Expert Witness Image Format Support

ILookIX provides an optional capability to analyze image files that are named “E01”. This commonly refers to image files made in the Expert Witness image format, but there is no public standard for files that call themselves .E01. The ILookIX analysis of E01 files cannot be guaranteed in all cases, as the images themselves are generated by a number of different applications and hardware, none of which appear able to identify themselves to the forensic program analyzing them. Perlustro has official format documentation for the Expert Witness format courtesy of ASRData Inc., but ONLY for that specification of E01.

If the tool’s identity cannot be determined, then any analysis could likewise be suspect, simply because of the disparities among imaging tools already published in independent tests. Who or what made a file of this type, and how it was made, are intrinsic to ILookIX’s analysis behavior and treatment. For instance, no authentication report can be generated for this type because insufficient data exists to create one using our standards.

This truly murky water of parentage does not lie at the feet of Perlustro’s image formats, or any of its tools. Every image of any source created by any Perlustro imaging product is an evidentiary container which authenticates itself as well as the specific product that created it. There will be no analysis in ILookIX of any file, regardless of its name, if it simply purports to be a Perlustro product, but isn’t “Genuine Perlustro”.

All Perlustro image formats (ITAR, FUSUS and IX .asb) support that proof of concept. Of note, while ILookIX makes VMDK images by default, it cannot directly authenticate even those files except by the original source, and then only through hashing the data, which is not necessarily sufficient alone for authentication of evidence. However, ILookIX can, at any point, provide proof as to which one of our tools created our images – and much more.

The bounds we have created for this issue are as follows: should any court of State or National Jurisdiction call this issue into question, where ILookIX cannot report the source software/hardware used to create the image files that are under examination, then Perlustro cannot support that image if it was not created by Perlustro, and that includes raw bitstream images. The Perlustro tools were built by law enforcement, for law enforcement, for reasons of evidence preservation and protection for all parties. They were not built just for interoperability or convenience at any cost.

Given the stakes of criminal evidentiary analysis, as opposed to information analysis, we do not find any other recourse to take that is both equitable and compliant with our own standards, those of NIST, and common sense.

NOTE: See http://www.cftt.nist.gov/DA-ATP-pc-01.pdf, in particular tests DA-AM-09, DA-A0-03, DA-A0-06,07 & 08, DA-A0-22.

(Notably, Perlustro builds the only tools that transfer proprietary image formats of any loadable type directly to a GPL documented and Federally approved compressed image format (VMDK), which can then be opened by a plethora of both open and closed source tools for validation purposes or for perpetual retention. This form frees the user from any reliance on, or requirement for, any Perlustro product in the further analysis or access to the data at a later date.)