Eddy Colloton

Wow! The volume that created a 4gb disk image with ewfcompression=empty, created a disk image of only 1.1gb after running the scripts you recommend. I think your point is well taken that the uninitialized SSDs are not a good fit for this setting, but thank you so much for helping me problem solve. Best, Eddy On Thu, Dec 13, 2018 at 12:50 PM guy gvoncken@users.sourceforge.net wrote: Eddy, I think you already found the solution yourself: "not technically empty". I added the compression option "empty"...

I've done a few tests compairing the size of ewf disk images with compression=empty vs compression=fast. I've been surprised that the 2 flash drives I have imaged with compression=empty have ended up equal size to a raw disk image (despite often having lots of empty space). See results below: 32gb flash drive: EWFCompression=Fast: 23.2 GB, 00:49:43 EWFCompression=Empty: 32.1 GB, 00:49:40 4gb flash drive: EWFCompression=Fast: 2.2 GB, 00:03:40 EWFCompression=Empty: 4 GB, 00:03:40 I had assumed that...

Thanks again Guy! Yeah, makes sense lots of imagers out there. I've used xmount a little, I'm more familiar with ewfmount from libewf. Both seem to work well!

Thanks for all of this info Guy! I really appreciate your thorough and prompt reply! Another question: Do you think the subtle differences between the Guymager format and other EWF versions will be documented publically in the same way Metz has so thoroughly documented the subtle differences between EnCase1 and EnCase6, for example?

Guy, I'm a bit new to this, so forgive me if the answers to these questions is reproduced elsewhere. The other applications I have used to create EWF/E01 disk images have often prompted me for a "compression level." Does your application compress the E01s it creates? There also seems to be many verisons of this format (https://www.forensicswiki.org/wiki/Encase_image_file_format) which version does guymager create? Eddy