
Image compression in EnCase and what it really means

It’s often said in the digital forensics world that a RAW image can be seen as more “reliable” than other image types, such as the EnCase .E01 format. The reasons usually given include:

  • The RAW Image Format is basically a bit-for-bit copy of the RAW data of either the disk or the volume, without any additions or deletions.
  • The RAW Image Format was originally used by dd, but is supported by most of the computer forensics applications.
  • The RAW image is uncompressed.

It is true that an EnCase image can be smaller than the actual drive size, or, by comparison, than an image taken of the same drive in RAW format. There is no data loss, however; the reason EnCase can produce a smaller image is that, by default, it compresses the image to save space. Every bit of the original drive is still present. In addition, EnCase stores metadata, which a RAW image doesn’t include by default (although there are cases where metadata can be stored in secondary files).

I performed an experiment on a 150 GB drive, where I first created a RAW image in HELIX (same resulting file size of 150 GB), then an EnCase image which was compressed down to about 60 GB by default. Then, I acquired the image again in EnCase, unchecking all compression options. The second EnCase image was 150 GB. Bit for bit, it was a mirror copy of the HELIX RAW image, only with the addition of the metadata.
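The point of the experiment above is that compression in an evidence container is lossless: the compressed container decompresses to exactly the bytes the RAW image holds, and a hash of the restored data matches a hash of the original. The script below is an added illustration, not EnCase’s code and not an implementation of the .E01/EWF format. It mimics the idea in simplified form: the image is split into fixed-size chunks, each chunk is zlib-compressed and tagged with a CRC of its plaintext, and the round trip is verified by SHA-256. The chunk size, the sample image, and all function names are assumptions chosen for the example.

```python
import hashlib
import zlib

# Chunk size is an assumption for illustration (64 sectors of 512 bytes).
CHUNK_SIZE = 32 * 1024


def make_sample_image(size=256 * 1024, seed=b"constructed-sample"):
    """Construct a stand-in for a raw dd image (constructed data, not a real
    drive): the first half is zero-filled, like unallocated space, and
    compresses well; the second half is pseudo-random, like encrypted or
    already-compressed data, and barely compresses at all."""
    half = size // 2
    out = bytearray(half)  # zero-filled region
    state = seed
    while len(out) < size:
        state = hashlib.sha256(state).digest()  # deterministic "random" bytes
        out.extend(state)
    return bytes(out[:size])


def compress_image(raw):
    """Split the raw image into fixed-size chunks, compress each chunk with
    zlib, and keep a CRC32 of the plaintext chunk so corruption is detectable
    when the image is read back."""
    chunks = []
    for offset in range(0, len(raw), CHUNK_SIZE):
        plain = raw[offset:offset + CHUNK_SIZE]
        chunks.append((zlib.compress(plain, 9), zlib.crc32(plain)))
    return chunks


def decompress_image(chunks):
    """Rebuild the raw bytes from the compressed chunks, checking every
    chunk's CRC against the plaintext that was compressed."""
    out = bytearray()
    for index, (packed, expected_crc) in enumerate(chunks):
        plain = zlib.decompress(packed)
        if zlib.crc32(plain) != expected_crc:
            raise ValueError(f"chunk {index} failed its CRC check")
        out.extend(plain)
    return bytes(out)


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def verify_roundtrip(raw):
    """Compress, decompress, and report sizes plus both hashes. A match
    between raw_sha256 and restored_sha256 is the evidence that the
    compression lost nothing."""
    chunks = compress_image(raw)
    restored = decompress_image(chunks)
    return {
        "raw_size": len(raw),
        "compressed_size": sum(len(packed) for packed, _ in chunks),
        "raw_sha256": sha256_hex(raw),
        "restored_sha256": sha256_hex(restored),
        "identical": restored == raw,
    }


if __name__ == "__main__":
    report = verify_roundtrip(make_sample_image())
    for key, value in report.items():
        print(f"{key}: {value}")
```

Running it prints a compressed size well under the raw size (the zero-filled half shrinks to a few bytes per chunk while the pseudo-random half stays close to its original size), with identical SHA-256 hashes for the original and restored data. The same comparison, a hash of the RAW image against a hash of the data an uncompressed or compressed container yields, is how you confirm in practice that a compressed image still contains every bit of the drive.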

I’m sure this is old hat to a lot of forensics folks out there, but for the newbies starting out, it’s a pretty handy concept to know 🙂
