DME Forensics Blog

Forensic Images for DVR Analysis - E01 or DD

Many computer forensic examiners utilize the E01 forensic image file format to store bit-for-bit copies of the hard drives used in their examinations. It is the default imaging option for many computer forensics tools and has become a de facto standard of sorts.

While somewhat lesser known, the raw image file format also produces a bit for bit copy of the contents of a drive. This format is often referred to as the DD format due to the tool which originally generated such images.

There are two main differences between the two formats. First, raw image files do not contain any metadata; they are simply an exact raw copy of the original data. Second, E01s natively support compression, which typically results in a much smaller image file size.

At face value, E01 seems to be the superior format. It offers additional metadata and space savings, so what isn’t to like? As you'll see, for those of us examining hard drives from DVRs, using E01s may not be the best choice.

Traditional Computer Hard Drives vs. DVR Hard Drives

Think for a moment about a typical computer hard drive that might be subjected to a computer forensics examination. Among other things, an examiner is likely to encounter free space and compressible data (high-quality pictures, videos, etc.).

Now consider what is typically contained on a hard drive from a DVR. First, there is usually little to no free space. The devices generally run 24/7 and overwrite themselves constantly. In addition, the data recorded is heavily compressed (with lossy technologies like H.264 and JPEG).

Effects of Compression in E01

Lossless compression (the type used in E01, ZIP, and many other applications) does a great job of offering the ability to save space while being able to recreate the original data exactly. There are two issues, however. First, if the original data is already compressed, the space savings won’t amount to much. More importantly, the process of compressing/decompressing isn’t free – there is overhead associated with it. This will mean less performance. That loss in performance might be worth it if you are achieving 50% space savings, but if your drive is full of already-compressed data, your space savings won’t come close to that number.
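To make the two points above concrete, here is a small Python model added for this post (not code from the original article or from any forensic tool): it cuts constructed sample data into fixed-size chunks, deflates each chunk on its own in the way an E01 container does, and then runs the same string search against the raw bytes and against the compressed chunks. The 32 KiB chunk size and zlib level 6 are assumptions of the model; random bytes stand in for already-compressed DVR video, repeating text for the compressible data found on a computer drive.

```python
import os, time, zlib

# Model of an E01-style image: the drive is cut into fixed-size chunks and each chunk is
# deflated on its own (E01 uses zlib; the 32 KiB chunk and level 6 are assumptions here).
CHUNK = 32 * 1024

def make_sample(n_chunks, already_compressed):
    # Constructed data: random bytes stand in for H.264/JPEG output (nothing left for
    # deflate to squeeze); repeating text stands in for free space on a computer drive.
    size = CHUNK * n_chunks
    if already_compressed:
        return os.urandom(size)
    pattern = b"FREE SPACE AND COMPRESSIBLE DATA "
    return (pattern * (size // len(pattern) + 1))[:size]

def compress_chunks(data, level=6):
    # Deflate every chunk independently, as an E01 writer does.
    return [zlib.compress(data[i:i + CHUNK], level) for i in range(0, len(data), CHUNK)]

def space_savings(data, level=6):
    # Fraction of space saved; negative means the container overhead made it grow.
    stored = sum(len(c) for c in compress_chunks(data, level))
    return 1.0 - stored / len(data)

def search_compressed(chunks, needle):
    # E01-style image: every chunk has to be inflated before it can be examined.
    # A tail of len(needle)-1 bytes is carried so a hit spanning two chunks is still found.
    offset, carry = 0, b""
    for c in chunks:
        plain = zlib.decompress(c)
        buf = carry + plain
        hit = buf.find(needle)
        if hit != -1:
            return offset - len(carry) + hit
        carry = buf[-(len(needle) - 1):] if len(needle) > 1 else b""
        offset += len(plain)
    return -1

def timed_search(data, needle):
    # Seconds spent on the same search against the raw (DD) bytes and the compressed chunks.
    chunks = compress_chunks(data)
    t0 = time.perf_counter(); data.find(needle)
    t1 = time.perf_counter(); search_compressed(chunks, needle)
    return t1 - t0, time.perf_counter() - t1

if __name__ == "__main__":
    for label, comp in (("DVR-like", True), ("computer-like", False)):
        sample = make_sample(64, comp)  # 2 MiB constructed sample
        raw_s, e01_s = timed_search(sample, b"UNFINDABLE")
        print(f"{label}: savings {space_savings(sample):.1%}, raw {raw_s:.4f}s, E01-style {e01_s:.4f}s")
```

Running it shows the DVR-like sample saving essentially nothing (slightly negative, since each stored chunk still carries zlib framing) while the compressed-chunk search pays for an inflate on every chunk; the computer-like sample compresses by well over 90%.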

Experiment

Let’s do a short test to illustrate the above points. We’ll use a 500 GB 7200 RPM Western Digital SATA hard drive (approximately 466 GB of actual capacity). This particular hard drive was utilized in a real world DVR and was entirely allocated (full).

The destination hard drive for imaging/searching was an empty 1TB 10000 RPM Western Digital SATA hard drive. This is one of the fastest spinning disks on the market, so your results may vary depending on your hardware.

The test hard drive was imaged using AccessData’s FTK Imager in an unsegmented E01 format using the default compression setting (“6”). The imaging process completed in about 1 hour and 27 minutes. The resulting image file was approximately 434 GB, yielding a savings of about 32 GB (a little less than 7%).

The E01 image was loaded into FTK Imager and a search for the (not present) ASCII text string (“UNFINDABLE”) was performed from the beginning of the first sector. The search process completed in approximately 1 hour 53 minutes.

The destination hard drive was formatted between tests in order to avoid any possible effects of fragmentation.

The test hard drive was imaged using AccessData’s FTK Imager in an unsegmented raw DD format. The imaging process completed in 1 hour 24 minutes. With no compression, the resulting image was obviously 466 GB.

The DD image was loaded into FTK Imager and a search for the same ASCII text string was performed from the beginning of the first sector. The search process completed in approximately 1 hour 6 minutes.

Results

Filetype   Time to Image   Space Savings   Time to Search
E01        1:27:06         32 GB (7%)      ~1:53:00
DD         1:24:44         N/A             ~1:06:00

Obviously the time to create the image was about the same, and we didn’t save much space (less than 7%) by using E01. Looking at the search performance numbers, however, you’ll notice that our search was about 42% faster using the raw DD format than E01. That was just one search, so if you are doing a lot of analysis on this data, that performance increase can really make a difference over the course of the examination.

These tests don’t take into account segmented image files. Segmentation (whether in E01 or DD format) does introduce some amount of overhead. We may explore this difference in a future blog post, but in short, you’ll see a slight performance gain by using unsegmented image files whenever possible.