In recent years, E01 file format has become the de facto standard format for forensic purposes due to its ability to store not only a physical or logical copy of a source drive, but also case and evidence details. E01 file can also contain both MD5 and SHA-1 hashes. And it is considered a good practice among forensic specialists to calculate both hashes while imaging the evidence so that they are included in the E01 file.
To image a source evidence drive to an E01 file you have to add a new target file.
1. In Imaging category of the left-side menu you can click on Create New Session link and in the Target Device Selection window click on Create Image File link.
2. In the Image File Selection window select E01 file extension in the drop-down menu to create an image file with this extension and type the name you prefer in the File Name field.
3. Fill out all the relevant fields in the Image File Options window (you can also do it later in the Home page of the file when it is created):
4. Click on Select button in the Target Device Selection window .
As a result you get is an E01 file with current 0 bytes capacity created (its final capacity will be defined by the amount of imaged data it contains plus the metadata).
Upon completion of imaging, you will see both MD5 and SHA-1 hashes indicated in Imaging Results page: