Understanding All About EX01 File Forensics

Author: Kathy Anderson
Posted: Mar 29, 2020

Summary: This blog describes how to open EX01 or forensic E01 files so that potential artefacts can be analysed easily.

With the growing number of Internet users, security has become a major issue in maintaining confidentiality and integrity among users. The steps carried out in any cybercrime investigation involve searching for, collecting and analysing evidence. The collected evidence files must be stored in the right file format. Two of the most widely used file formats for storing raw image evidence files are the Evidence Image File (EX01) and the Logical Evidence File (LX01). To analyze evidence files with speed and accuracy, here we shed light on the proven MailXaminer software.

EX01 File Format

The EX01 file (Evidence Image File) is the primary evidence file, with the extension .ex01 (or .e01 for forensic E01 files), used to collect and analyze information in digital forensics. It contains case information such as name, date, time and notes. These files are mainly used to protect evidential facts and to help present evidence in courts of law. The EX01 file is essentially a duplicate of the contents taken from a disk, and it can be mounted and read with forensic software.

In addition, the forensic E01 file was replaced by EX01 with the release of a new version of the EnCase 7 software. EX01 comes with advanced security attributes such as AES256 encryption, LZ compression, and MD5 and SHA-1 hashing. Files in EX01 format are supported only by certain software. They contain data files and media files. That is why one must use dedicated software to view these files.

How EX01 Differs From LX01 File Format?

LX01 (Logical Evidence File) contains individual files taken from the main evidence file (EX01) and is used to store important evidence for forensic purposes. LX01 allows users to categorize the evidence without loading the whole EX01 file to view it. The L01 file was replaced by the LX01 file because LX01 offers more advanced security features.

Structure of Forensic E01/EX01 File Format

In this section, we will discuss the structure of the EX01 file format. An EX01 image file contains Header Case Information, CRC, Data Blocks and MD5/SHA-1. Now, let's take a brief look at each part:

Header: The header of the EX01 file holds the case information, such as the name of the person, case name, media description, date/time, and the operating system installed on the device.

CRC (Cyclic Redundancy Check): CRC is a hash function used for error detection in EX01 files and to check for any accidental changes in the original data. A CRC code is created by the software for each data block at the start of acquisition and stored with the data.

Data Blocks: EX01 files store their data in blocks. The data is split into blocks, and CRC checksums are inserted between every data block for error detection.

Footer: This section of the EX01 file holds the hash value of the data contained in the file. The generated hash value can be compared with the value for the same file created by another tool. If both values match, then no changes have been made to the original file.
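An added example, not code from the original post or from EnCase or MailXaminer: a deliberately simplified container (not the real EX01 on-disk layout) showing how per-block CRCs locate a damaged block while the footer MD5/SHA-1 confirm whether the whole image still matches. The record layout, block size, function names and sample bytes are all assumptions made for the illustration.

```python
import hashlib
import struct
import zlib

BLOCK_SIZE = 64  # assumption: toy block size chosen for the illustration


def build_image(data: bytes) -> bytes:
    """Pack data as [len][block][CRC32]... then an MD5 + SHA-1 footer."""
    out = bytearray()
    for i in range(0, len(data), BLOCK_SIZE):
        block = data[i:i + BLOCK_SIZE]
        out += struct.pack("<H", len(block)) + block
        out += struct.pack("<I", zlib.crc32(block))
    out += struct.pack("<H", 0)  # zero length ends the data blocks
    return bytes(out) + hashlib.md5(data).digest() + hashlib.sha1(data).digest()


def verify_image(image: bytes) -> dict:
    """Re-check each block CRC, then compare the footer hashes."""
    pos, index, bad_blocks = 0, 0, []
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    while True:
        (length,) = struct.unpack_from("<H", image, pos)
        pos += 2
        if length == 0:
            break
        block = image[pos:pos + length]
        (stored_crc,) = struct.unpack_from("<I", image, pos + length)
        if zlib.crc32(block) != stored_crc:
            bad_blocks.append(index)  # damage is localized to this block
        md5.update(block)
        sha1.update(block)
        pos += length + 4
        index += 1
    return {
        "blocks": index,
        "bad_blocks": bad_blocks,
        "md5_ok": md5.digest() == image[pos:pos + 16],
        "sha1_ok": sha1.digest() == image[pos + 16:pos + 36],
    }


# Constructed sample data, plus a copy with one byte flipped inside block 2.
SAMPLE = bytes(range(256))
GOOD = build_image(SAMPLE)
OFFSET = 2 * (2 + BLOCK_SIZE + 4) + 2 + 10  # skip two records, then 10 bytes in
DAMAGED = GOOD[:OFFSET] + bytes([GOOD[OFFSET] ^ 0xFF]) + GOOD[OFFSET + 1:]

print(verify_image(GOOD), verify_image(DAMAGED))
```

The footer hashes alone only say that something changed; the block checksums say where.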

Hash Function of EX01/E01 File Forensics

The header is in the first evidence file, and there is no header section in any of the subsequent evidence files. The MD5/SHA-1 value is written after the last data block, with metadata affixed to the end. When the first evidence file is written, the file extension for the first file is EX01; the second file is EX02, and so on, until it reaches 100. The file extension for 100 is EXAA, for 101 EXAB, and this continues until file number 126, i.e. EXAZ. Then, the file extension for file number 127 is EXBA. This chain continues until the last evidence file is created. After the last evidence file, the MD5/SHA-1 value is written in the last data block and metadata is attached to the end.

Purpose of EX01 File Type in Digital Forensics

  • EX01/E01 file forensics helps the examiner to investigate the evidence from data stored in a file.
  • Forensic E01 file provides security for the data, such as AES256, LZ compression, etc.
  • It keeps all the files without any data loss.
  • Provides integrity of data through hashing mechanisms such as MD5 and SHA1.
  • Encrypts the data with the help of public and private keys.
  • Stores large amounts of data in a single file.

Examine EX01 File Format Through MailXaminer

MailXaminer is the best software to search and analyze the data of an EX01 evidence file. The basic steps to examine the data of an EX01 file are as follows:

Step 1: Add the EX01 file to search and analyze the evidence.

Step 2: Preview the forensic E01 file. After the scanning is finished, the user can search the data in the file using systematic searches. Click on the "Search" button; there, users will find several email search methods such as General Search, Proximity Search, Regular Search, Stem Search, Fuzzy Search, and Wildcard Search.

  • General Search: A basic search mechanism that searches for the entered term by scanning all the files and shows where the exact term is used by highlighting it in yellow.
  • Proximity Searches: A proximity search is a search mechanism that helps the user find two or more words that are separated by a specific distance.
  • Regular Expression: Regular Expression is a more advanced search mechanism that helps to catch evidence in forensic email data using several sequences of patterns.
  • Stem Searches: Stem search is another mechanism that searches for words with the help of their root word.
  • Fuzzy Search: Fuzzy search is another search option for finding evidence within the emails. It helps the user to do premise search to examine EX01 file forensics.
  • Wildcard Searches: Wildcard search is an advanced search mechanism for finding evidence within the emails. It shows results for one or more characters by using two wildcards, i.e. * (Asterisk) and ? (Question Mark).

Step 3: Powerful Search Mechanism. MailXaminer provides the option of Logical Search Operators (AND, OR, NOT).

Step 4: Advanced analytics option in MailXaminer. Users can use the advanced analytics options for analysis. This option offers various methods, such as Word Cloud, Timeline Analysis, Link Analysis, and Entity Analysis, to find the evidence in the data.

Step 5: Export Option. MailXaminer allows users to export the potential evidential file into multiple file formats such as PDF, EML, MSG, HTML, etc. to investigate the forensic EX01 file.

The Final Verdict

To help examine EX01 files thoroughly, this blog has covered the EX01 and LX01 evidence files, the structure of EX01 and the function of EX01. EX01 has four essential parts: the Header, CRC, Data Blocks and Footer. We have also discussed how to examine the EX01 file format through MailXaminer in an understandable way.

I am a Technical Content Writer with vast knowledge of technology. I have a passion for sharing thoughts and solving user queries by writing posts about them.

