Encase image file format

From Forensics Wiki
[[EnCase]] uses a closed image format which is reportedly based on [http://www.asrdata.com/SMART/whitepaper.html ASR Data's Expert Witness Compression Format]. The evidence files, or E01 files, contain a physical bitstream of an acquired disk, prefixed with a "Case Info" header, interlaced with CRCs for every block of 64 sectors (32 KiB), and followed by a footer containing an MD5 hash of the entire bitstream. The header holds the date and time of acquisition, the examiner's name, notes on the acquisition, and an optional password, and it concludes with its own CRC.
  
EnCase can split the media data across multiple evidence files, called segment files. Each segment file consists of multiple sections, and each section begins with a section start definition that records, among other things, the section type.
  
Up to EnCase 5, segment files were limited to 2 GiB because file offsets were represented internally as 31-bit values. EnCase 6 lifted this limitation with a base-offset workaround.
  
From at least EnCase 3 onward, the case info header is stored in the "header" section, which is written twice within the file with identical contents.
  
EnCase 4 added a "header2" section. The "header" section now appears only once, while the new "header2" section appears twice.
  
Version 3 of the EnCase format introduced an "error2" section that records the location and number of bad sector chunks. Sectors that could not be read are filled with zeros in the image, and EnCase then shows the user which areas could not be read when the image was acquired. The granularity of unreadable chunks appears to be 32 KiB.
  
From EnCase 5 onward, the number of sectors per block (chunk) can vary.
  
EnCase, in at least versions 3, 4 and 5, can hash the data of the media it acquires. It does this by calculating an MD5 hash of the original media data and adding a hash section to the last of the segment files.
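As an added example (not code from this page, from EnCase, or from libewf), the following Python builds a simplified single-segment file in memory and then parses and verifies it in the way the description above implies: it walks the chain of section start definitions, checks the checksum of every 64-sector chunk, and compares the MD5 in the hash section against the reassembled bitstream. The byte layouts (13-byte file header, 76-byte section descriptors, Adler-32 as the value the format calls a CRC) are taken from the libewf documentation in the external links, not from this page; the builder omits the volume and table sections, the zlib compression of the header text, and the error2 section, and its media and header contents are constructed sample data.

```python
import hashlib
import struct
import zlib

# Layout constants from the libewf description of EWF/E01 (assumption: not stated on this page).
EVF_SIGNATURE = b"EVF\x09\x0d\x0a\xff\x00"
FILE_HEADER_SIZE = 13             # signature(8) + fields start(1) + segment number(2) + fields end(2)
SECTION_DESCRIPTOR_SIZE = 76      # type(16) + next offset(8) + size(8) + padding(40) + checksum(4)
SECTOR_SIZE = 512
SECTORS_PER_CHUNK = 64
CHUNK_SIZE = SECTOR_SIZE * SECTORS_PER_CHUNK   # 32 KiB, the unit each checksum covers

# Constructed sample input: 129 sectors, i.e. two full chunks plus one short trailing chunk.
SAMPLE_MEDIA = (bytes(range(256)) * 2) * 129
# Constructed stand-in for the case-info header text (real files store it zlib-compressed).
SAMPLE_HEADER = b"case 1\tJane Examiner\tconstructed sample, not real evidence\r\n"


def ewf_checksum(data: bytes) -> int:
    """What the format calls a CRC is an Adler-32 checksum (per libewf)."""
    return zlib.adler32(data) & 0xFFFFFFFF


def _descriptor(section_type: bytes, next_offset: int, size: int) -> bytes:
    """Section start definition: 72 bytes of fields followed by their checksum."""
    fields = struct.pack("<16sQQ40s", section_type, next_offset, size, b"\x00" * 40)
    return fields + struct.pack("<I", ewf_checksum(fields))


def build_segment(media: bytes, header_text: bytes, segment_number: int = 1) -> bytes:
    """Build a simplified single-segment file: file header, then the sections
    'header', 'sectors' (each 64-sector chunk followed by its checksum), 'hash', 'done'."""
    if len(media) % SECTOR_SIZE:
        raise ValueError("media must be a whole number of sectors")
    chunks = [media[i:i + CHUNK_SIZE] for i in range(0, len(media), CHUNK_SIZE)]
    sectors = b"".join(c + struct.pack("<I", ewf_checksum(c)) for c in chunks)
    digest = hashlib.md5(media).digest() + b"\x00" * 16          # MD5 + 16 unused bytes
    hash_payload = digest + struct.pack("<I", ewf_checksum(digest))
    out = bytearray(EVF_SIGNATURE + b"\x01" + struct.pack("<H", segment_number) + b"\x00\x00")
    for stype, payload in ((b"header", header_text), (b"sectors", sectors), (b"hash", hash_payload)):
        size = SECTION_DESCRIPTOR_SIZE + len(payload)
        out += _descriptor(stype, len(out) + size, size) + payload  # next = own offset + size
    out += _descriptor(b"done", len(out), SECTION_DESCRIPTOR_SIZE)   # last section points at itself
    return bytes(out)


def segment_number(buf: bytes) -> int:
    """Read the segment number from the file header after checking the signature."""
    if buf[:8] != EVF_SIGNATURE:
        raise ValueError("not an EWF segment file")
    return struct.unpack_from("<H", buf, 9)[0]


def walk_sections(buf: bytes):
    """Yield (type, payload offset, payload) for every section, verifying each
    descriptor checksum. The chain ends when a 'next' pointer refers back to itself."""
    segment_number(buf)                      # signature check
    offset = FILE_HEADER_SIZE
    while True:
        desc = buf[offset:offset + SECTION_DESCRIPTOR_SIZE]
        if len(desc) < SECTION_DESCRIPTOR_SIZE:
            raise ValueError(f"truncated section descriptor at offset {offset}")
        stype, next_offset, size, _ = struct.unpack("<16sQQ40s", desc[:72])
        if struct.unpack("<I", desc[72:])[0] != ewf_checksum(desc[:72]):
            raise ValueError(f"bad descriptor checksum at offset {offset}")
        start = offset + SECTION_DESCRIPTOR_SIZE
        yield stype.rstrip(b"\x00").decode("ascii"), start, buf[start:offset + size]
        if next_offset <= offset:
            break
        offset = next_offset


def verify_segment(buf: bytes) -> dict:
    """Recompute every chunk checksum and the footer MD5, as a tool's verify step
    would, and report which chunks (if any) fail."""
    sections = list(walk_sections(buf))
    payload = next(p for t, _, p in sections if t == "sectors")
    stored_md5 = next(p for t, _, p in sections if t == "hash")[:16]
    media, bad_chunks, pos, idx = bytearray(), [], 0, 0
    while pos < len(payload):
        clen = min(CHUNK_SIZE, len(payload) - pos - 4)       # the last chunk may be short
        chunk = payload[pos:pos + clen]
        if struct.unpack_from("<I", payload, pos + clen)[0] != ewf_checksum(chunk):
            bad_chunks.append(idx)
        media += chunk
        pos, idx = pos + clen + 4, idx + 1
    return {
        "sections": [t for t, _, _ in sections],
        "bad_chunks": bad_chunks,
        "md5_ok": hashlib.md5(media).digest() == stored_md5,
        "media": bytes(media),
    }


def corrupt_chunk(buf: bytes, chunk_index: int) -> bytes:
    """Flip one byte inside the given chunk: a constructed fault to show what verify catches."""
    start = next(o for t, o, _ in walk_sections(buf) if t == "sectors")
    damaged = bytearray(buf)
    damaged[start + chunk_index * (CHUNK_SIZE + 4)] ^= 0xFF
    return bytes(damaged)


if __name__ == "__main__":
    seg = build_segment(SAMPLE_MEDIA, SAMPLE_HEADER)
    print("clean:", verify_segment(seg)["bad_chunks"], "damaged:", verify_segment(corrupt_chunk(seg, 1))["bad_chunks"])
```

The per-chunk checksums localise damage to one 32 KiB block, which is the same granularity the error2 section uses for unreadable regions, while the MD5 in the hash section only tells you that something in the whole bitstream changed; a verifier should report both, since a file whose chunks all pass but whose MD5 fails points at a tampered or mis-copied hash section rather than at the data.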
 
== See Also ==
 
[[EnCase]]
 
== External Links ==  
 
* A great deal of information about the format has been documented by the [http://libewf.sourceforge.net libewf project], including some of the [http://downloads.sourceforge.net/libewf/ewf_file_format.pdf E01 file format specifications].
* [http://www.cfreds.nist.gov/v2/Basic_Mac_Image.html Sample image in EnCase, iLook, and dd format] - From the [[Computer Forensic Reference Data Sets]] Project
 
[[Category:Forensics File Format]]

Research Topics

Revision as of 23:37, 23 April 2007

Interested in doing research in computer forensics? Looking for a master's topic, or just some ideas for a research paper? Here is our list. Please feel free to add your own ideas. Potential Sponsor, when present, indicates the name of a researcher who would be interested in lending support in the form of supervision or other resources to a project.


Tool Development

AFF Enhancement

AFF is the Advanced Forensics Format, developed by Simson Garfinkel and Basis Technology. The following enhancements would be very useful to the format:

  • Signing data segments and metadata with X.509 or GPG keys.
  • Encryption of data segments with an AES-256 key specified by a password
  • Encryption of the AES-256 key with a public key (and decryption with a corresponding private key)
  • Evaluation of the AFF data page size. What is the optimal page size for compressed forensic work?
  • Replacement of the AFF "BADFLAG" approach for indicating bad data with a bitmap.

Sponsor for these projects: Simson Garfinkel

Decoders and Validators

  • A JPEG decompressor that supports restarts and checkpointing for use in high-speed carving. It would also be useful if the JPEG decompressor did not actually decompress: all it needs to do is verify the Huffman table.

Cell Phones

Open source tools for:

  • Imaging the contents of a cell phone memory
  • Reassembling information in a cell phone memory

Sponsor: Simson Garfinkel

Flash Memory

Flash memory devices such as USB keys implement a wear leveling algorithm in hardware so that frequently rewritten blocks are actually written to many different physical blocks. Are there any devices that let you access the raw flash cells underneath the wear leveling chip? Can you get statistics out of the device? Can you access pages that have been mapped out (and still have valid data) but haven't been mapped back yet? Can you use this as a technique for accessing deleted information?

Sponsor: Simson Garfinkel

Corpora Development

Real Corpora

  • Cell phone memory images

Realistic Corpora

  • Simulated disk images
  • Simulated network traffic