It is not uncommon that source evidence drives and their images may be involved in a long-running investigation case or wait to be presented in court for months or even years. Data stored on hard drives or image files may get corrupt over time. That is why an investigator may need to ensure the integrity of data on these devices or image files before resuming to work with them or presenting them in court. Over the years, E01 file format has become a popular format for forensic purposes due to its ability to store not only the physical or logical copy of the source drive, but also case and evidence details. E01 file can also contain both MD5 and SHA-1 hashes. And it is considered a good practice among forensic specialists to calculate both hashes while imaging the evidence so that they are included in the E01 file. To view the hash calculated for an E01 file with Atola Insight Forensic, open the file by pressing the Plus icon in the port bar and then selecting E01 image files (*.E01) file extension in the drop-down menu to view existing files with this extension.
In the Home page look through the File History and click on the Imaging target link.
This will open an Imaging targetreport, at the bottom of which you will be able to see both hashes calculated during the imaging session.
You may leave this window open or save the report as a pdf file to compare the hash with the newly calculated one later. Then go to Calculate Hash page in Hashing category of the left-side menu and select Linear in Hash method drop-down menu and MD5 and SHA-1 in Hash type drop-down menu.
Once the hashes have been calculated, you can make sure that the two sets of hashes are identical.
While physical imaging involves sector-for-sector copying the whole evidence drive from the first LBA to the last one, logical acquisition implies bit-for-bit copying of the file structure. Logical acquisition is handy, when time is limited and you need to quickly start working with the file structure. At the same time, logical image does not include remaining fragments of previously deleted files, which makes this imaging method incomplete. On top of that, hash values of the source and the target will not be identical. Therefore, for profound investigation, it is still preferable to use a physical image. This guide will show how Atola Insight Forensic's flexible imaging functionality enables users to perform selective logical imaging. In the Imaging category of the left-side menu there is I want to image drop-down menu, where you can select All sectors with data or All sectors with metadataoptions.
When you choose All sectors with data, you can image the whole system structure of the drive including folders and files, while omitting the areas with no data or fragments of previously deleted files. By going for All sectors with metadata option you can image the system structure without data within its files (e.g. MFT in NTFS) for file browsing and selecting specific files to be imaged in full. For more information on this please watch this video guide: Benefits of Imaging Metadata. When you select either of these two options, imaging log adds a message about the partitions Insight has been able to find.
Once imaging is complete, you can view the structure of the logical image you have obtained by clicking Analyze target image. This will open the Target port. [list=1] [*]ClickScan partitions button [*]Select any of the imaged partitions you want to [*]ClickOpen partition button [/list]
In our example, we have imaged all sectors with data, and the partition we open contains the file structure and files, which we can explore, open and analyze.
For car electronics, car audio systems, car upgrades, and other cool auto stuff check out -Â http://bit.ly/2iNww6p We have a busy day here at the shop, we install a GPS Tracking system, get yet another harley davidson up and going and install a Clifford Alarm!