Saturday, April 12, 2014

Working with Expert Witness Format


Throughout this post we are going to be using the nps-2008-jean image file to learn a few things about working with evidence files in the Expert Witness Format (E01).  That image file can be downloaded here.  You need to download both files, nps-2008-jean.E01 and nps-2008-jean.E02, because they are both segments of the same image.  When creating an image file, many imaging tools will by default split the output into 2048 megabyte segments, naming them consecutively (E01, E02, E03, and so on).  This makes them easier to transport.

When an Expert Witness Format image file is created using any of the tools listed in the previous post, an MD5 hash value of the original drive's data is calculated.  That hash value is stored in the image file itself.  The Expert Witness Format has built-in checks that confirm the original data is not corrupted.  It also allows for compression and encryption.

$ img_stat nps-2008-jean.E01
IMAGE FILE INFORMATION
--------------------------------------------
Image Type: ewf

Size of data in bytes: 10737418240
MD5 hash of data: 78a52b5bac78f4e711607707ac0e3f93

Using the img_stat tool that is part of the Sleuth Kit we can learn a few things about the file itself, most of which is self-explanatory.  This image is stored in the Expert Witness Format and is 10737418240 bytes (or 10 gigabytes) in size.  The tool also displays the MD5 hash value of the original data, which is stored inside the E01 container.  Notice that the response from this command is almost instant.  That is because the command is reading the hash recorded in the image file, not calculating it from the data.  If we were to hash the image file itself, the hash would be different.

$ md5sum nps-2008-jean.E01
647f22836426e071d8e1ccac6da54baf  nps-2008-jean.E01

The hashes differ because you are also hashing the container (checksums and all), not just the acquired data.  So how can we confirm that the original data has not been corrupted or damaged?  One option is to use the img_cat command (part of the Sleuth Kit) to output the original data.  Then, on Linux, we can pipe that output to the md5sum command to calculate the hash like this:

$ img_cat nps-2008-jean.E01 | md5sum
78a52b5bac78f4e711607707ac0e3f93  -

In this example the | stands for pipe, allowing the output of the img_cat command to be fed into the md5sum command; the - in place of a file name shows that md5sum read its input from the pipe rather than from a file.  If you were to run img_cat nps-2008-jean.E01 on its own, without piping it anywhere, you would be telling the computer to dump all of the raw data directly to the terminal that you are working in.  For this image file that isn't a problem, but if we were working with something 500 gigabytes or 2 terabytes in size you may find your computer unexpectedly crashing and burning.  Avoid this.
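As an added example (not part of the original post), here is a small POSIX shell script that automates the check above: it reads the MD5 recorded in the image with img_stat, recomputes the hash of the acquired data with img_cat | md5sum, and reports whether the two agree.  It assumes the Sleuth Kit's img_stat and img_cat and GNU md5sum are on the PATH, and that img_cat, given the first segment, reads the remaining segments (E02, ...) itself.

```shell
#!/bin/sh
# verify_ewf.sh: confirm that the data inside an E01 image still matches the
# MD5 recorded at acquisition time. Uses the same two Sleuth Kit commands as
# the post: img_stat (read the stored hash) and img_cat | md5sum (recompute).
# Assumes img_stat, img_cat and md5sum are on PATH.

# Read img_stat output on stdin and print the stored MD5 in lowercase hex.
# Prints nothing if no "MD5 hash of data:" line is present (e.g. a raw image).
stored_md5_from_img_stat() {
    sed -n 's/^MD5 hash of data:[[:space:]]*\([0-9A-Fa-f]\{32\}\).*$/\1/p' |
        tr 'A-F' 'a-f' | head -n 1
}

# Compare two MD5 strings case-insensitively. Prints MATCH or MISMATCH and
# returns 0 only on a match, so the result can drive a script or cron job.
# An empty stored hash is always a MISMATCH: "nothing to compare" is not "verified".
compare_md5() {
    a=$(printf '%s' "$1" | tr 'A-F' 'a-f')
    b=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    if [ -n "$a" ] && [ "$a" = "$b" ]; then
        echo "MATCH"
        return 0
    fi
    echo "MISMATCH"
    return 1
}

# Full check for one image. Pass the first segment (e.g. nps-2008-jean.E01);
# the raw data never reaches the terminal, it goes straight into md5sum.
verify_ewf() {
    img=$1
    stored=$(img_stat "$img" | stored_md5_from_img_stat)
    if [ -z "$stored" ]; then
        echo "error: no stored MD5 found in $img" >&2
        return 2
    fi
    computed=$(img_cat "$img" | md5sum | cut -d ' ' -f 1)
    printf 'image:    %s\nstored:   %s\ncomputed: %s\nresult:   ' \
        "$img" "$stored" "$computed"
    compare_md5 "$stored" "$computed"
}

# Usage: ./verify_ewf.sh nps-2008-jean.E01
if [ "$#" -ge 1 ]; then
    verify_ewf "$1"
fi
```

The printed stored/computed pair is what you would paste into your verification notes; the exit status (0 match, 1 mismatch, 2 no stored hash) lets you run the check over a batch of images.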
