November 30, 2011

RAW images can be created by different forensic products with various file extensions like .DD or .001. I use HELIX sometimes for evidence acquisition, and it defaults to .001 and up, one segment for every 2 GB of the image it creates. For a long time I could not get EnCase to open these HELIX-created files properly. I have now figured out why, and hopefully this will help other digital forensic analysts out there who are having the same issues.

If you try to open a RAW image file in EnCase, you have a few choices of how you want to open it (Disk, Volume, CD-Rom, etc.). Easy enough. In my example, I had two NTFS partition images (created in HELIX) from the same drive that I wanted to add to my case as separate Volumes. However, if you’ve ever tried adding the component files starting from the .001 file (sequential order), you’ve probably run into the issue I did: EnCase does not recognize the files as segments of one image and adds them as a single file only.

Here’s my protip: Add the files in reverse order. Let’s say my last file has the extension .027. Click on that file, hold down the Shift key, and then click on the .001 file. This will highlight all the files in between and will add them to your case as one properly segmented image in the file structure EnCase expects. Now you’re ready to begin your forensic examination.
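Before adding a split set like this to a case, it is worth confirming that the segments really are complete and contiguous, and recording a hash of the image as one logical stream; a missing .014 or a segment copied with the wrong size shows up as a bad volume in EnCase rather than as an obvious error. The following script is an added example and is not part of the original post, nor HELIX or EnCase code. The 2 GB segment size comes from the post; the function names, the `<base>.NNN` regular expression, and the tiny constructed sample segments are this example's own assumptions.

```python
"""Sanity-check a split RAW image set (.001, .002, ...) before loading it.

Added example, not part of the original post and not HELIX or EnCase code.
The 2 GB segment size comes from the post; the function names, the
regular expression and the constructed sample data are the example's own
assumptions.
"""
import hashlib
import os
import re
import tempfile

SEGMENT_RE = re.compile(r"^(?P<base>.+)\.(?P<num>\d{3})$")
HELIX_SEGMENT_SIZE = 2 * 1024 ** 3  # 2 GB per segment, as described in the post


def find_segments(directory, base):
    """Return the paths of `<base>.NNN` files in `directory`, sorted numerically.

    Sorting on the parsed number makes the order independent of how the
    filesystem happens to list the directory.
    """
    found = []
    for name in os.listdir(directory):
        m = SEGMENT_RE.match(name)
        if m and m.group("base") == base:
            found.append((int(m.group("num")), os.path.join(directory, name)))
    return [path for _, path in sorted(found)]


def check_segments(paths, segment_size=HELIX_SEGMENT_SIZE):
    """Return a list of problems with the segment set (empty list = looks complete).

    A complete set numbers .001..N with no holes, every segment but the last
    is exactly `segment_size` bytes, and the last one is no larger than that.
    """
    if not paths:
        return ["no segments found"]
    issues = []
    nums = [int(SEGMENT_RE.match(os.path.basename(p)).group("num")) for p in paths]
    if nums != list(range(1, len(nums) + 1)):
        missing = sorted(set(range(1, nums[-1] + 1)) - set(nums))
        issues.append("missing segment numbers: %s" % missing)
    for index, path in enumerate(paths):
        size = os.path.getsize(path)
        is_last = index == len(paths) - 1
        if not is_last and size != segment_size:
            issues.append("%s is %d bytes, expected %d" % (os.path.basename(path), size, segment_size))
        elif is_last and size > segment_size:
            issues.append("%s is %d bytes, larger than a segment" % (os.path.basename(path), size))
    return issues


def hash_segments(paths, algorithm="sha256", chunk_size=1024 * 1024):
    """Hash the segments as one logical image, i.e. concatenated in numeric order."""
    digest = hashlib.new(algorithm)
    for path in paths:
        with open(path, "rb") as handle:
            for chunk in iter(lambda: handle.read(chunk_size), b""):
                digest.update(chunk)
    return digest.hexdigest()


def build_sample_set(directory, base, segments, segment_size, drop=()):
    """Write a constructed, tiny split image for demonstration.

    Segment i is filled with byte value i; the last segment is half size,
    as the final segment of a real acquisition usually is. Numbers in `drop`
    are skipped to simulate a lost file. Returns the bytes of the full image.
    """
    image = b""
    for number in range(1, segments + 1):
        size = segment_size // 2 if number == segments else segment_size
        payload = bytes([number]) * size
        image += payload
        if number not in drop:
            with open(os.path.join(directory, "%s.%03d" % (base, number)), "wb") as handle:
                handle.write(payload)
    return image


def run_demo():
    """Exercise the checks on a complete and on a damaged constructed set."""
    results = {}
    with tempfile.TemporaryDirectory() as complete_dir, tempfile.TemporaryDirectory() as gapped_dir:
        image = build_sample_set(complete_dir, "evidence", 3, 1024)
        paths = find_segments(complete_dir, "evidence")
        results["order"] = [os.path.basename(p) for p in paths]
        results["issues_complete"] = check_segments(paths, segment_size=1024)
        results["hash_matches"] = hash_segments(paths) == hashlib.sha256(image).hexdigest()
        build_sample_set(gapped_dir, "evidence", 4, 1024, drop=(2,))
        results["issues_gapped"] = check_segments(find_segments(gapped_dir, "evidence"), segment_size=1024)
    return results


if __name__ == "__main__":
    for key, value in run_demo().items():
        print("%-16s %s" % (key, value))
```

On a real set you would call `find_segments` on the evidence directory with the default 2 GB segment size, refuse to proceed if `check_segments` reports anything, and compare the `hash_segments` value with the hash you recorded of the source device at acquisition time; the hash of the concatenated segments is the hash EnCase will verify once the image is added as one volume.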

Sidenote: It would have been nice to have seen these instructions in the EnCase documentation, but I did not see them anywhere.

And if you already knew how to do this, then I bow to you, digital forensics guru 🙂

