(6 intermediate revisions by 5 users not shown) |
Line 1: |
Line 1: |
− | Many computer forensic programs, especially the all-in-one suites, use their own file formats to store information. This page lists many of those formats. Note that this page represents a subset of all of the [[File_Formats|known file formats]].
| + | #REDIRECT [[:Category:Forensics_File_Formats]] |
− | | + | |
− | | + | |
− | | + | |
− | ; [[AFF]]
| + | |
− | Full details of the format and a working implementation can be downloaded from http://www.afflib.org/
| + | |
− | | + | |
− | | + | |
− | ; [[EnCase]]
| + | |
− | Perhaps the de facto standard for forensic analyses in law
| + | |
− | enforcement, Guidance Software's EnCase Forensic uses
| + | |
− | a proprietary format for images, reportedly based on ASR Data's
| + | |
− | Expert Witness Compression Format. EnCase's Evidence File
| + | |
− | (.E01) format contains a physical bitstream
| + | |
− | of an acquired disk, prefixed with a "Case Info" header,
| + | |
− | interlaced with CRCs for every block of 64 sectors (32 KB), and
| + | |
− | followed by a footer containing an MD5 hash for the entire
| + | |
− | bitstream. Contained in the header are the date and time of
| + | |
− | acquisition, an examiner's name, notes on the acquisition, and an
| + | |
− | optional password; the header concludes with its own CRC.
| + | |
− | | + | |
− | Not only is the format is compressible, it is also searchable.
| + | |
− | Compression is block-based~\cite{pyflagformat}, and ``jump tables''
| + | |
− | and "file pointers" are maintained in the format's header or
| + | |
− | between blocks "to enhance speed." Disk images
| + | |
− | can be split into multiple files (e.g., for archival to CD or
| + | |
− | DVD).
| + | |
− | | + | |
− | But files in this format can be no larger than 2 GB. The format
| + | |
− | also restricts the type and quantity of metadata that can be
| + | |
− | associated with an image. And, though some vendors have
| + | |
− | reverse-engineered the format for compatibility's sake, the format
| + | |
− | remains closed.
| + | |
− | | + | |
− | | + | |
− | ; FTK Imager ([[FTK]]'s) File Formats
| + | |
− | | + | |
− | A popular alternative to EnCase, AccessData's Forensic Toolkit (FTK)
| + | |
− | supports storage of disk images in EnCase's or SMART's file format,
| + | |
− | as well as in raw(dd)format. With Isobuster technology built in, FTK Imager Images CD's to a ISO/CUE file combination. This also includes multi and open session CDs.
| + | |
− | | + | |
− | ; [[gfzip]] (generic forensic zip) file format
| + | |
− | | + | |
− | Gfzip aims to provide an open file format for 'forensic complete' 'compressed' and 'signed' disk image data files.
| + | |
− | Uncompressed disk images can be used the same way dd images are, as gfzip uses a data first footer last design.
| + | |
− | Gfzip uses multi level sha256 digest based integrity guards instead of sha1 or the depricated md5 algoritm.
| + | |
− | User supplied meta data is embedded in a meta data section within the file.
| + | |
− | A very important feature that gfzip focuses on extensively is the use of signed data and meta data sections using x509 certificates.
| + | |
− | | + | |
− | | + | |
− | ; [[ILook Investigator]]'s IDIF, IRBF, and IEIF Formats
| + | |
− | | + | |
− | ILook Investigator v8 and its disk-imaging
| + | |
− | counterpart, IXimager, offer three proprietary, authenticated image
| + | |
− | formats: compressed (IDIF), non-compressed (IRBF), and encrypted
| + | |
− | (IEIF). Although few technical details are disclosed publicly,
| + | |
− | IXimager's online documentation provides some
| + | |
− | insights: IDIF "includes protective mechanisms to detect changes
| + | |
− | from the source image entity to the output form" and supports
| + | |
− | "logging of user actions within the confines of that event;" IRBF
| + | |
− | is similar to IDIF except that disk images are left uncompressed;
| + | |
− | IEIF, meanwhile, encrypts said images.
| + | |
− | | + | |
− | For compatibility with ILook Investigator v7 and other forensic
| + | |
− | tools, IXimager allows for the transformation of each of these
| + | |
− | formats into raw format.
| + | |
− | | + | |
− | | + | |
− | ; [[ProDiscover]] Family's ProDiscover Image File Format
| + | |
− | | + | |
− | Used by [[Technology Pathways]]' [[ProDiscover]] Family of security tools, the ProDiscover Image File format consists of five parts: a 16-byte Image
| + | |
− | File Header, which includes a signature and version number for an
| + | |
− | image; a 681-byte Image Data Header, which contains user-provided
| + | |
− | metadata about the image; Image Data, which comprises a single block
| + | |
− | of uncompressed data or an array of blocks of compressed data; an
| + | |
− | Array of Compressed Blocks sizes (if the Image Data is, in fact,
| + | |
− | compressed); and I/O Log Errors describing any problems during the
| + | |
− | image's acquisition.
| + | |
− | | + | |
− | Though fairly well documented, the format is not extensible.
| + | |
− | | + | |
− | | + | |
− | ; [[PyFlag]]'s [[sgzip]] Format
| + | |
− | | + | |
− | Supported by PyFlag, a "Forensic and Log
| + | |
− | Analysis GUI" begun as a project in the Australian Department of
| + | |
− | Defence, sgzip is a seekable variant of the gzip format. By
| + | |
− | compressing blocks (of 32KB, by default) individually, sgzip allows
| + | |
− | disk images to be searched for keywords without being fully
| + | |
− | decompressed. The format does not associate metadata with images. {In addition to its own sgzip format, PyFlag can also read and write the Expert Witness Compression Format.
| + | |
− | | + | |
− | | + | |
− | ; [[Rapid Action Imaging Device]] (RAID)'s Format
| + | |
− | | + | |
− | Though relatively little technical detail is publicly available, DIBS USA's
| + | |
− | Rapid Action Imaging Device (RAID) offers "built in
| + | |
− | [sic] integrity checking" and is to be designed to
| + | |
− | create an identical copy in raw format of one disk on another. The copy can then
| + | |
− | "be inserted into a forensic workstation."
| + | |
− | | + | |
− | | + | |
− | ; [[Safeback]]'s Format
| + | |
− | | + | |
− | SafeBack, a DOS-based utility designed to create
| + | |
− | exact copies of entire disks or partitions, offers a
| + | |
− | "self-authenticating" format for images, whereby [[SHA256]] hashes are
| + | |
− | stored along with data to ensure the latter's integrity. Although
| + | |
− | few technical details are disclosed publicly, SafeBack's authors
| + | |
− | claim that the software "safeguards the internally stored SHA256
| + | |
− | values."
| + | |
− | | + | |
− | | + | |
− | ; [[SDi32]]'s Format
| + | |
− | | + | |
− | Imaging software designed to be used with write-blocking hardware,
| + | |
− | Vogon International's SDi32 is capable of making identical copies
| + | |
− | of disks to tape, disk, or file, with optional CRC32 and MD5
| + | |
− | fingerprints. The copies are stored in raw format.
| + | |
− | | + | |
− | | + | |
− | ; [[SMART]]'s Formats
| + | |
− | | + | |
− | [[SMART]], a software utility for Linux designed by the
| + | |
− | original authors of Expert Witness (now sold under the name of
| + | |
− | EnCase), can store disk images as pure bitstreams
| + | |
− | (compressed or uncompressed) and also in ASR Data's [[Expert Witness]]
| + | |
− | Compression Format. Images stored in the latter format
| + | |
− | can be stored as a single file or in multiple segment files, each of
| + | |
− | which consist of a standard 13-byte header followed by a series of
| + | |
− | sections, each of type "header," "volume," "table," "next,"
| + | |
− | or "done." Each section includes its type string, a 64-bit offset
| + | |
− | to the next section, its 64-bit size, padding, and a CRC, in
| + | |
− | addition to actual data or comments, if applicable. Although the
| + | |
− | format's "header" section supports free-form notes, an image can
| + | |
− | have only one such section (in its first segment file only).
| + | |
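Review bot: the replacement of the whole page body with `#REDIRECT [[:Category:Forensics_File_Formats]]` drops descriptive content without an indication that it has been moved anywhere. The removed left-hand column carried format-level detail that a category listing does not by itself preserve: the EnCase Evidence File layout (Case Info header with its own CRC, a CRC per 64-sector/32 KB block, MD5 footer, 2 GB per-file limit), gfzip's multi-level SHA-256 integrity guards and X.509-signed data and metadata sections, the five-part ProDiscover layout (16-byte Image File Header, 681-byte Image Data Header, Image Data, compressed-block size array, I/O Log Errors), sgzip's 32 KB independently compressed blocks, and the Expert Witness segment structure (13-byte header, sections of type "header," "volume," "table," "next," "done," each with a 64-bit next-offset, 64-bit size, padding and CRC). Before this redirect lands, confirm that each of the linked pages ([[AFF]], [[EnCase]], [[gfzip]], [[ProDiscover]], [[sgzip]], [[SMART]] and the rest) actually contains the corresponding paragraph, or migrate the text to them in the same change; otherwise the comparison of which formats carry metadata, which hash algorithm protects the image, and which have size limits is lost from the wiki. If the text is migrated, the two markup defects in the old body should be fixed on the way rather than copied: the stray LaTeX citation `~\cite{pyflagformat}` and the literal quoting backticks in "Compression is block-based~\cite{pyflagformat}, and ``jump tables''", and the unmatched "{" in "The format does not associate metadata with images. {In addition to its own sgzip format". The edit summary should also state that this is an intentional consolidation into the category, so a later reader of the history does not read it as accidental blanking.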