|
|
| (6 intermediate revisions by 5 users not shown) |
| Line 1: |
Line 1: |
| − | Many computer forensic programs, especially the all-in-one suites, use their own file formats to store information. This page lists many of those formats. Note that this page represents a subset of all of the [[File_Formats|known file formats]].
| + | #REDIRECT [[:Category:Forensics_File_Formats]] |
| − | | + | |
| − | | + | |
| − | | + | |
| − | ; [[AFF]]
| + | |
| − | Full details of the format and a working implementation can be downloaded from http://www.afflib.org/
| + | |
| − | | + | |
| − | | + | |
| − | ; [[EnCase]]
| + | |
| − | Perhaps the de facto standard for forensic analyses in law
| + | |
| − | enforcement, Guidance Software's EnCase Forensic uses
| + | |
| − | a proprietary format for images, reportedly based on ASR Data's
| + | |
| − | Expert Witness Compression Format. EnCase's Evidence File
| + | |
| − | (.E01) format contains a physical bitstream
| + | |
| − | of an acquired disk, prefixed with a "Case Info" header,
| + | |
| − | interlaced with CRCs for every block of 64 sectors (32 KB), and
| + | |
| − | followed by a footer containing an MD5 hash for the entire
| + | |
| − | bitstream. Contained in the header are the date and time of
| + | |
| − | acquisition, an examiner's name, notes on the acquisition, and an
| + | |
| − | optional password; the header concludes with its own CRC.
| + | |
| − | | + | |
| − | Not only is the format is compressible, it is also searchable.
| + | |
| − | Compression is block-based~\cite{pyflagformat}, and ``jump tables''
| + | |
| − | and "file pointers" are maintained in the format's header or
| + | |
| − | between blocks "to enhance speed." Disk images
| + | |
| − | can be split into multiple files (e.g., for archival to CD or
| + | |
| − | DVD).
| + | |
| − | | + | |
| − | But files in this format can be no larger than 2 GB. The format
| + | |
| − | also restricts the type and quantity of metadata that can be
| + | |
| − | associated with an image. And, though some vendors have
| + | |
| − | reverse-engineered the format for compatibility's sake, the format
| + | |
| − | remains closed.
| + | |
| − | | + | |
| − | | + | |
| − | ; FTK Imager ([[FTK]]'s) File Formats
| + | |
| − | | + | |
| − | A popular alternative to EnCase, AccessData's Forensic Toolkit (FTK)
| + | |
| − | supports storage of disk images in EnCase's or SMART's file format,
| + | |
| − | as well as in raw(dd)format. With Isobuster technology built in, FTK Imager Images CD's to a ISO/CUE file combination. This also includes multi and open session CDs.
| + | |
| − | | + | |
| − | ; [[gfzip]] (generic forensic zip) file format
| + | |
| − | | + | |
| − | Gfzip aims to provide an open file format for 'forensic complete' 'compressed' and 'signed' disk image data files.
| + | |
| − | Uncompressed disk images can be used the same way dd images are, as gfzip uses a data first footer last design.
| + | |
| − | Gfzip uses multi level sha256 digest based integrity guards instead of sha1 or the depricated md5 algoritm.
| + | |
| − | User supplied meta data is embedded in a meta data section within the file.
| + | |
| − | A very important feature that gfzip focuses on extensively is the use of signed data and meta data sections using x509 certificates.
| + | |
| − | | + | |
| − | | + | |
| − | ; [[ILook Investigator]]'s IDIF, IRBF, and IEIF Formats
| + | |
| − | | + | |
| − | ILook Investigator v8 and its disk-imaging
| + | |
| − | counterpart, IXimager, offer three proprietary, authenticated image
| + | |
| − | formats: compressed (IDIF), non-compressed (IRBF), and encrypted
| + | |
| − | (IEIF). Although few technical details are disclosed publicly,
| + | |
| − | IXimager's online documentation provides some
| + | |
| − | insights: IDIF "includes protective mechanisms to detect changes
| + | |
| − | from the source image entity to the output form" and supports
| + | |
| − | "logging of user actions within the confines of that event;" IRBF
| + | |
| − | is similar to IDIF except that disk images are left uncompressed;
| + | |
| − | IEIF, meanwhile, encrypts said images.
| + | |
| − | | + | |
| − | For compatibility with ILook Investigator v7 and other forensic
| + | |
| − | tools, IXimager allows for the transformation of each of these
| + | |
| − | formats into raw format.
| + | |
| − | | + | |
| − | | + | |
| − | ; [[ProDiscover]] Family's ProDiscover Image File Format
| + | |
| − | | + | |
| − | Used by [[Technology Pathways]]' [[ProDiscover]] Family of security tools, the ProDiscover Image File format consists of five parts: a 16-byte Image
| + | |
| − | File Header, which includes a signature and version number for an
| + | |
| − | image; a 681-byte Image Data Header, which contains user-provided
| + | |
| − | metadata about the image; Image Data, which comprises a single block
| + | |
| − | of uncompressed data or an array of blocks of compressed data; an
| + | |
| − | Array of Compressed Blocks sizes (if the Image Data is, in fact,
| + | |
| − | compressed); and I/O Log Errors describing any problems during the
| + | |
| − | image's acquisition.
| + | |
| − | | + | |
| − | Though fairly well documented, the format is not extensible.
| + | |
| − | | + | |
| − | | + | |
| − | ; [[PyFlag]]'s [[sgzip]] Format
| + | |
| − | | + | |
| − | Supported by PyFlag, a "Forensic and Log
| + | |
| − | Analysis GUI" begun as a project in the Australian Department of
| + | |
| − | Defence, sgzip is a seekable variant of the gzip format. By
| + | |
| − | compressing blocks (of 32KB, by default) individually, sgzip allows
| + | |
| − | disk images to be searched for keywords without being fully
| + | |
| − | decompressed. The format does not associate metadata with images. {In addition to its own sgzip format, PyFlag can also read and write the Expert Witness Compression Format.
| + | |
| − | | + | |
| − | | + | |
| − | ; [[Rapid Action Imaging Device]] (RAID)'s Format
| + | |
| − | | + | |
| − | Though relatively little technical detail is publicly available, DIBS USA's
| + | |
| − | Rapid Action Imaging Device (RAID) offers "built in
| + | |
| − | [sic] integrity checking" and is to be designed to
| + | |
| − | create an identical copy in raw format of one disk on another. The copy can then
| + | |
| − | "be inserted into a forensic workstation."
| + | |
| − | | + | |
| − | | + | |
| − | ; [[Safeback]]'s Format
| + | |
| − | | + | |
| − | SafeBack, a DOS-based utility designed to create
| + | |
| − | exact copies of entire disks or partitions, offers a
| + | |
| − | "self-authenticating" format for images, whereby [[SHA256]] hashes are
| + | |
| − | stored along with data to ensure the latter's integrity. Although
| + | |
| − | few technical details are disclosed publicly, SafeBack's authors
| + | |
| − | claim that the software "safeguards the internally stored SHA256
| + | |
| − | values."
| + | |
| − | | + | |
| − | | + | |
| − | ; [[SDi32]]'s Format
| + | |
| − | | + | |
| − | Imaging software designed to be used with write-blocking hardware,
| + | |
| − | Vogon International's SDi32 is capable of making identical copies
| + | |
| − | of disks to tape, disk, or file, with optional CRC32 and MD5
| + | |
| − | fingerprints. The copies are stored in raw format.
| + | |
| − | | + | |
| − | | + | |
| − | ; [[SMART]]'s Formats
| + | |
| − | | + | |
| − | [[SMART]], a software utility for Linux designed by the
| + | |
| − | original authors of Expert Witness (now sold under the name of
| + | |
| − | EnCase), can store disk images as pure bitstreams
| + | |
| − | (compressed or uncompressed) and also in ASR Data's [[Expert Witness]]
| + | |
| − | Compression Format. Images stored in the latter format
| + | |
| − | can be stored as a single file or in multiple segment files, each of
| + | |
| − | which consist of a standard 13-byte header followed by a series of
| + | |
| − | sections, each of type "header," "volume," "table," "next,"
| + | |
| − | or "done." Each section includes its type string, a 64-bit offset
| + | |
| − | to the next section, its 64-bit size, padding, and a CRC, in
| + | |
| − | addition to actual data or comments, if applicable. Although the
| + | |
| − | format's "header" section supports free-form notes, an image can
| + | |
| − | have only one such section (in its first segment file only).
| + | |
