|Full name||Expert Witness Disk Image Format (EWF) Family|
EWF files are a type of disk image, i.e., files that contain the contents and structure of an entire data storage device, a disk volume, or (in some cases) a computer's physical memory (RAM). (See Notes for additional introductory information about disk images.) EWF files consist of one or more sections, each with its own header and section-level fixity data, usually in the form of an Adler-32 checksum. According to a 2009 article by Cohen, Garfinkel, and Schatz, EWF files "compress the image into 32 kb chunks which are stored back to back in groupings inside the file . . . [with] tables of relative indexes . . . to improve random access efficiency." Since the data to be imaged, e.g., from a large hard drive, may be extensive, EWF may use one of the following approaches that make the image data easier to manage. First, compression may be applied, typically using the deflate algorithm specified in RFC 1951 and also used in ZIP and PDF files. Second, data may be segmented across a sequence of EWF files that carry incrementing filename extensions. High-level fixity data may be provided in some versions of EWF via MD5 or SHA-1 checksums computed over all of the data, even when it is carried in multiple segments.
EWF files may take one of two forms. The first is referred to as a bitstream or forensic image (one writer calls this the "normal image file"). This is a sector-by-sector copy of the source, thereby replicating the structure and contents of the storage device independent of the file system. Bitstream images include inactive data like the files and fragments that reside in unallocated space, including deleted files that have not yet been overwritten.
The second form is called a logical evidence file and it preserves the original files as they existed on the media and also documents the assigned file name and extension; datetime created, modified, and last accessed; logical and physical size; MD5 hash value (fixity information); permissions; starting extent; and original path. Logical evidence files are typically created after an analysis locates some files of interest, and for forensic reasons, they are kept in an "evidence grade" container. Thus, in some situations, a user may have both a bitstream image and a logical evidence file.
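The chunked, compressed, segmented layout with two levels of fixity described above can be modelled in a few dozen lines. The following is an added illustration, not code from the page's sources and not the real EWF on-disk encoding: it splits a constructed image into 32 KiB chunks, deflates each, stores them back to back with a table of relative offsets for random access, keeps an Adler-32 per segment as section-level fixity, and computes MD5/SHA-1 over the whole image so that fixity spans every segment.

```python
import hashlib
import zlib

CHUNK_SIZE = 32 * 1024  # EWF stores image data in 32 KiB chunks (Cohen, Garfinkel and Schatz)

# Constructed sample "device" contents: 76,800 bytes, i.e. two full chunks plus a partial one.
SAMPLE_IMAGE = bytes(range(256)) * 300


def build_segments(image, chunks_per_segment):
    """Model of the layout: deflate each 32 KiB chunk (zlib-wrapped, as zlib.compress emits),
    store chunks back to back, and keep a table of offsets relative to the segment start so a
    chunk can be located without inflating its predecessors. Each segment carries an Adler-32
    over its chunk data; MD5 and SHA-1 over the whole uncompressed image span all segments."""
    chunks = [image[i:i + CHUNK_SIZE] for i in range(0, len(image), CHUNK_SIZE)]
    segments = []
    for start in range(0, len(chunks), chunks_per_segment):
        data = bytearray()
        table = []
        for chunk in chunks[start:start + chunks_per_segment]:
            table.append(len(data))          # relative offset of this chunk in the segment
            data += zlib.compress(chunk)
        data = bytes(data)
        segments.append({"table": table, "data": data, "adler32": zlib.adler32(data)})
    return segments, hashlib.md5(image).hexdigest(), hashlib.sha1(image).hexdigest()


def read_chunk(segments, index, chunks_per_segment):
    """Random access: use the offset table to pull and inflate one chunk by global index."""
    seg = segments[index // chunks_per_segment]
    local = index % chunks_per_segment
    start = seg["table"][local]
    end = seg["table"][local + 1] if local + 1 < len(seg["table"]) else len(seg["data"])
    return zlib.decompress(seg["data"][start:end])


def verify(segments, chunks_per_segment, expected_md5):
    """Check every segment's Adler-32 first (cheap; catches a corrupt or swapped segment),
    then rebuild the image chunk by chunk and compare the cross-segment MD5."""
    if any(zlib.adler32(seg["data"]) != seg["adler32"] for seg in segments):
        return False
    md5 = hashlib.md5()
    for index in range(sum(len(seg["table"]) for seg in segments)):
        md5.update(read_chunk(segments, index, chunks_per_segment))
    return md5.hexdigest() == expected_md5


if __name__ == "__main__":
    segs, md5_hex, sha1_hex = build_segments(SAMPLE_IMAGE, chunks_per_segment=2)
    print(len(segs), "segments; image MD5", md5_hex, "SHA-1", sha1_hex)
    print("fixity ok:", verify(segs, 2, md5_hex))
```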
|Production phase||Typically used for data analysis and not part of a process to create new content. May be used to archive data.|
|Relationship to other formats|
|Has subtype||EWF_SMART, Expert Witness Disk Image, ARS SMART|
|Has subtype||EWF_E01, Expert Witness Disk Image, EnCase E01 Bitstream|
|Has subtype||EWF_L01, Expert Witness Disk Image, EnCase L01 Logical|
|Has subtype||EWF_Ex01, Expert Witness Disk Image, EnCase Ex01 Bitstream|
|Has subtype||EWF_Lx01, Expert Witness Disk Image, EnCase Lx01 Logical|
|LC experience or existing holdings||Disk images are produced by the Tangible Media Preservation Project, which began in or about 2013.|
|LC preference||The Tangible Media Preservation Project produced disk images in the EWF_E01 and AFF_1_0 bitstream formats.|
|Disclosure||Disclosure for the EWF family is variable. A published description exists for EWF_SMART, while the EnCase formats (EWF_E01, EWF_L01, EWF_Ex01, and EWF_Lx01) have been described by Joachim Metz after he reverse engineered examples. One location for the EWF_SMART specification is Simson Garfinkel's invaluable Forensics Wiki.|
|Documentation||See the subtype descriptions.|
|Adoption||Widely adopted by law enforcement and legal investigators. Some adoption in archives, supported by the inclusion of EWF capabilities (especially for EWF_E01) in the popular BitCurator and FTK Imager tools.|
|Licensing and patents||Not investigated at this writing.|
|Transparency||Transparent wrapper; content within wrapper may require algorithms and tools to read, and/or require sophistication to build tools. Forensic expert Joachim Metz warns that there is variation in how EWF is implemented, even among the subtypes, resulting in a number of "edge cases." (Personal communication, 2014)|
|Self-documentation||EWF files have file- and section-level headers that document the facts of their creation and other information provided by their creators. Detailed descriptions of the imaged content are provided by the forensic tools that are applied in post-processes.|
|Technical protection considerations||Encryption may be applied. Concerning one widely used tool capable of making EWF_SMART and EWF_E01 files, Joachim Metz writes, "As of version 2.8, FTK Imager supports 'AD encryption.' Although the output file uses the EWF extensions the file actually is an AES-256 encrypted container. The EWF can be encrypted using a pass-phrase or a certificate." The EnCase Forensic Imager tool can also encrypt data in that company's formats (EWF_E01, EWF_L01, EWF_Ex01, and EWF_Lx01).|
|Filename extension||See related format.||See EWF_SMART, EWF_E01, EWF_L01, EWF_Ex01, and EWF_Lx01.|
|Magic numbers||See related format.||See EWF_SMART, EWF_E01, EWF_L01, EWF_Ex01, and EWF_Lx01.|
EWF files are a type of disk image, a format category generally used to capture and "freeze" the contents and structure of storage devices, e.g., hard drives, floppy disks, tape drives, optical discs, or USB flash drives. The target for an image may represent a portion of a storage device, e.g., a disk volume or a logical drive (C:\ drive, file system, etc.). In some cases, investigators create images of a computer's physical memory (RAM).
Disk images like EWF are sometimes called "evidence grade" since they include embedded metadata about their creation, fixity data, and other elements that support a chain of evidence or an audit trail. These markers differentiate evidence grade image files from traditional computer-system backups, which may alter critical metadata like filesystem datestamps. The word forensic may be associated with any type of image file, reflecting their role in the service of law enforcement and legal investigations. After they have been created, image files are analyzed and described by sophisticated software applications in order to provide information for legal processes. However, the special features of evidence-grade images mean that the adjective forensic is most often applied to this type.
Joachim Metz's descriptions (cited in Useful references below) differentiate members of the EWF family in various ways, including in terms of the quantities of sections established for each. It is hard not to see the ever-growing list of section names as a progression that reflects the developers' growing recognition of the range and extent of information they wished to categorize and manage. EWF_SMART, the first to be defined, has four sections; EWF_E01, part of the second wave, has the same four and nine more (total of 13); and EWF_L01, the other part of the second wave, adds two more (total of 15). The third wave, consisting of EWF_Ex01 and EWF_Lx01, offers 20 sections, many of which carry new names (and, to a degree, have been reconceived), a marker of EnCase's rethinking of their "version 2" formats. Lists of sections are provided in the EWF descriptions on this Web site.
|History||The dates on specifications and other documents suggest the following chronology: