average computer system.

Once exported, the MD5 hash of the DD file should verify with any 3rd party tool to be the same as what EnCase reports. MD5 reported by EnCase:



MD5 reported by WinHex on exported DD file:



Download Here

Tested in EnCase v6.5
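Both posts above rest on the same two operations: walk a table of (offset, length) runs for each file and zero-fill the selected runs in the raw copy, then hash to prove that everything not selected came through byte-for-byte. The following Python is an added illustration of that logic written for this page; it is not either EnScript and parses no EnCase structures. The toy 4096-byte image, the file table, the file names and the two bad entries (a deleted file whose run points past the end of the image, and a run that overlaps the end) are all constructed. It goes slightly beyond the posts at the end by writing the redacted copy with holes, which is how the wiped regions end up costing almost nothing on disk.

```python
import hashlib
import os
import tempfile

# Constructed toy "raw image": 4096 bytes with a fake boot sector and four fake
# files at fixed offsets. The offsets and lengths play the role of the per-file
# cluster runs the EnScript walks; nothing here is a real EnCase structure.
IMAGE_SIZE = 4096
SAMPLE_FILES = {
    "resume.doc":   (512,  b"resume.doc contents, keep me"),
    "pagefile.sys": (1024, b"pagefile.sys: sensitive swap data"),
    "unallocated":  (2048, b"leftover fragment in unallocated"),
    "photo.jpg":    (3072, b"photo.jpg bytes here"),
}

def build_sample_image():
    img = bytearray(IMAGE_SIZE)
    img[0:16] = b"FAKE-BOOT-SECTOR"          # "metadata" that must survive intact
    for off, data in SAMPLE_FILES.values():
        img[off:off + len(data)] = data
    return bytes(img)

# File table: name -> list of (offset, length) runs, the same shape as the
# offsets/lengths text file the first post mentions. Two constructed bad
# entries mimic the sanity-checking cases added in version 1.1.
FILE_TABLE = {n: [(off, len(d))] for n, (off, d) in SAMPLE_FILES.items()}
FILE_TABLE["ghost.tmp"] = [(9000, 16)]     # deleted file, cluster past image end
FILE_TABLE["partial.log"] = [(4080, 64)]   # run overlapping the end of the image

def md5_hex(data):
    return hashlib.md5(data).hexdigest()

def md5_of_runs(image, runs):
    """MD5 over a file's data runs, in run order (a logical file hash)."""
    h = hashlib.md5()
    for off, length in runs:
        h.update(image[off:off + length])
    return h.hexdigest()

def redact_image(image, file_table, redact_names):
    """Return (redacted copy, log). Data runs of the selected names are
    zero-filled; everything else, boot sector and file-table metadata
    included, is left exactly as it was. Runs that start past the end of
    the image are skipped, runs that overlap the end are clamped, and
    both cases are logged instead of raising."""
    out = bytearray(image)
    log = []
    for name in sorted(redact_names):
        if name not in file_table:
            log.append(f"skip {name}: not in file table")
            continue
        for off, length in file_table[name]:
            if off >= len(image) or length <= 0:
                log.append(f"skip {name}: run {off}+{length} outside image")
                continue
            end = min(off + length, len(image))
            if end != off + length:
                log.append(f"clamp {name}: run {off}+{length} to {end}")
            out[off:end] = bytes(end - off)          # zero-fill the run
            log.append(f"wiped {name}: {off}-{end}")
    return bytes(out), log

def verify_untouched(original, redacted, file_table, redact_names):
    """For every file NOT selected, check its per-file hash is unchanged."""
    return {name: md5_of_runs(original, runs) == md5_of_runs(redacted, runs)
            for name, runs in file_table.items() if name not in redact_names}

def sparse_roundtrip(image, block=512):
    """Write the image to a temp file, seeking over all-zero blocks so the
    filesystem can store them as holes, then read it back.
    Returns (bytes physically written, bytes read back)."""
    written = 0
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "redacted.dd")
        with open(path, "wb") as f:
            for off in range(0, len(image), block):
                chunk = image[off:off + block]
                if chunk.count(0) == len(chunk):
                    f.seek(len(chunk), os.SEEK_CUR)   # leave a hole
                else:
                    f.write(chunk)
                    written += len(chunk)
            f.truncate(len(image))                     # keep the full logical size
        with open(path, "rb") as f:
            return written, f.read()

if __name__ == "__main__":
    original = build_sample_image()
    selected = {"pagefile.sys", "unallocated", "ghost.tmp", "partial.log"}
    redacted, log = redact_image(original, FILE_TABLE, selected)
    print("\n".join(log))
    print("whole-image MD5 changed:", md5_hex(original) != md5_hex(redacted))
    print("untouched files verify:", verify_untouched(original, redacted, FILE_TABLE, selected))
    written, back = sparse_roundtrip(redacted)
    print(f"sparse write: {written} of {len(back)} bytes physically written")
```

The whole-image MD5 of a redacted copy will of course no longer match what EnCase reports for the original, which is exactly why the first post verifies per-file hashes instead; the second post's whole-image MD5 check only applies to an export with nothing selected for redaction.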

Computer Forensics, Malware Analysis & Digital Investigations
