EnCase Evidence File Format

The EnCase evidence file is often called the image file. This is a carryover from the original imaging methods that had their roots in the Unix dd command. In Linux or Unix, everything is a file. Thus, a device, such as a hard drive, can be addressed as a file. Using the dd command, you can copy one hard drive onto another hard drive with the apparent ease of copying a file, although the process certainly takes longer. The copy produced can be a stream of data sent from the original drive to the copy drive, with the end result being two identical drives, assuming the copy drive contained the same number of sectors. Alternatively, you could direct the copy to an actual file instead of a device. The end result of this ...
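The raw imaging workflow the paragraph describes, as an added shell example that is not from the book: a constructed file stands in for a block device (on a real system the source would be a device node such as `/dev/sdb`, which is not assumed here), `dd` streams every byte of it into an image file, and the copy is verified by comparing hashes. The `conv=noerror,sync` options, the 512-byte block size and the helper names are this example's choices, not EnCase's.

```shell
#!/bin/sh
# Added example: image a "device" with dd and verify the copy by hash.
# The source is a constructed regular file used in place of a block device.
set -eu

make_sample_device() {
  # Constructed sample "disk": 128 sectors of 512 bytes (64 KiB), so its size
  # is sector-aligned exactly as a real drive's would be.
  dd if=/dev/urandom of="$1" bs=512 count=128 2>/dev/null
}

image_device() {
  # Stream the source ($1) to the image file ($2) one sector at a time.
  # conv=noerror keeps reading past unreadable sectors instead of aborting;
  # conv=sync pads a short final read with zeros so every offset in the image
  # lines up with the same offset on the source. On a sector-aligned source
  # nothing is added; on a file whose size is not a multiple of bs, the
  # last block is zero-padded and the image hash will NOT match the source.
  dd if="$1" of="$2" bs=512 conv=noerror,sync 2>/dev/null
}

hash_file() {
  # SHA-256 of a file; falls back to shasum on systems without sha256sum.
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

verify_image() {
  # Succeeds (exit 0) only when the image hashes identically to the source.
  [ "$(hash_file "$1")" = "$(hash_file "$2")" ]
}

file_size() {
  wc -c < "$1" | tr -d ' '
}

demo() {
  dir=$(mktemp -d)
  src="$dir/sdb.bin"
  img="$dir/sdb.dd"
  make_sample_device "$src"
  image_device "$src" "$img"
  if verify_image "$src" "$img"; then
    echo "image verified: sha256 $(hash_file "$img"), $(file_size "$img") bytes"
  else
    echo "hash mismatch between $src and $img" >&2
  fi
  rm -rf "$dir"
}

demo
```

The hash comparison is the point of the exercise: an image is only evidence if it can be shown to be byte-for-byte identical to the source, and the padding behaviour of `conv=sync` is the common reason a hash of a non-sector-aligned source does not match its image.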
