Why is it important to know when you should create a RAW over an EO1 format and how do you
decide what to use? What do you think are two of the most important deciding factors in
choosing the file format?
RAW file is a flat, uncompressed, bit-by-bit copy that contains only the data from the source
disk. There is no metadata or heading within the image file and some tools may include the
metadata as a seperate file. The RAW file allows the image to be used with complatible forensic
tools, used by other vendors, and different techniques.
E01 is the file extension used by Encase and is based on Expert Witness Format (EWF)
(Source). EWF files are a kind of disk imaging that capture and "freeze" the contents of storage
devices. They are called evidence grade because of the embedded metadata. E01 has a
header/metadata within the image and incorporates a file integrity check calculation.
I think the two deciding factors with each format is determining the difference between using
RAW vs E01, whether incorporating metadata is needed, and what is needed during the
forensic investigation.
Reference:
Vandeven, S. (2014, September 15).
Forensic Images: For Your Viewing Pleasure
. SANS.
Retrieved May 21, 2023, from https://www.sans.org/white-papers/35447/
Expert Witness Disk Image Format (EWF) Family
. (n.d.).
https://www.loc.gov/preservation/digital/formats/fdd/fdd000406.shtml#:~:text=EWF%20files%20
are%20a%20type%20of%20disk%20image%2C%20a%20format,discs%2C%20or%20USB%20
flash%20drives.
SWGDE Best Practices for Computer Forensic Acquisitions
. (n.d.). SWGDE. Retrieved May 21,
2023, from
https://leocontent.umgc.edu/content/dam/course-content/tus/ccjs/ccjs-421/document/2018-04-2
5%20SWGDE%20Best%20Practices%20for%20Computer%20Forensic%20Acquisitions.pdf
