Difference between pages "Encase image file format" and "JTAG Forensics"

From ForensicsWiki
(Difference between pages)
Jump to: navigation, search
 
(Procedures)
 
Line 1: Line 1:
[[EnCase]] uses a closed format for images which is reportedly based on [http://www.asrdata.com/SMART/whitepaper.html ASR Data's Expert Witness Compression Format]. The evidence files, or E01 files, contain a physical bitstream of an acquired disk, prefixed with a '"Case Info" header, interlaced with CRCs for every block of 64 x 512 byte sectors (32 KiB), and followed by a footer containing an MD5 hash for the entire bitstream.  Contained in the header are the date and time of acquisition, an examiner's name, notes on the acquisition, and an optional password; the header concludes with its own CRC.
+
== Definition ==
 +
=== From Wikipedia ([http://en.wikipedia.org/wiki/Joint_Test_Action_Group http://en.wikipedia.org/wiki/Joint_Test_Action_Group ]): ===
  
EnCase can store media data into multiple evidence files, which are called segment files. Each segment file consist of multiple sections. Each section consist of a section start definition. This contains a section type.
+
Joint Test Action Group (JTAG) is the common name for what was later standardized as the IEEE 1149.1 Standard Test Access Port and Boundary-Scan Architecture. It was initially devised for testing printed circuit boards using boundary scan and is still widely used for this application. Today JTAG is also widely used for IC debug ports. In the embedded processor market, essentially all modern processors support JTAG when they have enough pins. Embedded systems development relies on debuggers talking to chips with JTAG to perform operations like single stepping and breakpointing. Digital electronics products such as cell phones or a wireless access point generally have no other debug or test interfaces.
  
Up to EnCase 5 the segment file were limited to 2 GiB, due to the internal 31-bit file offset representation. This limitation was lifted using a base offset work around in EnCase 6.
+
=== Forensic Application ===
  
At least from Encase 3 the case info header is contained in the "header" section, which is defined twice within the file and contain the same information.
+
JTAG forensics is an acquisition procedure which involves connecting to the Standard Test Access Port (TAPs) on a device and instructing the processor to transfer the raw data stored on connected memory chips. Jtagging supported phones can be an extremely effective technique to extract a full physical image from devices that cannot be acquired by other means.
  
With Encase 4 an additional "header2" section was added. The "header" section now appears only once, but the new "header2" section twice.
+
== Tools and Equipment ==
  
Version 3 of The Encase F introduced an "error2" sections that it uses to record the location and number of bad sector chunks. The way it handles the sections it can't read is that those areas are filled with zero. Then Encase displays to the user the areas that could not be read when the image was acquired. The granularity of unreadable chunks appears to be 32K.
+
* [[JTAG and Chip-Off Tools and Equipment]]
  
Within Encase 5 the number of sectors per block (chunk) can vary.
+
== Procedures ==
  
Encase from at least in version 3 can hash the data of the media it acquires.
+
* [[JTAG HTC Wildfire S]]
It does this by calculating a MD5 hash of the original media data and adds a hash section
+
* [[JTAG LG P930 (Nitro HD)]]
to the last of the segment files. Later versions of Encase 6 also include a SHA1 hash.
+
* [[JTAG Samsung Galaxy S4 (SGH-I337)]]
 
+
* [[JTAG Huawei TracFone M865C]]
== See Also ==
+
 
+
[[EnCase]]
+
 
+
== External Links ==
+
 
+
* [https://downloads.sourceforge.net/project/libewf/documentation/EWF%20file%20format/Expert%20Witness%20Compression%20Format%20%28EWF%29.pdf Expert Witness Compression Format (EWF)].
+
* [http://www.cfreds.nist.gov/v2/Basic_Mac_Image.html Sample image in EnCase, iLook, and dd format] - From the [[Computer Forensic Reference Data Sets]] Project
+
 
+
[[Category:Forensics File Format]]
+

Revision as of 19:18, 11 September 2013

Definition

From Wikipedia (http://en.wikipedia.org/wiki/Joint_Test_Action_Group ):

Joint Test Action Group (JTAG) is the common name for what was later standardized as the IEEE 1149.1 Standard Test Access Port and Boundary-Scan Architecture. It was initially devised for testing printed circuit boards using boundary scan and is still widely used for this application. Today JTAG is also widely used for IC debug ports. In the embedded processor market, essentially all modern processors support JTAG when they have enough pins. Embedded systems development relies on debuggers talking to chips with JTAG to perform operations like single stepping and breakpointing. Digital electronics products such as cell phones or a wireless access point generally have no other debug or test interfaces.

Forensic Application

JTAG forensics is an acquisition procedure which involves connecting to the Standard Test Access Port (TAPs) on a device and instructing the processor to transfer the raw data stored on connected memory chips. Jtagging supported phones can be an extremely effective technique to extract a full physical image from devices that cannot be acquired by other means.

Tools and Equipment

Procedures