How to Mount E01 EnCase Image in Windows
How to Mount E01 in Windows Quickly
The most significant tool used in forensics is the EnCase Forensic tool, launched by Guidance Software Inc. E01 (EnCase Image File Format) is the file format used to store an image of the data on a hard drive. It is necessary to understand this file format before looking at the process to mount E01 in Windows. The format holds a backup of different types of digital evidence, such as disk images and stored logical files. When a forensic expert or an investigator uses EnCase to back up the data stored on a hard disk, a physical bitstream copy of the data is produced. This process is commonly called disk imaging.
To better understand the relation between EnCase and the E01 image file format, consider creating an image of the data on a hard disk. EnCase divides the complete data into chunks of 640 MB, so multiple files are created. The file name stays the same but the file extension changes, for example S01.E01, S01.E02 and so on. In other words, the extension changes each time the 640 MB limit is exceeded, without affecting the internal structure.
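Because an image is split across several segment files, it is worth confirming that the set is complete before mounting it. The following PowerShell function is an added example, not part of the original article or of any tool named in it; it assumes the publicly documented EWF-E01 segment header layout shown in its comments, and the function name and sample path are hypothetical.

```powershell
# Added example. Assumed EWF-E01 file header (first 13 bytes of every segment):
#   bytes 0-7   signature 45 56 46 09 0D 0A FF 00 ("EVF" followed by 5 bytes)
#   byte  8     0x01
#   bytes 9-10  segment number, little-endian
#   bytes 11-12 0x0000
function Test-E01SegmentSet {
    param([Parameter(Mandatory)][string]$FirstSegment)  # e.g. C:\evidence\S01.E01 (hypothetical)

    $first = Get-Item -LiteralPath $FirstSegment
    # Sibling files with the same base name and an E?? extension (.E01, .E02, ...)
    $candidates = Get-ChildItem -LiteralPath $first.DirectoryName -File |
        Where-Object { $_.BaseName -eq $first.BaseName -and $_.Extension -match '^\.E[0-9A-Z]{2}$' }

    $seen = @{}   # segment number taken from the header (not the extension) -> file name
    foreach ($file in $candidates) {
        $header = New-Object byte[] 13
        $stream = [System.IO.File]::OpenRead($file.FullName)
        try { $read = $stream.Read($header, 0, 13) } finally { $stream.Dispose() }

        $sig = [System.BitConverter]::ToString($header, 0, 8)
        if ($read -lt 13 -or $sig -ne '45-56-46-09-0D-0A-FF-00') {
            Write-Warning "$($file.Name): no EWF signature, skipped"
            continue
        }
        # BitConverter is little-endian on Windows, matching the on-disk field
        $number = [int][System.BitConverter]::ToUInt16($header, 9)
        if ($seen.ContainsKey($number)) {
            Write-Warning "$($file.Name): segment number $number already used by $($seen[$number])"
        }
        $seen[$number] = $file.Name
    }

    $highest = [int]($seen.Keys | Measure-Object -Maximum).Maximum
    $missing = @()
    if ($highest -ge 1) {
        $missing = @(1..$highest | Where-Object { -not $seen.ContainsKey($_) })
    }
    foreach ($n in $missing) { Write-Warning "segment number $n is missing" }

    # Limitation: a missing final segment cannot be detected from headers alone
    [pscustomobject]@{
        Found    = $seen.Count
        Highest  = $highest
        Missing  = $missing
        Complete = ($seen.Count -gt 0 -and $missing.Count -eq 0)
    }
}
```

Call it as Test-E01SegmentSet -FirstSegment C:\evidence\S01.E01 and check that Complete is True before mounting the image.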
Because the format is important from the forensic point of view and is produced by the EnCase Forensic tool, an investigator needs to mount E01 in Windows to open it. This article therefore discusses a method to mount an E01 (EnCase) image file in Windows.
Smart Solution: E01 Viewer tool helps to open and read E01 image files.
Need to Mount E01 in Windows
Mounting an E01 file is one of the most important tasks performed by investigators. Whenever a forensic expert needs to examine digital evidence in an EnCase image file, it becomes very important to mount the file on a platform such as Windows. Because the EnCase forensic tool creates the backup of the data on a hard disk in image form, one needs to mount it on a version of Microsoft Windows in order to access the backup files. Another case is when a user receives a file in .E01 format and needs to mount E01 in Windows to access it.
How to Mount EnCase Image File (E01) in Windows
There is no native means to mount E01 in Windows. Therefore, one needs to use one of the free tools available to mount an E01 file in Windows. Here, we discuss the manual steps using free tools to mount E01 in Windows, i.e. FTK Imager and VirtualBox.
Pre-requisites for Mounting E01 file
- FTK Imager must be installed on the machine before you mount E01 in Windows.
- Install VirtualBox and the VirtualBox Extension Pack on your system.
- You must have admin rights to mount an E01 file.
Steps to Mount EnCase E01 File in Windows
1. First, open FTK Imager and navigate to Image Mounting
2. After that, choose the E01 image that you want to mount
3. Now, click on the Mount button and note which physical drive the image is mapped to
4. Then, create a new folder and open a command prompt as administrator
5. Type cd "c:\Program Files\Oracle\VirtualBox" and press Enter
6. After that, run the command below, replacing \\.\physicaldrive3 with the physical drive noted in step 3:
vboxmanage internalcommands createrawvmdk -filename c:\temp\securityisfun.net\securityisfun.vmdk -rawdisk \\.\physicaldrive3
7. Now, run VirtualBox as administrator and create a new virtual machine that matches the OS of the image
8. Start and run the virtual machine
9. If the virtual machine shows a blue screen, try changing the HDD controller type, which is IDE by default, to SAS, SCSI or SATA. You can change this in the settings of the virtual machine as described below:
- First, delete the existing HDD controller.
- Now, add a new controller, e.g. SAS.
- After that, add a new disk and select the Choose an existing disk option.
- Point it to the virtual disk file that you created.
10. If the blue screen still appears, it may be because Windows cannot see the drive. In that case, try the following steps, which change the registry to enable other drivers on boot:
- Unmount the image that you mounted with FTK Imager.
- Now, mount E01 in Windows again with FTK Imager, but this time with different options:
Mount Type: Physical & Logical
Drive Letter: Take the default
Mount Method: Block Device / Writable
- The partitions of the image are now mounted and accessible.
- Now, run regedit.exe as an administrator.
- After that, select HKEY_LOCAL_MACHINE.
- Choose Load Hive (in the File menu) and point it to the SYSTEM hive of the Windows partition of the mounted image.
- Then, enter any name, such as abc.net, when prompted. An additional registry key with the name you typed appears.
- Go to abc.net\ControlSet001\Services
- Search for LSI_SCSI and click on it
- Then, change the Start value to “0” (zero) so that this driver is loaded at boot time
- Exit Regedit and try to boot the virtual machine again
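The registry change from step 10, scripted for an elevated PowerShell prompt. This is an added example, not part of the original procedure: the function name and the drive letter F: are assumptions, and reading Select\Current to pick the control set goes beyond the page, which edits ControlSet001 directly.

```powershell
# Added example: load the offline SYSTEM hive, set a driver to boot start, unload.
# Requires the "Block Device / Writable" mount from step 10 and an elevated prompt.
function Enable-OfflineBootDriver {
    param(
        [string]$WindowsDrive = 'F:',       # assumed drive letter of the mounted Windows partition
        [string]$HiveName     = 'abc.net',  # temporary key name under HKEY_LOCAL_MACHINE, as in step 10
        [string]$Service      = 'LSI_SCSI'  # driver named in step 10
    )

    $hiveFile = "$WindowsDrive\Windows\System32\config\SYSTEM"
    if (-not (Test-Path -LiteralPath $hiveFile)) {
        throw "SYSTEM hive not found at $hiveFile"
    }

    & reg.exe load "HKLM\$HiveName" $hiveFile | Out-Null
    if ($LASTEXITCODE -ne 0) {
        throw 'reg load failed: check elevation and that the mount is writable'
    }

    try {
        # Select\Current holds the number of the control set Windows boots from
        $current = (Get-ItemProperty -Path "HKLM:\$HiveName\Select" -Name Current).Current
        $key = 'HKLM:\{0}\ControlSet{1:D3}\Services\{2}' -f $HiveName, $current, $Service
        if (-not (Test-Path -Path $key)) {
            throw "$Service has no service key in control set $current"
        }

        $old = (Get-ItemProperty -Path $key -Name Start).Start
        Set-ItemProperty -Path $key -Name Start -Value 0 -Type DWord   # 0 = load at boot
        '{0}: Start {1} -> 0' -f $key, $old    # record the previous value for your notes
    }
    finally {
        # Release PowerShell's handles on the hive, otherwise the unload is refused
        [gc]::Collect()
        [gc]::WaitForPendingFinalizers()
        & reg.exe unload "HKLM\$HiveName" | Out-Null
    }
}
```

The function unloads the hive in every case, so the temporary key does not stay attached to the analysis machine's own registry.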
Conclusion
The EnCase image file (E01) is the most important way of performing the disk imaging task. It has become a very particular and beneficial medium for forensic investigators to back up the data on a hard disk and examine it later. Therefore, to analyze the data from the forensic point of view, it is important to first mount E01 in Windows and then access it. Hence, this article has discussed a method to mount an EnCase image in Windows that a user can follow to perform the mounting task successfully.
FAQs
Q- What is an E01 Encase Image File?
A forensic image file format developed by forensic software such as EnCase, FTK Imager, etc. is called an E01 file. It includes a bit-by-bit copy of the original storage medium, capturing file structures and metadata in addition to data.
Q- Can I Mount an E01 Image Without Forensic Software?
Although forensic software is advised for correct handling, some unofficial tools can have restricted E01 image mounting capabilities. However, using specialized software is advised for forensic analysis and integrity preservation.
Q- Are There Any Risks of Data Alteration When Mounting an E01 Image?
There is very little chance of data modification or alteration when you use reliable forensic tools. These tools are designed to mount images in a read-only mode to ensure the integrity of the original evidence.
Q- What Precautions Should I Take Before Mounting an E01 Image?
To maintain the integrity of the original image file, make sure you have a validated backup before mounting an E01 image. To take advantage of security upgrades and enhancements, make sure the forensic software you are using is up to date.
Q- Can I Mount E01 Images Created by Other Forensic Tools?
Yes, the majority of forensic products, such as FTK Imager and Arsenal Image Mounter, support a wide range of forensic image formats. E01 images made with various forensic tools can usually be mounted.