Forensic Image File Formats

HstEx® natively supports a number of different image and output file formats. The following table represents a summary of the supported file types.

File FormatFile Extensions
EnCase® Image File (EVF / Expert Witness Format)*.e01
EnCase® Evidence File Format v2*.ex01
EnCase® Logical Evidence File Format v1*.L01
EnCase® Logical Evidence File Format v2*.Lx01
SMART/Expert Witness Image File*.s01
X-Ways Forensics Image File*.e01
VMWare Virtual Disk File*.vmdk

Multi-Volume ZIP Archive NEW

Virtual Hard Disk*.vhd
Segmented Image Unix / Linux DD / Raw Image Files*.000, *.0000, *.00000, *.001, *.0001, *.00001
Single Image Unix / Linux DD / Raw / Monolithic Image Files*.dd; *.img; *.ima; *.raw
Memory Dumps*.dmp; *.dump; *.crash; *.mem; *.vmem; *.mdmp
Binary Dumps*.bin; *.dat; *.unallocated; *.rec; *.data; *.binary
Mobile Phone Raw Binary Memory Dumps*.bin


We have dropped support for the Advanced Forensics Format (AFF) in HstEx® v4.

Direct Sector Access to Physical and Logical Devices

HstEx® has the ability of directly accessing at the sector level any physical or logical devices attached to the host system. This allows the user to employ write blockers and to recover data directly from a disk or external media.


Do NOT mount supported image types and then process them as if they were physical or logical devices. This makes no sense whatsoever and will result in really slow processing. If the image type is supported, then using HstEx® to natively process the image is by far the fastest and most effective method. If you have an image format that is not supported, please contact support.

A write blocker should be used when accessing physical or logical devices directly. If the hard disk is failing, please use a data recovery imager to capture the data from the device first and run HstEx® against the resulting image.