E01 (Was: Raspberry Pi floppy interface.

Chuck Guzis cclist at sydex.com
Mon Feb 4 17:32:24 CST 2019


On 2/4/19 2:49 PM, Fred Cisin via cctalk wrote:

> Well, conversion between E01 and IMD or teledisk formats looks
> straightforward.
> 
> http://www.forensicsware.com/blog/e01-file-format.html
> Is there a better description handy?
> 
> eg: What is the structure of the "Header Case Information" block?
> 
> The E01 would be adequate (barely), if accompanied by an additional
> "metadata" file that describes the physical format.  (In much more
> detail than just "IBM PC 360K", etc.)  For MOST situations, OS,
> encoding, bytes per sector, sectors per track, interleave, side pattern,
> size of index and inter-sector gaps, etc. might do.  That would still be
> far from PERFECT, because it would fail to catch several obvious ways to
> hide additional data on a disk;  eg. different physical interleaves that
> would still read the same on "normal" reading, or RSA encrypted data
> with the key stored in intersector gaps. Or, a small amount of data
> stored as locations of deliberate disk errors.  Think about ProLock.

Somewhere on the LOC website, there is a bit more detail--and source for
Linux tools under "ewf-tools" is also available.

The header information for E01 files is fairly rigid in structure.  But
a text description of, say, a Victor 9000 floppy is kind of hard to put
into 50 words or less.

There seems to be a notion that "an image used for forensic purposes" is
job-guarantee.  In fact, when the term "forensic" is used, it has to do
with crime detection and use as evidence in a legal proceeding.

That is, the point of forensic examination is to prove or disprove
something--completeness isn't necessary in all cases.  For example, if
examining DNA evidence is used to tie or eliminate a suspect, it isn't
necessary that the whole genome be sequenced; presence or absence of a
certain number of "markers' will do the job.

(I spent some years (1987-2000) providing products and training for law
enforcement forensics and am a life member of IACIS.)

So, when an archivist talks about forensic data image, I scratch my head
in bewilderment.  I try to put things in terms that they might
understand; to wit, "If you had temporary custody of an extremely rare
book, would you be content with just the text of the book, or would you
want photographic images of every page?"

But I'm sure that Fred is well acquainted with the "This is what they
told us was the Right Thing to Do, so that's what we want."  phenomenon.

--Chuck



More information about the cctech mailing list