Difference between revisions of "Forensic file formats"

From Forensics Wiki

Revision as of 10:17, 31 October 2005

Proprietary Formats

The proprietary formats are usually created by the vendor of a particular tool. In most cases they are named after that tool. Where documentation exists, we link to it.


iLook
We're told it has its own format.
SMART from ASR Data.
This format uses a raw image and a second file with proprietary metadata (at least it did a couple of years ago).
FTK Logical Image Format
According to FTK's documentation, "The image created will include only logical files; it will not include any file system metadata, deleted files, unallocated space, etc. It cannot be converted to a sector image (such as .E01) because it does not store sector information. Although logical images can be examined in FTK Imager 2.x or newer, they are not supported by the current version of FTK. Logical image support will be added to FTK in a future release."
Safeback images
Some people have used Safeback for forensic purposes, although these images always need to be restored before they can be used.


Ones we aren't so sure about

FTK by Access Data.
We think that they use their own format, but we have never used FTK to acquire.

Open Formats

AFF
Seekable GZIP
This format is used by the PyFlag disk forensics system. Although it's compressed and supports seeking, it does not support the inclusion of metadata in the image file.
ProDiscover format from Technology Pathways.
This format is documented
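The Seekable GZIP entry above says two things about that kind of container: it is compressed yet supports seeking, and it carries no metadata. The following Python is an added illustration of how such a container works; it is not PyFlag's actual on-disk layout and not code from the wiki. The header magic (SGZ1), the field order, the 4 KiB block size and the sample image are all assumptions made for the example. Each block of the raw image is compressed as its own complete gzip member, and an offset index lets a reader inflate only the member that holds a requested byte range. Because nothing in the layout holds an acquisition hash, examiner name or case number, that information has to live in a sidecar file; the example computes the image hash from the container so such a sidecar can be checked without first restoring the raw image.

```python
"""Seekable gzip image container: independently compressed blocks plus an index.

Illustrative example added to the wiki entry; NOT PyFlag's real sgzip format.
Assumed layout:
  b'SGZ1' | u32 block_size | u64 image_length
  | one complete gzip member per block, back to back
  | index: u64 absolute offset of each member, then u32 member count
"""
import gzip
import hashlib
import io
import struct
import zlib

BLOCK_SIZE = 4096  # assumed block size for this example


def build_sample_image() -> bytes:
    """Constructed sample image: three full blocks of distinct filler bytes plus a
    partial tail block, with a boot-sector signature at bytes 510-511."""
    img = bytearray()
    for n in range(3):
        img += bytes([0x10 + n]) * BLOCK_SIZE
    img += b"partial tail block"
    img[510:512] = b"\x55\xaa"
    return bytes(img)


def write_seekable_gzip(image: bytes, block_size: int = BLOCK_SIZE) -> bytes:
    """Compress `image` block by block and return the container bytes."""
    out = io.BytesIO()
    out.write(b"SGZ1" + struct.pack("<IQ", block_size, len(image)))
    offsets = []
    for start in range(0, len(image), block_size):
        offsets.append(out.tell())
        # Each block is a self-contained gzip member (own header, CRC32, ISIZE).
        out.write(gzip.compress(image[start:start + block_size], mtime=0))
    for off in offsets:
        out.write(struct.pack("<Q", off))
    out.write(struct.pack("<I", len(offsets)))
    return out.getvalue()


class SeekableGzipReader:
    """Random-access reader: inflates only the members covering a request."""

    def __init__(self, container: bytes):
        magic, self.block_size, self.image_length = struct.unpack_from("<4sIQ", container, 0)
        if magic != b"SGZ1":
            raise ValueError("not a seekable gzip container")
        (count,) = struct.unpack_from("<I", container, len(container) - 4)
        index_start = len(container) - 4 - 8 * count
        self.offsets = list(struct.unpack_from(f"<{count}Q", container, index_start))
        self.offsets.append(index_start)  # sentinel: end of the last member
        self.data = container
        self.members_inflated = 0  # counter so callers can see how much work a read did

    def _block(self, n: int) -> bytes:
        member = self.data[self.offsets[n]:self.offsets[n + 1]]
        self.members_inflated += 1
        return gzip.decompress(member)  # verifies that member's CRC32 as a side effect

    def read(self, offset: int, length: int) -> bytes:
        """Return `length` bytes of the raw image starting at `offset`."""
        if offset < 0 or length < 0 or offset + length > self.image_length:
            raise ValueError("read outside image")
        out = bytearray()
        while length > 0:
            n, within = divmod(offset, self.block_size)
            chunk = self._block(n)[within:within + length]
            out += chunk
            offset += len(chunk)
            length -= len(chunk)
        return bytes(out)

    def verify_members(self) -> bool:
        """True if every gzip member inflates with a valid CRC32; False otherwise."""
        try:
            for n in range(len(self.offsets) - 1):
                self._block(n)
        except (OSError, zlib.error, EOFError):
            return False
        return True

    def image_sha256(self) -> str:
        """Hash of the raw image, computed from the container. The container has no
        field to store this, so it must be kept in a sidecar (assumption of this format)."""
        h = hashlib.sha256()
        for n in range(len(self.offsets) - 1):
            h.update(self._block(n))
        return h.hexdigest()


if __name__ == "__main__":
    image = build_sample_image()
    reader = SeekableGzipReader(write_seekable_gzip(image))
    print(reader.read(510, 2).hex(), reader.members_inflated)
    print(reader.image_sha256() == hashlib.sha256(image).hexdigest())
```

Reading the two signature bytes inflates exactly one member; a read that straddles a block boundary inflates two. Flipping a single byte inside a member makes `verify_members()` return False because the gzip CRC32 of that member no longer matches, but nothing in the container tells you whether the whole image still matches what was acquired, which is precisely why a metadata-carrying format or a sidecar hash is needed.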