A standard procedure for any forensic investigation is to make a secure copy of the disk to be examined. The most common formats include a straight sector-by-sector copy, known in Unix terms as 'DD'. The second is EWF, the Expert Witness Format, which has been adopted by EnCase and is often referred to by its file extension, .E01. Another format that may be encountered on a Unix system is the VMware Virtual Disk Format. Each has its uses and advantages, and all three are supported, read-only, by CnW Recovery software.
DD format is the simplest imaging format. Each sector (or block) read is stored in sequence in a single file, so the file is logically a copy of the physical device. It can be read by many programs with no overhead. However, there is also no integrity checking, so areas could be changed without being detected unless a checksum, such as an MD5 hash, has been saved elsewhere.
The CnW disk image is basically a DD image, but uses certain codes to indicate unread sectors. CnW will also read a standard DD image.
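The integrity point above is worth seeing in practice: a whole-image hash proves the DD file is unchanged, but only a per-sector digest list tells you where it changed. The following Python is an added example, not CnW's code: it builds a small constructed raw image in memory, records a whole-image MD5 and per-sector SHA-256 digests, and then locates a tampered sector. The helper names are assumptions for illustration.

```python
import hashlib
import hmac

SECTOR = 512  # bytes per sector, the usual size for a DD image


def make_sample_image(sector_count: int) -> bytearray:
    """Constructed stand-in for a DD image: sector i is filled with byte value i."""
    img = bytearray()
    for i in range(sector_count):
        img += bytes([i % 256]) * SECTOR
    return img


def image_digest(img: bytes, algo: str = "md5") -> str:
    """Whole-image digest of the kind that would be stored alongside a DD file."""
    return hashlib.new(algo, img).hexdigest()


def sector_digests(img: bytes, algo: str = "sha256") -> list:
    """One digest per sector, so a later change can be localised, not just detected."""
    return [
        hashlib.new(algo, img[off:off + SECTOR]).hexdigest()
        for off in range(0, len(img), SECTOR)
    ]


def verify_image(img: bytes, expected_digest: str, algo: str = "md5") -> bool:
    """True only if the image still matches the stored whole-image digest."""
    return hmac.compare_digest(image_digest(img, algo), expected_digest)


def changed_sectors(img: bytes, expected_sector_digests: list) -> list:
    """Indices of sectors whose digest no longer matches the stored list."""
    current = sector_digests(img)
    if len(current) != len(expected_sector_digests):
        raise ValueError("image size differs from the recorded sector count")
    return [i for i, (now, then) in enumerate(zip(current, expected_sector_digests)) if now != then]


if __name__ == "__main__":
    original = make_sample_image(16)
    whole = image_digest(original)
    per_sector = sector_digests(original)
    tampered = bytearray(original)
    tampered[5 * SECTOR + 10] ^= 0xFF  # flip one byte inside sector 5
    print("untouched image verifies:", verify_image(original, whole))
    print("tampered image verifies:", verify_image(tampered, whole))
    print("sectors that changed:", changed_sectors(tampered, per_sector))
```

The whole-image hash is what an examiner records at acquisition time; the per-sector list is cheap extra bookkeeping that turns "the image no longer matches" into "sector 5 no longer matches".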
E01 Format - or EWF
Expert Witness Format has been adopted by EnCase software and has hence become an industry standard for forensic disk images. Unlike DD, there is an element of description and comprehensive error checking. Disks may be imaged into a single file which, if uncompressed, will be slightly larger than the original disk size. Optional compression can be used to reduce the size; the saving depends on the disk data, as text will compress well but images and video will not. The EnCase file can be a single file or split into multiple files. Splitting was useful when it was common to store images on DVDs.
To read an E01 file, special software is required. The forensic version of CnW will read such files.
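To make the design described above concrete (chunked storage, optional compression that helps with text but not with incompressible data, per-chunk error checking, and splitting into segment files), here is an added Python example. It is a simplified toy modelling those ideas, not the real EWF on-disk layout and not CnW's or EnCase's code; the chunk size, header fields and function names are assumptions chosen for illustration, and the sample images are constructed in memory.

```python
import random
import struct
import zlib

CHUNK = 64 * 512  # toy chunk of 64 sectors; not the real EWF layout
# per-chunk header: compressed flag, stored payload length, Adler-32 of the original chunk
HEADER = struct.Struct("<BII")


def pack_chunk(chunk: bytes, compress: bool) -> bytes:
    """Store one chunk, keeping it raw when compression would not shrink it."""
    payload, flag = chunk, 0
    if compress:
        candidate = zlib.compress(chunk, 9)
        if len(candidate) < len(chunk):
            payload, flag = candidate, 1
    return HEADER.pack(flag, len(payload), zlib.adler32(chunk) & 0xFFFFFFFF) + payload


def unpack_chunk(blob: bytes) -> bytes:
    """Recover a chunk and reject it if the stored checksum no longer matches."""
    flag, length, expected = HEADER.unpack_from(blob)
    payload = blob[HEADER.size:HEADER.size + length]
    chunk = zlib.decompress(payload) if flag else payload
    if zlib.adler32(chunk) & 0xFFFFFFFF != expected:
        raise ValueError("chunk checksum mismatch: image was altered or damaged")
    return chunk


def chunk_is_intact(blob: bytes) -> bool:
    """True if the chunk decodes and its checksum verifies (corruption of any kind -> False)."""
    try:
        unpack_chunk(blob)
        return True
    except (ValueError, zlib.error, struct.error):
        return False


def pack_image(img: bytes, compress: bool) -> list:
    return [pack_chunk(img[off:off + CHUNK], compress) for off in range(0, len(img), CHUNK)]


def unpack_image(chunks: list) -> bytes:
    return b"".join(unpack_chunk(c) for c in chunks)


def stored_size(chunks: list) -> int:
    return sum(len(c) for c in chunks)


def split_segments(chunks: list, max_bytes: int) -> list:
    """Group packed chunks into segment 'files' no larger than max_bytes (E01, E02, ... style)."""
    segments, current, size = [], [], 0
    for c in chunks:
        if current and size + len(c) > max_bytes:
            segments.append(current)
            current, size = [], 0
        current.append(c)
        size += len(c)
    if current:
        segments.append(current)
    return segments


def constructed_text_image(chunks: int = 4) -> bytes:
    """Constructed, highly compressible sample (repeated text)."""
    return (b"forensic image chunk of plain text " * 20000)[:chunks * CHUNK]


def constructed_random_image(chunks: int = 4) -> bytes:
    """Constructed, incompressible sample from a seeded PRNG (deterministic, no entropy claim)."""
    return random.Random(1).randbytes(chunks * CHUNK)


if __name__ == "__main__":
    for name, img in (("text", constructed_text_image()), ("random", constructed_random_image())):
        raw, comp = pack_image(img, False), pack_image(img, True)
        print(f"{name}: raw {stored_size(raw)} bytes, compressed {stored_size(comp)} bytes")
    print("segments for a 2-chunk limit:", len(split_segments(pack_image(constructed_text_image(), False), 2 * CHUNK + 2 * HEADER.size)))
```

Run as written, the text image shrinks to a small fraction of its raw size while the pseudorandom image stays at raw size plus header overhead, which is the behaviour the paragraph describes. The checksum check is what separates this from a plain DD copy: a byte flipped inside a stored chunk is caught on read.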
Virtual Disk Format
The VMware virtual disk format is probably most common with Unix-based systems. As with E01, it requires special software to read. One main aspect that makes it different from the formats listed above is that it need not be a complete image; instead it is a sparse image. This means that only used sectors are saved, so for a lightly used disk the working image may be considerably smaller than the original disk capacity. The image can also be built up in sections, as it is all controlled by a series of pointers stored at the start of the file, in a method not dissimilar to FAT32, but on multiple levels.
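The multi-level pointer idea is easier to grasp in code. The following Python is an added example, not VMware's or CnW's code and not the real VMDK layout: a toy sparse image where a directory at the start of the file points to tables, each table points to stored grains (groups of sectors), and anything never written occupies no space and reads back as zeros. Grain size, table size, header fields and class/method names are assumptions chosen for illustration.

```python
import struct

SECTOR = 512
GRAIN_SECTORS = 8                      # toy: 8 sectors (4 KiB) per grain
TABLE_ENTRIES = 512                    # toy: each table covers 512 grains
GRAIN_BYTES = GRAIN_SECTORS * SECTOR
HEADER = struct.Struct("<QII")         # capacity in sectors, directory entries, tables stored


class SparseImage:
    """Only grains that were written exist; everything else is implicitly zero."""

    def __init__(self, capacity_sectors: int):
        self.capacity = capacity_sectors
        self.grains = {}  # grain number -> bytearray(GRAIN_BYTES)

    def write_sector(self, lba: int, data: bytes) -> None:
        if not 0 <= lba < self.capacity or len(data) != SECTOR:
            raise ValueError("bad LBA or sector size")
        g, off = divmod(lba, GRAIN_SECTORS)
        grain = self.grains.setdefault(g, bytearray(GRAIN_BYTES))  # allocate on first write
        grain[off * SECTOR:(off + 1) * SECTOR] = data

    def read_sector(self, lba: int) -> bytes:
        g, off = divmod(lba, GRAIN_SECTORS)
        grain = self.grains.get(g)
        if grain is None:
            return bytes(SECTOR)  # unallocated grain: reads as zeros, costs nothing on disk
        return bytes(grain[off * SECTOR:(off + 1) * SECTOR])

    def allocated_bytes(self) -> int:
        return len(self.grains) * GRAIN_BYTES

    def serialize(self) -> bytes:
        """Layout: header | directory (one uint32 per table) | stored tables | grain data."""
        total_grains = -(-self.capacity // GRAIN_SECTORS)
        n_tables = -(-total_grains // TABLE_ENTRIES)
        used_tables = sorted({g // TABLE_ENTRIES for g in self.grains})
        tables_off = HEADER.size + 4 * n_tables
        data_off = tables_off + 4 * TABLE_ENTRIES * len(used_tables)
        directory = [0] * n_tables          # 0 = no table stored for this range
        tables, data = [], bytearray()
        for ti, t in enumerate(used_tables):
            directory[t] = tables_off + ti * 4 * TABLE_ENTRIES
            table = [0] * TABLE_ENTRIES     # 0 = grain never written
            for e in range(TABLE_ENTRIES):
                g = t * TABLE_ENTRIES + e
                if g in self.grains:
                    table[e] = data_off + len(data)
                    data += self.grains[g]
            tables.append(table)
        out = bytearray(HEADER.pack(self.capacity, n_tables, len(used_tables)))
        out += struct.pack(f"<{n_tables}I", *directory)
        for table in tables:
            out += struct.pack(f"<{TABLE_ENTRIES}I", *table)
        out += data
        return bytes(out)

    @classmethod
    def load(cls, blob: bytes) -> "SparseImage":
        """Follow directory -> table -> grain pointers; skip every zero pointer."""
        capacity, n_tables, _ = HEADER.unpack_from(blob)
        img = cls(capacity)
        directory = struct.unpack_from(f"<{n_tables}I", blob, HEADER.size)
        for t, t_off in enumerate(directory):
            if t_off == 0:
                continue
            table = struct.unpack_from(f"<{TABLE_ENTRIES}I", blob, t_off)
            for e, g_off in enumerate(table):
                if g_off:
                    img.grains[t * TABLE_ENTRIES + e] = bytearray(blob[g_off:g_off + GRAIN_BYTES])
        return img


if __name__ == "__main__":
    img = SparseImage(2 ** 21)           # 1 GiB of addressable sectors
    img.write_sector(0, b"\x01" * SECTOR)
    img.write_sector(123456, b"\x02" * SECTOR)
    img.write_sector(2 ** 21 - 1, b"\x03" * SECTOR)
    blob = img.serialize()
    print("capacity:", img.capacity * SECTOR, "bytes; stored file:", len(blob), "bytes")
    print("unwritten sector reads as zeros:", SparseImage.load(blob).read_sector(5000) == bytes(SECTOR))
```

Three scattered sector writes on a 1 GiB capacity produce a file of about 20 KiB: a 2 KiB directory, one 2 KiB table for each of the three ranges touched, and three 4 KiB grains. That is the sparse behaviour the paragraph describes, and the two-level pointer chain is what lets the image grow in sections as more grains are written.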