Imaging to an E01 File with MD5 and SHA-1 Hashes
In recent years, the E01 file format has become the de facto standard for forensic imaging because it can store not only a physical or logical copy of a source drive but also case and evidence details. An E01 file can also contain both MD5 and SHA-1 hashes, and forensic specialists consider it good practice to calculate both hashes while imaging the evidence so that they are included in the E01 file.
To image a source evidence drive to an E01 file, you have to add a new target file.
Select a new E01 file
- In the sidebar, click Imaging.
- Click Create New Session.
- In the Target Device Selection dialog, click the Create Image File link.
- In the Image File Selection dialog, select the E01 file extension in the drop-down menu to create an image file with this extension, and enter the name you prefer in the File Name field.
- In the Image File Options dialog, fill out all the relevant fields. You can also do this later, on the file's Home page, once the file has been created.
- In the Target Device Selection window, click the Select button.
- Insight creates an E01 file with a current capacity of 0 bytes. Its final capacity will be determined by the amount of imaged data it contains plus the metadata.
Calculate the hashes during imaging
- In the sidebar, click Imaging.
- Click Create New Session.
- In the Preset line, click the Show settings link.
- On the Passes and Hash tab, select the Hash source during imaging option.
- In the Hash method list, select Linear.
- In the Hash type list, select MD5 and SHA-1.
- Click Start imaging.
- Upon completion of imaging, on the Imaging Results page, Insight displays both MD5 and SHA-1 hashes.
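Added example, not part of the Insight documentation: a Python reader that pulls the MD5 and SHA-1 values stored inside an E01 segment so they can be compared with the values on the Imaging Results page. The section layout it relies on (13-byte file header, 76-byte section descriptors, `hash` and `digest` sections) follows the publicly documented EWF format and is an assumption here, not something this page specifies; the sample segment is constructed.

```python
import hashlib
import struct
import zlib

EVF_SIGNATURE = b"EVF\x09\x0d\x0a\xff\x00"  # 8-byte magic (assumed per public EWF docs)
FILE_HEADER_LEN = 13                         # magic + start byte + segment no. + end field
DESCRIPTOR_LEN = 76                          # type[16] next[8] size[8] pad[40] adler32[4]

def read_stored_hashes(blob: bytes) -> dict:
    """Walk the section chain; return hashes stored in 'hash'/'digest' sections."""
    if blob[:8] != EVF_SIGNATURE:
        raise ValueError("not an EWF/E01 segment file")
    found, offset = {}, FILE_HEADER_LEN
    while offset + DESCRIPTOR_LEN <= len(blob):
        desc = blob[offset:offset + DESCRIPTOR_LEN]
        raw_type, next_off, _size = struct.unpack_from("<16sQQ", desc)
        (stored_sum,) = struct.unpack_from("<I", desc, 72)
        if zlib.adler32(desc[:72]) != stored_sum:
            raise ValueError(f"corrupt section descriptor at offset {offset}")
        kind = raw_type.rstrip(b"\x00").decode("ascii", "replace")
        body = blob[offset + DESCRIPTOR_LEN:]
        if kind == "hash":                   # older section: MD5 only
            found["md5"] = body[:16].hex()
        elif kind == "digest":               # MD5 (16 bytes) followed by SHA-1 (20 bytes)
            found["md5"], found["sha1"] = body[:16].hex(), body[16:36].hex()
        if kind in ("done", "next") or next_off <= offset:
            break                            # the final section points at itself
        offset = next_off
    return found

def _section(kind: bytes, offset: int, body: bytes, last: bool = False) -> bytes:
    """Build one section (descriptor + body) for the constructed sample."""
    size = DESCRIPTOR_LEN + len(body)
    head = struct.pack("<16sQQ40x", kind, offset if last else offset + size, size)
    return head + struct.pack("<I", zlib.adler32(head)) + body

def build_sample(data: bytes) -> bytes:
    """Constructed minimal segment: file header, 'digest' section, 'done' section."""
    md5, sha1 = hashlib.md5(data).digest(), hashlib.sha1(data).digest()
    body = md5 + sha1 + bytes(40)
    body += struct.pack("<I", zlib.adler32(body))
    out = EVF_SIGNATURE + b"\x01" + struct.pack("<H", 1) + b"\x00\x00"
    out += _section(b"digest", len(out), body)
    return out + _section(b"done", len(out), b"", last=True)

if __name__ == "__main__":
    print(read_stored_hashes(build_sample(b"constructed evidence bytes")))
```

These are the values recorded in the container, not a re-hash of the imaged data; in a multi-segment image the hash sections are expected in the last segment file.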