
How to create .E01 images in HELIX

EnCase Forensic Edition

One of the issues I’ve come across in computer forensics is the lack of documentation for certain tasks I want to accomplish. For example, HELIX 3 Pro has the ability to create images in both RAW and EnCase 4, 5, and 6 format. However, if you try to select the EnCase formats, you may not be able to complete them as such, only in RAW. It’s almost as if EnCase needs to know that you have a working copy of EnCase in some way, shape, or form.

I have versions 6 and 7 (Forensic edition) loaded on my laptop. So again, how to associate one with the other? The easiest way I’ve seen it done is to go through the motions of creating a boot disk for LinEn in EnCase and appending it to an ISO of HELIX 3 Pro:

  1. Launch EnCase (only 4, 5, and 6 will work for this until HELIX updates to allow for 7). Choose Tools > Create Boot Disk.
  2. Choose ISO as the destination and click Next.
  3. In the Formatting Options dialog box, ensure that Alter Boot Table is selected, the Image Path points to the directory where you have your original HELIX ISO, and the Destination Path points to a directory that houses a new altered ISO of HELIX that you will name. Click Next.
  4. The LinEn executable is usually found in the root directory of EnCase. Therefore, in the Copy Files dialog box, right-click under Name (right-hand pane) and click New. Browse to the location of LinEn (for example, C:\Program Files\EnCase6\linen). Click Finish, and EnCase will start to create your new and improved ISO.
  5. Once you get into HELIX, you should be able to select EnCase 4, 5, or 6 as the output format. I only have 6 so that limits my options personally.

Hope this helps 🙂 If you have any questions, feel free to shoot me a message.

  1. Saul
    April 20, 2016 at 7:54 PM

    How can I get only one file.001, with the whole image, because I get many files of file.002, file.003, file.00n, each one of 2 gigabytes

    • Jen
      November 7, 2016 at 3:40 PM

      Each file is split up into about 2GB worth of data. If you want one file you have to change the settings in HELIX so that it doesn’t segment out the files.
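
For segments that already exist, the following is an added example (not part of the original post or its comments) that checks a `file.001`, `file.002`, ... set for gaps, then streams the pieces in numeric order to compute one SHA-256 and optionally write a single image. It assumes the segments are raw (dd-style) splits, where in-order concatenation reproduces the image; that is not true of segmented .E01 files, which carry their own per-segment structure. The function names are hypothetical.

```python
import hashlib
import re
from pathlib import Path

# Matches names such as file.001, file.002 (stem + numeric extension).
SEGMENT_RE = re.compile(r"^(?P<stem>.+)\.(?P<num>\d{3,})$")

def ordered_segments(directory, stem):
    """Return the segment paths for `stem` in numeric order; fail on a gap."""
    found = {}
    for path in Path(directory).iterdir():
        m = SEGMENT_RE.match(path.name)
        if m and m.group("stem") == stem and path.is_file():
            found[int(m.group("num"))] = path
    if not found:
        raise FileNotFoundError(f"no segments named {stem}.NNN in {directory}")
    expected = range(1, max(found) + 1)
    missing = [n for n in expected if n not in found]
    if missing:
        # A missing piece would silently shift every later offset in the image.
        raise ValueError(f"missing segment(s): {missing}")
    return [found[n] for n in expected]

def join_segments(segments, output=None, chunk_size=1 << 20):
    """Stream segments in order; return (total_bytes, sha256_hex).

    If `output` is given, also write the single image. Mode "xb" refuses to
    overwrite an existing file, so an earlier image is never clobbered.
    """
    digest = hashlib.sha256()
    total = 0
    out = open(output, "xb") if output else None
    try:
        for seg in segments:
            with open(seg, "rb") as fh:
                while chunk := fh.read(chunk_size):
                    digest.update(chunk)
                    total += len(chunk)
                    if out:
                        out.write(chunk)
    finally:
        if out:
            out.close()
    return total, digest.hexdigest()

if __name__ == "__main__":
    import sys  # usage: script.py <directory> <stem> [single_image_path]
    segs = ordered_segments(sys.argv[1], sys.argv[2])
    size, sha = join_segments(segs, sys.argv[3] if len(sys.argv) > 3 else None)
    print(f"{len(segs)} segments, {size} bytes, sha256={sha}")
```

Run without an output path to hash the segmented set in place and compare the result against the hash recorded at acquisition time.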
