Difference between pages "DC3 Digital Forensics Challenge" and "Encase image file format"

From ForensicsWiki
= DC3 Digital Forensics Challenge =

== DC3 Challenge ==

[http://www.dc3.mil/challenge/ DC3 Digital Forensics Challenge]

The annual DC3 Digital Forensics Challenge is a global, online competition composed of individual, progressive-level digital forensic exercises. Its purpose is to promote and generate interest in digital forensics; establish relationships within the digital forensics community; address the major obstacles and dilemmas confronting digital forensics investigators and examiners; and develop new tools, techniques, and methodologies. Throughout the ten-and-a-half-month contest, which starts on 15 December each year, teams can register and submit their solutions. Regardless of registration date, all final submissions are due the following 1 November. The DC3 Digital Forensics Challenge is a global contest with multiple winning categories:

* High School
* Community College
* Undergrad
* Post Grad
* Civilian
* Commercial
* US Government
* US Military

Most categories are divided into US and international (non-US) winners, plus a global overall winner. Winners can receive hardware, software, internships, training, trips to the DoD Cyber Crime Conference (January 2013), gift cards, and more.

'''DC3 Maryland Digital Forensics Challenge'''

[http://www.dc3.mil/challenge/2012/about/states/md.php/ DC3 Maryland Challenge]

From education and training to employment opportunities, Maryland has become the epicenter for cyber crime investigations and cybersecurity. DC3 has created the DC3 Maryland Digital Forensics Challenge, a subset of the overall DC3 Digital Forensics Challenge, to encourage Marylanders to participate and to consider digital forensics as a possible career path. Participants residing in Maryland will be eligible to receive a special recognition at the close of 2012 in addition to their general DC3 Digital Forensics Challenge prize eligibility.

The DC3 Maryland Digital Forensics Challenge is open to all individuals physically residing in Maryland at the time of submission.

== 2006 DC3 Digital Forensics Challenge ==

The 2006 Challenge provided unique tests that included audio steganography, real vs. computer-generated image analysis, Linux [[Logical Volume Manager (Linux)|LVM]] data carving, and recovering data from destroyed floppy disks and CDs. With 140 teams in total and 21 submissions entered, AccessData won the 2006 event.

== 2007 DC3 Digital Forensics Challenge ==

The 2007 Challenge introduced new topics, such as [[Bitlocker]] cracking and recovering data from destroyed USB thumb drives. With 126 teams competing and 11 entries submitted, a team of students from the [[Air Force Institute of Technology]] won the event.

== 2008 DC3 Digital Forensics Challenge ==

Beginning with the 2008 Challenge, the contest was broken into four skill levels: Novice, Skilled, Expert, and Genius. New challenges included detection of malicious software, partition recovery, file header reconstruction, [[Skype]] analysis, and foreign text identification and translation. With 199 teams competing and 20 entries submitted, the competition was won by Chris Eagle and Tim Vidas of the [[Naval Postgraduate School]]. The 2008 Challenge also marked the first time that all results were released publicly.

== 2009 DC3 Digital Forensics Challenge ==

A total of 1,153 teams from 49 states and 61 countries applied to enter the 2009 DC3 Challenge, an increase from the 223 teams from 40 states and 26 countries entered in 2008. Of those teams, 44 submitted solution packets back to FX for grading.

'''2009 Sponsors'''

'''SANS Institute for the U.S. High School and U.S. Undergraduate prizes'''

The SysAdmin, Audit, Network, Security (SANS) Institute is the most trusted and by far the largest source for information security training and certification in the world. It also develops, maintains, and makes available at no cost the largest collection of research documents about various aspects of information security, and it operates the Internet's early warning system, the Internet Storm Center. SANS is also a sponsor of the Center for Strategic & International Studies US Cyber Challenge.

'''IMPACT for the Non-U.S. prize'''

The International Multilateral Partnership Against Cyber-Threats (IMPACT) and the Department of Defense Cyber Crime Center have partnered to provide a Digital Forensic Challenge opportunity for non-U.S. entries. This opportunity provides an international aspect to a previously U.S.-based event and allows additional insight into global methods of fighting cyber crime.

'''2009 Winners' Circle'''

With the four available prizes for 2009, the official winners of the Challenge were:

{| class="wikitable"
|-
! Prize !! Team !! Points
|-
| DC3 Prize (U.S. Winner) || Little Bobby Tables || 1,772
|-
| SANS Prize - High School (U.S.) || pwnage || 1,309
|-
| SANS Prize - Undergraduate (U.S.) || WilmU || 1,732
|-
| IMPACT Prize (International & Overall) || DFRC || 2,014
|}

== 2010 DC3 Digital Forensics Challenge ==

A total of 1,010 teams from 48 states and 53 countries applied to enter the 2010 DC3 Challenge, a 12% decrease in team applications from the 1,153 teams from 49 states and 61 countries entered in 2009. Of those teams, 70 submitted solution packets back to FX for grading, a 59% increase over the 44 submissions returned in 2009.

'''2010 Sponsors'''

New in 2010, several sponsors provided additional prizes to allow for multiple winners:

'''SANS Institute for the U.S. High School and U.S. Undergraduate prizes'''

The [[SANS Institute|SysAdmin, Audit, Network, Security (SANS) Institute]] is the most trusted and by far the largest source for information security training and certification in the world. It also develops, maintains, and makes available at no cost the largest collection of research documents about various aspects of information security, and it operates the Internet's early warning system, the Internet Storm Center. SANS is also a sponsor of the Center for Strategic & International Studies US Cyber Challenge.

'''IMPACT for the Non-U.S. prize'''

The [[IMPACT|International Multilateral Partnership Against Cyber-Threats]] (IMPACT) and the Department of Defense Cyber Crime Center have partnered to provide a Digital Forensic Challenge opportunity for non-U.S. entries. This opportunity provides an international aspect to a previously U.S.-based event and allows additional insight into global methods of fighting cyber crime.

The winner(s) of the International category from an IMPACT-member country will be eligible to fly to Malaysia for a tour of the IMPACT facility in Cyberjaya, official presentation of a commemorative plaque, and potential grants of EC-Council and SANS courses.

'''EC-Council for US Government, US Military, Commercial, and Civilian individual prizes'''

The [[International Council of Electronic Commerce Consultants]] (EC-Council) is a world leader in information security certification and training. With over 450 training locations for its information security courses in over 60 countries, it is a world leader in technical training and certification for the information security community and a trusted source for vendor-neutral information security training solutions. EC-Council and DC3 have partnered to expand the prize opportunities of the DC3 Digital Forensic Challenge. EC-Council sponsors the categories of:
* U.S. Government
* U.S. Military
* Civilian for all U.S. and non-U.S. entries
* Commercial teams for all U.S. and non-U.S. entries

The winning teams of the Civilian, Commercial, Government, and Military categories will receive the following prizes for up to 4 members from the EC-Council:
* A plaque
* A pass to the Hacker Halted Conference, worth $1,799 each
* Any free EC-Council electronic courseware of choice on Ethical Hacking, Computer Forensics, Security Analysis or Disaster Recovery, worth $650 each

'''JHU for Community College Participants'''

The [[Johns Hopkins University|Johns Hopkins University (JHU) Carey School for Business]], as part of CyberWatch, will award a prize to the team with the highest score that is also enrolled in a community college.

The Johns Hopkins/CyberWatch (JHU/CW) winning team will be recognized as the academic leader at the U.S. Community College level. The winning team members will also be presented with an award to mark their outstanding achievement.

'''UK Cyber Security Challenge'''

[https://cybersecuritychallenge.org.uk/ Cyber Security Challenge UK] and DC3 have partnered to provide an opportunity for teams consisting entirely of UK citizens residing in the UK.
The UK Challenge winning team will be offered two prizes from Cyber Security Challenge UK:
* Two weeks at the new UK Cyber Security Academy, which develops the skills required of next-generation cyber security specialists, including courses on digital forensics, threat and risk management, cyber-crime, and emerging security technologies.
* Invitations to take part in the Cyber Security Challenge UK's masterclass challenge to compete against other successful contestants from other UK Challenge competitions.

'''2010 Winners' Circle'''

{| class="wikitable"
|-
! Prize !! Team !! Points
|-
| DC3 Prize (U.S. Winner) || Williams Twin Forensics || 1,470
|-
| SANS Prize - High School (U.S.) || Crash Override || 361
|-
| SANS Prize - Undergraduate (U.S.) || Team Name || 1,129
|-
| IMPACT Prize (International) || DFRC || 3,297
|-
| EC-COUNCIL Prize (US GOVT) || LBPDCCID || 409
|-
| EC-COUNCIL Prize (US Military) || Batcheej || 88
|-
| EC-COUNCIL Prize (Commercial) || Little Tree || 1,791
|-
| EC-COUNCIL Prize (Civilian) || William Twins Forensics || 1,470
|-
| JHU Prize (Community College) || PWNsauce || 84
|-
| UK Cyber Security Challenge || Mine Inc || 352
|}

== 2011 DC3 Digital Forensics Challenge ==

A total of 1,147 teams from 50 states and 52 countries applied to enter the 2011 DC3 Challenge, a 3% increase in team applications from the 1,110 teams from 48 states and 53 countries entered in 2010. Of those teams, 174 submitted solution packets back to FX for grading, a 149% increase over the 70 submissions returned in 2010.

'''2011 Sponsors'''

Sponsor participation increased significantly, in both the number of sponsors and the number of categories each sponsor supported.

'''''The SysAdmin, Audit, Network, Security (SANS) Institute: '''''
SANS sponsored the 1st place US High School, Undergraduate, and Graduate categories, offering a trip to the 2012 DoD Cyber Crime Conference (conference fee not included) for up to 4 team members.

'''''IMPACT: '''''
IMPACT sponsored the 1st place Non-US winner, offering a trip to Malaysia for IMPACT training.

'''''JHU/CyberWatch: '''''
Johns Hopkins University (JHU), together with CyberWatch, sponsored the 1st place US Community College winner, offering scholarship money to up to 4 team members.

'''''The EC-Council: '''''
The International Council of Electronic Commerce Consultants (EC-Council) sponsored the 1st place Non-US Civilian, Commercial, High School, Undergraduate, and Graduate categories, in addition to the US Academic, Government, and Military categories. It offers teams a plaque, a pass to the Hacker Halted Conference, and any free EC-Council electronic courseware on Ethical Hacking, Computer Forensics, Security Analysis, or Disaster Recovery of their choice.

'''''Cyber Security Challenge UK: '''''
The UK Challenge sponsored its own category, offering the winning team of up to 4 members two weeks at the new UK Cyber Security Academy and an invitation to take part in the UK's Masterclass Challenge.

'''''Armed Forces Communications and Electronics Association (AFCEA) International '''''
AFCEA sponsored the 1st place US Government, Military, and Undergraduate categories, offering a one-year membership of the organization.

'''''BlackBag Technologies: '''''
BlackBag sponsored the US Overall winning team, offering the BBT Forensic Kit for up to 4 team members.

'''''National Institute of Standards and Technology Law Enforcement Standards Office (NIST OLES): '''''
NIST OLES sponsored the US Government winner, offering a trip to the 2012 DoD Cyber Crime Conference (conference fees excluded) for up to 4 team members.

'''''Paraben: '''''
Paraben sponsored the 1st place US Undergraduate and the 1st and 2nd place US Government and Military categories, offering the Paraben Device Seizure Software & Toolbox to all winning teams and a paid internship to the Undergraduate winner(s).

'''''The US Cyber Challenge (USCC): '''''
The USCC sponsored the 1st place US Undergraduate winner, offering a trip to the 2012 DoD Cyber Crime Conference (conference fees excluded) for up to 4 team members.

'''''AccessData:'''''
AccessData sponsored the 1st place US Undergraduate winner, offering a copy of the current version of AccessData FTK, two free training classes (online or in the classroom), an optional 60-day internship, and paid travel expenses and hotel room.

'''''Dell:'''''
Dell sponsored the US Overall and US High School categories, offering a Dell Streak 7 tablet for up to 4 team members.

'''''McAfee:'''''
McAfee sponsored the US Community College winner, offering Skullcandy headphones, the Hacking Exposed book, McAfee Total Protection software, and a lunch box/sack for up to 4 team members.

'''2011 Winners' Circle'''

{| class="wikitable"
|-
! CATEGORY (SPONSORS) !! TEAM NAME !! # OF PLAYERS !! AFFILIATION !! POINTS
|-
| Grand Champion (DC3) || LoneWolf || 1 || Sabanci University, Turkey || 4,789
|-
| Overall Civilian Winner (EC-Council) || DFRC || 4 || University of South Korea, Korea || 2,762
|-
| Overall Commercial Winner (EC-Council) || Northrop Grumman || 4 || Northrop Grumman, United States || 3,471
|-
| Overall High School (EC-Council) || AlphaPHS || 4 || Poolesville High School, United States || 854
|-
| Overall Undergraduate (EC-Council) || SIGSEGV || 4 || Arizona State University, United States || 3,532
|-
| Overall Graduate (EC-Council) || LoneWolf || 1 || Sabanci University, Turkey || 4,789
|-
| U.S. Overall Winner (DC3, BlackBag, Dell) || SIGSEGV || 4 || Arizona State University, United States || 3,532
|-
| U.S. Government Winner (EC-Council, AFCEA, NIST OLES, Paraben) || 0x90 || 4 || Department of Defense, United States || 3,269
|-
| U.S. Military Winner (EC-Council, AFCEA, Paraben) || DCIS SEFO || 4 || Defense Criminal Investigative Service, United States || 1,105
|-
| U.S. High School Winner (SANS) || AlphaPHS || 4 || Poolesville High School, United States || 854
|-
| U.S. Community College Winner (CyberWatch/JHU, CIS, McAfee) || CSI-207-001 || 4 || Anne Arundel Community College, United States || 924
|-
| U.S. Undergraduate Winner (SANS, AFCEA, Paraben, AccessData) || SIGSEGV || 4 || Arizona State University, United States || 3,532
|-
| U.S. Graduate Winner (SANS) || DSU MSIA-2 || 1 || Dakota State University, United States || 1,549
|-
| Non-U.S. Overall Winner (IMPACT) || LoneWolf || 1 || Sabanci University, Turkey || 4,789
|-
| U.K. Overall Winner (UK Challenge, McAfee) || Icarus || 1 || Lancaster University, United Kingdom || 2,098
|}

== External Links ==
* [http://dc3.mil/challenge/ External web site]

[[Category:DC3 Digital Forensics Challenge]]

= Encase image file format =

Revision as of 01:53, 21 July 2012

The Encase image file format is used by [[EnCase]] to store various types of digital evidence, e.g.:

* disk image (physical bitstream of an acquired disk)
* volume image
* memory
* logical files

Currently there are 2 versions of the format:

* version 1 is (reportedly) based on [[:File:ASR Data's Expert Witness Compression Format.pdf|ASR Data's Expert Witness Compression Format]].
* version 2 was introduced in EnCase 7, for which a format specification (at least for Ex01) is available, but requires registration.

The libewf project indicates that the January 2012 version of the version 2 format specification is sufficient to read non-encrypted Ex01 files, but is not complete; among other gaps, Lx01 is not specified.

== Version 1 ==

The media data can be stored in multiple evidence files, which are called segment files. Each segment file consists of multiple sections, each of which starts with a section descriptor containing the section type. Up to EnCase 5 segment files were limited to 2 GiB, due to the internal 31-bit file offset representation. This limitation was lifted in EnCase 6 by adding a base offset value to which the 31-bit offsets are relative.

EnCase can store the data compressed using either the fast or the best level of the deflate compression method. EnCase 7 no longer distinguishes between fast and best compression and only offers uncompressed or compressed.

Besides digital evidence, the evidence files (segment files) contain a header with case information. The case information comprises the date and time of acquisition, the examiner's name, notes on the acquisition, and an optional password.

* In EnCase 3 the case information is stored in the "header" section, which is defined twice within the file; both copies contain the same information.
* As of EnCase 4 an additional "header2" section was added. The "header" section now appears only once, but the new "header2" section twice.

The format adds error detection by storing the data with Adler-32 checksums, for both the metadata and the data blocks (chunks), which by default are 64 x 512-byte sectors (32 KiB). As of EnCase 5 the number of sectors per chunk can vary. EnCase 3F introduced an "error2" section that records the location and number of bad-sector chunks. Areas that could not be read are filled with zeros, and EnCase shows the user which areas could not be read when the image was acquired. The granularity of unreadable chunks appears to be 32 KiB; as of EnCase 5 it can vary. Note that Adler-32 only detects accidental corruption: anyone able to rewrite a chunk can recompute its checksum, so the evidential integrity of an image rests on the acquisition hash (below) having been recorded and verified independently of the file.

EnCase 3 can store a one-way hash of the data. For a bitstream it does so by calculating, e.g., an MD5 hash of the original media data and adding a hash section to the last segment file. As of EnCase 6 the option to store a SHA-1 hash was added.

EnCase 5 and later have the option to store '''single files''' in the EnCase Logical Evidence File (LEF) or EWF-L01. This format changed slightly in EnCase 6 and 7.

== Version 2 ==

In EnCase 7 the EWF format was succeeded by the EnCase Evidence File Format Version 2 (EWF2-EX01 and EWF2-LX01). EWF2-EX01 is, at its lower levels, a different format from EWF-E01 and adds support for:

* bzip2 compression
* direct encryption (AES-256) of the section data

The same features are added to the new logical evidence file format (EWF2-LX01), with the exception of encryption. EWF2-EX01 and EWF2-LX01 are not backwards compatible with previous EnCase products.

== See Also ==

* [[:File:ASR Data's Expert Witness Compression Format.pdf|ASR Data's Expert Witness Compression Format]]
* [[EnCase]]

== External Links ==

* [http://encase-enterprise-blog.guidancesoftware.com/2012/01/2nd-generation-encase-evidence-file.html 2nd Generation EnCase Evidence File Technical Specification now Available], Guidance Software, Jan 2012
* Requires registration: [http://www.guidancesoftware.com/DocumentRegistration.aspx?did=1000018246 EnCase Evidence File Format Version 2], Guidance Software, Jan 2012
* [http://code.google.com/p/libewf/downloads/detail?name=Expert%20Witness%20Compression%20Format%20%28EWF%29.pdf Expert Witness Compression Format (EWF)].
* [http://code.google.com/p/libewf/downloads/detail?name=Expert%20Witness%20Compression%20Format%202%20%28EWF2%29.pdf Expert Witness Compression Format (EWF) version 2].
* [http://www.cfreds.nist.gov/v2/Basic_Mac_Image.html Sample image in EnCase, iLook, and dd format] - From the [[Computer Forensic Reference Data Sets]] Project

[[Category:Forensics File Formats]]
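The Version 1 segment-file layout described above (section chain with per-descriptor checksums, 32 KiB chunks with Adler-32, 31-bit table entries relative to the EnCase 6 base offset, and the MD5 in the hash section) can be exercised end to end with the following script. It is an added example written for this page, not code from libewf or Guidance Software. It builds a constructed one-segment E01-style file in memory from a two-chunk sample and then walks and verifies it; the field layouts it assumes (13-byte file header, 76-byte section descriptor, the EnCase 6 table header, the hash section contents, and the rule that a compressed chunk is a zlib stream whose trailer carries the Adler-32) follow the public EWF description, and the "header", "header2", "volume" and "data" sections are left out to keep the example short, so it will not open a real EnCase image as-is.

```python
"""Constructed EWF-E01-style segment: build one in memory, then walk and verify it.
Added example for this page, not libewf or EnCase code. Layout assumed from the
public Expert Witness Compression Format description (EnCase 6+ table header):
  file header (13 bytes): "EVF\x09\x0d\x0a\xff\x00", 0x01, segment number (u16 LE), 0x0000
  section descriptor (76 bytes): type (16, NUL padded), next offset (u64), size (u64,
      including the descriptor), 40 bytes padding, Adler-32 of the first 72 bytes
  chunk: 64 x 512-byte sectors, stored raw + Adler-32, or as a zlib stream
  table entry (u32): MSB = chunk is compressed, low 31 bits = offset from base offset
"""
import hashlib
import struct
import zlib

SIGNATURE = b"EVF\x09\x0d\x0a\xff\x00"
SECTOR, SECTORS_PER_CHUNK = 512, 64
CHUNK = SECTOR * SECTORS_PER_CHUNK              # 32 KiB, the EnCase default chunk
COMPRESSED, OFFSET_MASK = 0x80000000, 0x7FFFFFFF


def adler32(data: bytes) -> int:
    return zlib.adler32(data) & 0xFFFFFFFF


def descriptor(kind: bytes, next_off: int, size: int) -> bytes:
    body = kind.ljust(16, b"\x00") + struct.pack("<QQ", next_off, size) + bytes(40)
    return body + struct.pack("<I", adler32(body))


def parse_descriptor(buf: bytes, off: int):
    """Return (type, next offset, size) after checking the descriptor's Adler-32."""
    body = buf[off:off + 72]
    kind, next_off, size = struct.unpack("<16sQQ", body[:32])
    if adler32(body) != struct.unpack_from("<I", buf, off + 72)[0]:
        raise ValueError(f"descriptor checksum mismatch at offset {off}")
    return kind.rstrip(b"\x00").decode(), next_off, size


def build_segment(media: bytes, compress_flags) -> bytes:
    """Serialise `media` (a whole number of chunks) as sectors, table, hash and done sections."""
    assert len(media) % CHUNK == 0
    out = bytearray(SIGNATURE + b"\x01" + struct.pack("<H", 1) + b"\x00\x00")
    chunks = [media[i:i + CHUNK] for i in range(0, len(media), CHUNK)]
    stored = [zlib.compress(c, 9) if flag else c + struct.pack("<I", adler32(c))
              for c, flag in zip(chunks, compress_flags)]
    sectors_off = len(out)
    table_off = sectors_off + 76 + sum(len(s) for s in stored)
    out += descriptor(b"sectors", table_off, table_off - sectors_off)
    base = len(out)                      # EnCase 6 base offset: entries stay within 31 bits
    entries = []
    for s, flag in zip(stored, compress_flags):
        entries.append((len(out) - base) | (COMPRESSED if flag else 0))
        out += s
    thdr = struct.pack("<IIQI", len(entries), 0, base, 0)
    tdata = thdr + struct.pack("<I", adler32(thdr))
    tdata += struct.pack(f"<{len(entries)}I", *entries)
    tdata += struct.pack("<I", adler32(tdata[24:]))      # checksum over the entries
    hash_off = table_off + 76 + len(tdata)
    out += descriptor(b"table", hash_off, 76 + len(tdata)) + tdata
    hdata = hashlib.md5(media).digest() + bytes(16)        # MD5 of the media, 16 unknown bytes
    hdata += struct.pack("<I", adler32(hdata))
    done_off = hash_off + 76 + len(hdata)
    out += descriptor(b"hash", done_off, 76 + len(hdata)) + hdata
    out += descriptor(b"done", done_off, 76)                # "done" ends the last segment
    return bytes(out)


def verify_segment(buf: bytes):
    """Walk the section chain, rebuild the media through the table, check every
    checksum on the way. Returns (section types, media, MD5 matches hash section)."""
    if buf[:8] != SIGNATURE:
        raise ValueError("not an EWF-E01 segment file")
    off, kinds, sections = 13, [], {}
    while True:
        kind, next_off, size = parse_descriptor(buf, off)
        kinds.append(kind)
        sections[kind] = (off, size)
        if kind in ("next", "done") or next_off == off:    # terminators point at themselves
            break
        off = next_off
    toff, _ = sections["table"]
    thdr = buf[toff + 76:toff + 96]
    count, _, base, _ = struct.unpack("<IIQI", thdr)
    if adler32(thdr) != struct.unpack_from("<I", buf, toff + 96)[0]:
        raise ValueError("table header checksum mismatch")
    entries = struct.unpack_from(f"<{count}I", buf, toff + 100)
    soff, ssize = sections["sectors"]
    bounds = [base + (e & OFFSET_MASK) for e in entries] + [soff + ssize]
    media = bytearray()
    for i, e in enumerate(entries):
        raw = buf[bounds[i]:bounds[i + 1]]
        if e & COMPRESSED:
            chunk = zlib.decompress(raw)   # zlib checks the trailer Adler-32 for us
        else:
            chunk, stored = raw[:-4], struct.unpack("<I", raw[-4:])[0]
            if adler32(chunk) != stored:
                raise ValueError(f"chunk {i} checksum mismatch")
        media += chunk
    hoff, _ = sections["hash"]
    md5_ok = hashlib.md5(media).digest() == buf[hoff + 76:hoff + 92]
    return kinds, bytes(media), md5_ok


if __name__ == "__main__":
    sample = bytes(CHUNK) + bytes(range(256)) * 128   # constructed: one blank, one patterned chunk
    seg = build_segment(sample, [True, False])
    kinds, media, md5_ok = verify_segment(seg)
    print(kinds, media == sample, md5_ok, len(seg))
    damaged = bytearray(seg)
    damaged[seg.find(bytes(range(256))) + 5] ^= 0xFF    # one flipped byte in the raw chunk
    try:
        verify_segment(bytes(damaged))
    except ValueError as err:
        print("detected:", err)
```

Running it prints the four section types in chain order, confirms the rebuilt media and the MD5 match, and then shows a single flipped byte in the uncompressed chunk being caught by the chunk's Adler-32. The same flip applied after recomputing the checksum and the hash section would pass every check, which is why the acquisition hash has to live outside the image as well.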
