Difference between pages "Personal Folder File (PAB, PST, OST)" and "Libewf"

From Forensics Wiki

Personal Folder File (PAB, PST, OST)

[[Microsoft]] [[Outlook]] uses the '''Personal Folder File (PFF)''' to store e-mails, appointments, tasks, contacts, notes, etc.

Three different types of the PFF are known:
* The '''Personal Address Book (PAB)''', which contains the address book of contacts. These files have the extension '''.pab'''.
* The '''Personal Storage Table (PST)''', which contains items like e-mails, appointments, tasks, notes, etc. and is used for current and archived mailbox files. These files have the extension '''.pst'''. The PST format is also referred to as the '''Personal Folder File (PFF)''' format.
* The '''Offline Storage Table (OST)''', which contains items like e-mails, appointments, tasks, notes, etc. and is used for offline mailbox files in conjunction with [[Microsoft]] [[Exchange]]. These files have the extension '''.ost'''. The OST format is also referred to as the '''Offline Folder File (OFF)''' format.

All three share the same underlying file format. Its official name is unknown; it has been dubbed the '''Personal Folder File (PFF)''' format after its most common usage.

== MIME types ==

No MIME type is officially registered for the PFF format; however, some sources claim the following [[MIME types]] apply to this [[file format]]:
* application/vnd.ms-outlook (for PST files)

== File signature ==

PFF has the following file signature at offset 0:

hexadecimal: 21 42 44 4e

ASCII: !BDN

== File types ==

There are a 32-bit and a 64-bit version of the PFF. These have the same file signature but can be identified by the version in the file header.

== Contents ==

The PFF basically contains a hierarchy of items. The attributes of these items are defined by the [[Microsoft]] [[Outlook]] [[Message API (MAPI)]].

== Encryption ==

The PFF format allows the file to be encrypted. Two types of encryption are currently known; they are referred to as compressible encryption and high encryption.

The compressible encryption is a basic substitution cipher and the high encryption is a somewhat more complex substitution cipher. Neither involves a secret: the substitution tables are fixed and published (see the MS-PST specification under External Links), and the only per-block variation in high encryption is derived from the block identifier stored in the file itself. Which method is in use is recorded in plain text in the file header, and the data can be decoded by anyone holding the file.

From a cryptographic point of view this is more a way of obfuscation than a means to protect confidentiality.
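
The header fields described above (the signature, the version word that distinguishes 32-bit from 64-bit files, and the encryption method byte) can be checked with a few lines of code. The following is an added example for this page, not code from the libpff project. It assumes the header layout of the MS-PST specification linked under External Links (sentinel byte 0x80 followed by bCryptMethod at offsets 0x1CC/0x1CD in a 32-bit file and 0x200/0x201 in a 64-bit file), the content-type markers "SM" (PST), "SO" (OST) and "AB" (PAB) as documented by the libpff project, and constructs its own sample headers; the function and constant names are its own.

```python
"""Classify a PFF (PAB/PST/OST) file from its header.

Added example for this page; it is not libpff's code. It reads the fields the
page describes: the !BDN signature at offset 0, the version word that tells a
32-bit file from a 64-bit one, and the encryption method byte. Field offsets
follow the MS-PST header layout linked under External Links; the content type
values for OST ("SO") and PAB ("AB") are taken from the libpff format
documentation. All sample headers are constructed inline.
"""
import struct

SIGNATURE = b"!BDN"  # 21 42 44 4e

# wMagicClient at offset 8, stored as two ASCII bytes.
CONTENT_TYPES = {b"SM": "PST", b"SO": "OST", b"AB": "PAB"}

# wVer at offset 10 selects the on-disk layout (same signature, different header).
LAYOUTS = {14: "32-bit", 15: "32-bit", 23: "64-bit"}

# Per layout: total header size, offset of bSentinel (must be 0x80) and of
# bCryptMethod. Both bytes sit right after the two 128-byte allocation maps, so
# the 64-bit header's wider block identifiers and larger root push them out.
HEADER_SIZE = {"32-bit": 0x200, "64-bit": 0x234}
SENTINEL_OFFSET = {"32-bit": 0x1CC, "64-bit": 0x200}
CRYPT_OFFSET = {"32-bit": 0x1CD, "64-bit": 0x201}

# bCryptMethod values; the page's "compressible" and "high" encryption are
# MS-PST's permutative and cyclic encoding respectively.
CRYPT_METHODS = {0x00: "none", 0x01: "compressible (permutative)", 0x02: "high (cyclic)"}


def is_pff(data: bytes) -> bool:
    """True when the file carries the PFF signature at offset 0."""
    return data[:4] == SIGNATURE


def parse_pff_header(data: bytes) -> dict:
    """Return content type, layout and encryption method of a PFF header.

    Raises ValueError on a bad signature, a truncated header or a sentinel
    mismatch (the version word and the actual layout disagree).
    """
    if not is_pff(data):
        raise ValueError("not a PFF file: signature %r" % data[:4])
    if len(data) < 12:
        raise ValueError("truncated header")
    magic_client, version = struct.unpack_from("<2sH", data, 8)
    info = {
        "content_type": CONTENT_TYPES.get(magic_client, "unknown (%r)" % magic_client),
        "version": version,
        "layout": LAYOUTS.get(version, "unknown"),
    }
    layout = info["layout"]
    if layout == "unknown":
        return info  # cannot locate bCryptMethod without a known layout
    if len(data) < HEADER_SIZE[layout]:
        raise ValueError("truncated %s header" % layout)
    if data[SENTINEL_OFFSET[layout]] != 0x80:
        raise ValueError("sentinel byte missing: layout does not match wVer=%d" % version)
    method = data[CRYPT_OFFSET[layout]]
    info["encryption"] = CRYPT_METHODS.get(method, "unknown (0x%02x)" % method)
    return info


def _sample_header(content_type: bytes, version: int, crypt_method: int) -> bytes:
    """Constructed sample header: only the fields this example reads are filled in."""
    layout = LAYOUTS[version]
    buf = bytearray(HEADER_SIZE[layout])
    buf[0:4] = SIGNATURE
    struct.pack_into("<2sH", buf, 8, content_type, version)
    buf[SENTINEL_OFFSET[layout]] = 0x80
    buf[CRYPT_OFFSET[layout]] = crypt_method
    return bytes(buf)


SAMPLE_PST_64 = _sample_header(b"SM", 23, 0x01)  # 64-bit PST, compressible encryption
SAMPLE_OST_32 = _sample_header(b"SO", 14, 0x02)  # 32-bit OST, high encryption
SAMPLE_PAB_32 = _sample_header(b"AB", 15, 0x00)  # 32-bit PAB, unencrypted

if __name__ == "__main__":
    for name, sample in (("pst64", SAMPLE_PST_64), ("ost32", SAMPLE_OST_32), ("pab32", SAMPLE_PAB_32)):
        print(name, parse_pff_header(sample))
```

Run it directly to classify the three constructed headers; for a real file, pass at least the first 0x234 bytes. The sentinel check matters in practice: if a file's version word says 64-bit but the 0x80 byte is not where the 64-bit layout puts it, the encryption byte you would read is garbage. Note also that the encryption method is itself stored unencrypted in the header, one more sign that the scheme protects nothing against someone holding the file.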
  
== Also see ==
* [[libpff]]
* [[libpst]]

== External Links ==

* [http://code.google.com/p/libpff/downloads/detail?name=Personal%20Folder%20File%20%28PFF%29%20format.pdf Personal Folder File format specifications], by the [[libpff|libpff project]]
* [http://downloads.sourceforge.net/libpff/MAPI_definitions.pdf MAPI definitions], by the [[libpff|libpff project]]
* [http://www.five-ten-sg.com/libpst/rn01re05.html outlook.pst — format of MS Outlook .pst file], by the [[libpst|libpst project]]
* [http://msdn.microsoft.com/en-us/library/ff385210(v=office.12).aspx MS-PST: Outlook Personal Folders (.pst) File Format], by [[Microsoft]]

[[Category:File Formats]]

Revision as of 00:03, 30 July 2012

libewf
Maintainer: Joachim Metz, David Loveall
OS: Linux, FreeBSD, NetBSD, OpenBSD, Mac OS X, Windows
Genre: Disk imaging
License: LGPL
Website: code.google.com/p/libewf/

Libewf is a library to access the Expert Witness Compression Format (EWF).

Features

Read or write supported EWF formats:

  • SMART .s01 (EWF-S01)
  • EnCase .E01 (EWF-E01) and .Ex01 (EWF2-Ex01)

Read-only supported EWF formats:

  • Logical Evidence File (LEF) .L01 (EWF-L01) and .Lx01 (EWF2-Lx01)

Other features:

  • empty-block compression
  • read/write access using delta (or shadow) files
  • write resume
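
Added example for this page, not libewf's code: a small Python sniffer that reports which of the families listed above a segment file belongs to from its 8-byte signature, then walks the section chain of an EWF(1) segment file (E01, S01, L01) and checks the Adler-32 stored in each 76-byte section descriptor. The signatures, the 13-byte file header and the descriptor layout follow libewf's public format documentation. E01 and S01 share one signature and are only told apart by their section layout, so they are reported together. The sample segment file is constructed inline with descriptor-only sections, and the names identify, segment_number, walk_sections and section_summary are the example's own.

```python
"""Sniff the EWF family of a segment file and walk its EWF(1) section chain.

Added example for this page; it is not libewf's code. The 8-byte signatures,
the 13-byte EWF(1) file header and the 76-byte section descriptor layout follow
libewf's public format documentation. The sample segment file at the bottom is
constructed inline and carries descriptor-only sections (real sections carry
their data after the descriptor, covered by the size field).
"""
import struct
import zlib

EVF_SIGNATURE = b"EVF\x09\x0d\x0a\xff\x00"   # EnCase .E01 and SMART .s01
LVF_SIGNATURE = b"LVF\x09\x0d\x0a\xff\x00"   # EnCase .L01 logical evidence file
EVF2_SIGNATURE = b"EVF2\x0d\x0a\x81\x00"     # EnCase .Ex01
LEF2_SIGNATURE = b"LEF2\x0d\x0a\x81\x00"     # EnCase .Lx01

FAMILIES = {
    EVF_SIGNATURE: "EWF-E01/EWF-S01",
    LVF_SIGNATURE: "EWF-L01",
    EVF2_SIGNATURE: "EWF2-Ex01",
    LEF2_SIGNATURE: "EWF2-Lx01",
}

FILE_HEADER_SIZE = 13         # signature(8) + fields start(1) + segment number(2) + fields end(2)
SECTION_DESCRIPTOR_SIZE = 76  # type(16) + next offset(8) + size(8) + padding(40) + Adler-32(4)


def identify(data: bytes) -> str:
    """EWF family from the signature. E01 and S01 share a signature and are
    only told apart by their section layout, so they are reported together."""
    return FAMILIES.get(data[:8], "unknown")


def segment_number(data: bytes) -> int:
    """Segment number from an EWF(1) file header (1 for the first .E01/.L01)."""
    if data[:8] not in (EVF_SIGNATURE, LVF_SIGNATURE):
        raise ValueError("not an EWF(1) segment file")
    fields_start, number, fields_end = struct.unpack_from("<BHH", data, 8)
    if fields_start != 1 or fields_end != 0:
        raise ValueError("malformed EWF(1) file header")
    return number


def walk_sections(data: bytes):
    """Yield (offset, type, size, checksum_ok) for each EWF(1) section descriptor.

    Follows the chain from the first section at offset 13. The 'done' (last
    segment) and 'next' (more segments follow) sections point at themselves,
    and the walk also stops on a non-advancing or out-of-range link, so a
    truncated or tampered chain can neither loop nor read past the buffer.
    """
    offset = FILE_HEADER_SIZE
    while offset + SECTION_DESCRIPTOR_SIZE <= len(data):
        desc = data[offset:offset + SECTION_DESCRIPTOR_SIZE]
        type_raw, next_offset, size = struct.unpack_from("<16sQQ", desc, 0)
        stored = struct.unpack_from("<I", desc, 72)[0]
        checksum_ok = zlib.adler32(desc[:72]) == stored  # Adler-32 over the 72 bytes before it
        section_type = type_raw.rstrip(b"\x00").decode("ascii", "replace")
        yield offset, section_type, size, checksum_ok
        if section_type in ("done", "next") or next_offset <= offset:
            break
        offset = next_offset


def section_summary(data: bytes):
    """[(type, checksum_ok), ...] for the whole chain; a quick integrity check."""
    return [(t, ok) for _, t, _, ok in walk_sections(data)]


def _descriptor(section_type: bytes, next_offset: int, size: int) -> bytes:
    """Build a section descriptor with a correct Adler-32 (sample data only)."""
    body = struct.pack("<16sQQ40s", section_type, next_offset, size, b"")
    return body + struct.pack("<I", zlib.adler32(body))


# Constructed sample: single-segment image with a 'header' section, then 'done'.
_HEADER_OFF = FILE_HEADER_SIZE
_DONE_OFF = _HEADER_OFF + SECTION_DESCRIPTOR_SIZE
SAMPLE_E01 = (
    EVF_SIGNATURE + struct.pack("<BHH", 1, 1, 0)
    + _descriptor(b"header", _DONE_OFF, SECTION_DESCRIPTOR_SIZE)
    + _descriptor(b"done", _DONE_OFF, SECTION_DESCRIPTOR_SIZE)
)

# Same file with one padding byte of the 'header' descriptor flipped: the stored
# Adler-32 no longer matches, which any reader that validates descriptors will flag.
_tampered = bytearray(SAMPLE_E01)
_tampered[_HEADER_OFF + 40] ^= 0x01
SAMPLE_E01_TAMPERED = bytes(_tampered)

if __name__ == "__main__":
    print(identify(SAMPLE_E01), "segment", segment_number(SAMPLE_E01))
    for offset, section_type, size, ok in walk_sections(SAMPLE_E01_TAMPERED):
        print("%6d %-8s size=%d checksum %s" % (offset, section_type, size, "ok" if ok else "BAD"))
```

This only reads the section descriptors. A full integrity check of an image is what ewfverify does: it re-reads and decompresses the chunks and compares the recalculated hash with the one stored in the image, which descriptor checksums alone cannot give you.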

Tools

The libewf package contains the following tools:

  • ewfacquire, which writes storage media data from devices and files to EWF files.
  • ewfacquirestream, which writes data from stdin to EWF files.
  • ewfdebug, an experimental tool that does nothing at the moment.
  • ewfexport, which exports storage media data in EWF files to (split) RAW format or a specific version of EWF files.
  • ewfinfo, which shows the metadata in EWF files.
  • ewfmount, which FUSE mounts EWF files.
  • ewfverify, which re-reads the storage media data in EWF files and compares the recalculated hash with the hash stored in the image.

The libewf package also contains the following bindings:

  • ewf.net, bindings for .Net
  • pyewf, bindings for Python contributed by David Collett in 2008

Contributions

Tools that have been contributed to the project are provided as separate tools on the sourceforge libewf project site. These are:

  • mount_ewf.py, which allows the storage media data in EWF files to be mounted, contributed by David Loveall in 2007.
  • libewf-java, Java (JNA) bindings contributed by Bradley Schatz in 2009.
  • delphi imdisk proxy, Borland Delphi imdisk proxy, as an alternative to mount_ewf.py for Windows, contributed by Brendan Berney in 2010.
  • jlibewf, native Java EWF reader contributed by Bruce Allen in 2010.

A menu-based interface for ewfacquirestream called pyEWF, contributed by Dennis Schreiber, was originally also available on the uitwisselplatform project site. It is no longer maintained and was not moved to the sourceforge project site; the uitwisselplatform no longer exists. The name pyewf was reused for the libewf Python bindings created by David Collett, which are now included in the libewf package.

Examples

Imaging a device on a Unix-based system (ewfacquire prompts interactively for the target file name, case metadata, EWF format, compression level and segment file size, so run it from a terminal):

ewfacquire /dev/sda

Imaging a device on a Windows system:

ewfacquire \\.\PhysicalDrive0

Converting a split RAW into an EWF image:

ewfacquire split.raw.???

or

cat split.raw.??? | ewfacquirestream

Converting an optical disc (split) RAW into an EWF image (libewf 20110109 or later):

ewfacquire -T optical.cue optical.iso

Converting an EWF into another EWF format or a (split) RAW image:

ewfexport image.E01

Exporting files from a logical image (L01):

ewfexport image.L01

FUSE mounting an EWF image (libewf 20110828 or later):

ewfmount image.E01 mount_point

FUSE mounting a logical image (L01) (libewf 20111016 or later):

ewfmount -f files image.L01 mount_point

History

Libewf was created by Joachim Metz in 2006, while working for Hoffmann Investigations.

Libewf is a rewrite of earlier work on the EnCase 4 file format by Michael Cohen as part of PyFlag and of the Expert Witness Compression Format specification by Andrew Rosen. It has since been updated to read and write EnCase version 1 to 7 .E01 files, EnCase 7 .Ex01 files and SMART .s01 files, and to read EnCase 5 to 7 .L01 files and EnCase 7 .Lx01 files. Libewf has initiated an Extended EWF (EWF-X) specification to bypass limitations imposed by the EnCase .E01 format.

In 2007 David Loveall contributed mount_ewf.py to the libewf project. This script FUSE-mounts the storage media data in EWF files. Due to repeated issues with Python and the FUSE Python bindings on Mac OS X, part of its functionality has been rewritten as the ewfmount tool.

External Links

  • Project site: http://code.google.com/p/libewf/
  • Old project site: http://libewf.sourceforge.net