Difference between revisions of "Forensic file formats"
|Line 6:||Line 6:|
, , the
Revision as of 14:25, 22 November 2005
Many computer forensic programs, especially the all-in-one suites, use their own file formats to store information. This page lists many of those formats. Note that this page represents a subset of all of the known file formats.
The proprietary formats are usually created by the vendor of a particular tool. In most cases they are named after that tool. Where documentation exists, we link to it.
Perhaps the de facto standard for forensic analyses in law enforcement, Guidance Software's EnCase Forensic uses a proprietary format for images, reportedly based on ASR Data's Expert Witness Compression Format. EnCase's Evidence File (.E01) format contains a physical bitstream of an acquired disk, prefixed with a "Case Info" header, interlaced with CRCs for every block of 64 sectors (32 KB), and followed by a footer containing an MD5 hash for the entire bitstream. Contained in the header are the date and time of acquisition, an examiner's name, notes on the acquisition, and an optional password; the header concludes with its own CRC.
- We're told it has it's own format.
- SMART from ASR Data.
- This format uses a raw image and a second file with proprietary metadata (at least it did a couple of years ago).
- FTK Logical Image Format
- According to FTK's documentation, "The image created will include only logical files; it will not include any file system metadata, deleted files, unallocated space, etc. It cannot be converted to a sector image (such as .E01) because it does not store sector information. Although logical images can be examined in FTK Imager 2.x or newer, they are not supported by the current version of FTK. Logical image support will be added to FTK in a future release."
- Safeback images
- Some people have used Safeback for forensic purposes, although these images always need to be restored before they can be used.
Older formats, not really in use anymore
- DIBS Disk Image Backup System, by Computer Forensics
- Vogon Imager
- Vogon imager claims that it can handle EnCase. There is some evidence that it may have (or had) its own file format as well. http://www.vogon-forensic-hardware.com/
Ones we aren't so sure about
- FTK by Access Data.
- We think that they use their own format, but we have never used FTK to acquire. ?
- Full details of the format and a working implementation can be downloaded from http://www.afflib.org/
- Seekable GZIP
- This format is used by the PyFlag disk forensics system. Although it's compressed and supports seeking, it does not support the inclusion of metadata in the image file.
- ProDiscover format from Technology Pathways.
- This format is documented at http://www.techpathways.com/uploads/ProDiscoverImageFileFormatv4.pdf