Difference between pages "PowerPoint Presentation (PPT)" and "Libewf"

From ForensicsWiki
(Difference between pages)
m (File signature)
 
m (Ewftools moved to Libewf)
 
Line 1: Line 1:
The '''PowerPoint Presentation (PPT) file format''' has the '''.ppt''' extension. This file type originates from [[Microsoft PowerPoint]]. However, other presentation software can be used to display these files as well. These include:
+
{{Infobox_Software |
* [[WordPerfect]]
+
  name = ewftools |
* [[OpenOffice]]
+
  maintainer = [[Joachim Metz]], [[David Loveall]] |
 +
  os = {{Linux | BSD | MacOS-X | Windows}} |
 +
  genre = [[File type support]] |
 +
  license = {{LGPL}} |
 +
  website = [http://libewf.sourceforge.net libewf.sourceforge.net] |
 +
}}
  
== MIME types ==
+
The '''ewftools''' are a [[Linux]] based programs to read and write EnCase E01 and SMART s01 bitstream copies of storage media. It has been ported to other platforms like *BSD, MacOS-X and Windows as well.
  
== File signature ==
+
== History ==  
  
[[Microsoft PowerPoint]] presentation of version 97-2003 use the [[OLE Compound File]] (OLECF). These files therefore have the OLECF file signature
+
The ewftools were developed by [[Joachim Metz]] while working for [[Hoffmann Investigations]].  
  
The object stream of the OLECF containing a PowerPoint presentation contains the string "PowerPoint Document" with some version.
+
The ewftools are part of libewf package which was created in 2006.
 +
Libewf is a rewrite of earlier work on the EnCase 4 file format by [[Michael Cohen]] part of [[PyFlag]] and the [http://www.asrdata.com/SMART/whitepaper.html Expert Witness Compression Format Specification] by [Andrew Rosen]. It has been updated to read and write EnCase 1 to 6 E01 files and SMART s01 files. Libewf has initiated an Extended EWF (EWF-X) specifications to bypass limitations on the format imposed by EnCase.
  
== PowerPoint 97-2003 presentation ==
+
Currently libewf partially supports the EnCase L01 format but this functionality has been disabled.
  
The PowerPoint 97-2007 Binary File format is stored in the OLECF using multiple streams:
+
== Tools ==
* ... stream
+
The ewftools consists of:
 +
* '''ewfacquire''' and '''ewfacquire''' , which writes storage media data from a device handle to a set of E01 or s01 files.
 +
* '''ewfexport''', which exports storage media data in a set of E01 or s01 files to raw (dd) format or a specific version of E01 or s01 files.
 +
* '''ewfinfo''', which shows the metadata in a set of E01 or s01 files.
 +
* '''ewfverify''', which verifies the storage media data in a set of E01 or s01 files.
 +
* '''mount_ewf.py''', which allows the storage media data in a set of E01 or s01 files to be mounted.
  
== Encryption ==
+
== External Links ==
  
See [[Word Document (DOC)]].
+
* [http://libewf.sourceforge.net libewf project site]
Note: perhaps this section should be moved to a separate section about Microsoft Office encryption
+
 
+
== See Also==
+
 
+
[http://download.microsoft.com/download/0/B/E/0BE8BDD7-E5E8-422A-ABFD-4342ED7AD886/PowerPoint97-2007BinaryFileFormat(ppt)Specification.pdf PowerPoint 97-2007 Binary File format by Microsoft]
+
 
+
[[Category:File Formats]]
+
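Review bot: In the Tools list, the first added item reads "'''ewfacquire''' and '''ewfacquire''' ," which names the same tool twice and leaves a stray space before the comma; either name the second tool or drop the repetition. In the History text, "[Andrew Rosen]" uses single brackets, so it will render literally instead of as a wiki link like the other names; use "[[Andrew Rosen]]" if a link is intended. The added intro also mixes number ("are a [[Linux]] based programs", then "It has been ported") and should be made consistently plural.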

Revision as of 05:57, 31 January 2009

ewftools
Maintainer: Joachim Metz, David Loveall
OS: Linux
Genre: File type support
License: LGPL
Website: libewf.sourceforge.net

The ewftools are Linux-based programs that read and write EnCase E01 and SMART s01 bitstream copies of storage media. They have also been ported to other platforms such as *BSD, MacOS-X and Windows.

History

The ewftools were developed by Joachim Metz while working for Hoffmann Investigations.

The ewftools are part of the libewf package, which was created in 2006. Libewf is a rewrite of earlier work on the EnCase 4 file format by Michael Cohen, part of PyFlag, and the Expert Witness Compression Format Specification by Andrew Rosen. It has been updated to read and write EnCase 1 to 6 E01 files and SMART s01 files. Libewf has initiated an Extended EWF (EWF-X) specification to bypass limitations on the format imposed by EnCase.

Currently libewf partially supports the EnCase L01 format, but this functionality has been disabled.

Tools

The ewftools consist of:

  • ewfacquire and ewfacquire, which write storage media data from a device handle to a set of E01 or s01 files.
  • ewfexport, which exports storage media data in a set of E01 or s01 files to raw (dd) format or a specific version of E01 or s01 files.
  • ewfinfo, which shows the metadata in a set of E01 or s01 files.
  • ewfverify, which verifies the storage media data in a set of E01 or s01 files.
  • mount_ewf.py, which allows the storage media data in a set of E01 or s01 files to be mounted.

External Links