Sustainability of Digital Formats: Planning for Library of Congress Collections

Introduction | Sustainability Factors | Content Categories | Format Descriptions | Contact
Format Description Categories >> Browse Alphabetical List

Expert Witness Disk Image Format (EWF) Family

>> Back
Table of Contents
Format Description Properties Explanation of format description terms

Identification and description Explanation of format description terms

Full name Expert Witness Disk Image Format (EWF) Family
Description

EWF files are a type of disk image, i.e., files that contain the contents and structure of an entire data storage device, a disk volume, or (in some cases) a computer's physical memory (RAM). (See Notes for additional introductory information about disk images.) EWF files consist of one or more sections, each with its own header and section-level fixity data, usually in the form of an Adler-32 checksum. According to an 2009 article by Cohen, Garfinkel, and Schatz, EWF files "compress the image into 32 kb chunks which are stored back to back in groupings inside the file . . . [with] tables of relative indexes . . . to improve random access efficiency." Since the data to be imaged, e.g., from a large hard drive, may be extensive, EWF may use one of the following approaches that make the image data easier to manage. First, compression may be applied, typically using the deflate algorithm specified in RFC 1951 and also used in ZIP and PDF files. Second, data may be segmented across a sequence of EWF files that carry incrementing filename extensions. High-level fixity data may be provided in some versions of EWF via MD5 or SHA1 checksums on all of the data, even if carried in multiple segments.

EWF files may take one of two forms. The first is referred to as a bitstream or forensic image (one writer calls this the "normal image file"). This is a sector-by-sector copy of the source, thereby replicating the structure and contents of the storage device independent of the file system. Bitstream images include inactive data like the files and fragments that reside in unallocated space including deleted files that have not yet been overwritten.

The second form is called a logical evidence file and it preserves the original files as they existed on the media and also documents the assigned file name and extension; datetime created, modified, and last accessed; logical and physical size; MD5 hash value (fixity information); permissions; starting extent; and original path. Logical evidence files are typically created after an analysis locates some files of interest, and for forensic reasons, they are kept in an "evidence grade" container. Thus, in some situations, a user may have both a bitstream image and a logical evidence file.

Production phase Typically used for data analysis and not part of a process to create new content. May be used to archive data.
Relationship to other formats
    Has subtype EWF_SMART, Expert Witness Disk Image, ARS SMART
    Has subtype EWF_E01, Expert Witness Disk Image, EnCase E01 Bitstream
    Has subtype EWF_L01, Expert Witness Disk Image, EnCase L01 Logical
    Has subtype EWF_Ex01, Expert Witness Disk Image, EnCase Ex01 Bitstream
    Has subtype EWF_Lx01, Expert Witness Disk Image, EnCase Lx01 Logical

Local use Explanation of format description terms

LC experience or existing holdings Disk images are produced by the Tangible Media Preservation Project, which began in or about 2013.
LC preference The Tangible Media Preservation Project produced disk images in the EWF_E01 and AFF_1_0 bitstream formats.

Sustainability factors Explanation of format description terms

Disclosure Disclosure for the EWF family is variable. A published description exists for EWF_SMART, while the EnCase formats (EWF_E01, EWF_L01, EWF_Ex01, and EWF_Lx01) have been described by Joachim Metz after he reverse engineered examples. One location for the EWF_SMART specification is Simson Garfinkel's invaluable Forensics Wiki.
    Documentation See the subtype descriptions.
Adoption Widely adopted by law enforcement and legal investigators. Some adoption in archives, supported by the inclusion of EWF capabilities (especially for EWF_E01) in the popular BitCurator and FTK Imager tools.
    Licensing and patents Not investigated at this writing.
Transparency Transparent wrapper; content within wrapper may require algorithms and tools to read, and/or require sophistication to build tools. Forensic expert Joachim Metz warns that there is variation in how EWF is implemented, even among the subtypes, resulting in a number of "edge cases." (Personal communication, 2014)
Self-documentation EWF files have file- and section-level headers that document the facts of their creation and other information provided by their creators. Detailed descriptions of the imaged content are provided by the forensic tools that are applied in post-processes.
External dependencies None
Technical protection considerations Encryption may be applied. Concerning one widely used tool capable of making EWF_SMART and EWF_E01 files, Joachim Metz writes, "As of version 2.8, FTK Imager supports 'AD encryption.' Although the output file uses the EWF extensions the file actually is a AES-256 encrypted container. The EWF can be encrypted using a pass-phrase or a certificate." The EnCase Forensic Imager tool can also encrypt data in that company's formats (EWF_E01, EWF_L01, EWF_Ex01, and EWF_Lx01).

Quality and functionality factors Explanation of format description terms


File type signifiers and format identifiers Explanation of format description terms

Tag Value Note
Filename extension See related format.  See EWF_SMART, EWF_E01, EWF_L01, EWF_Ex01, and EWF_Lx01.
Magic numbers See related format.  See EWF_SMART, EWF_E01, EWF_L01, EWF_Ex01, and EWF_Lx01.

Notes Explanation of format description terms

General

EWF files are a type of disk image, a format category generally used to capture and "freeze" the contents and structure of storage devices, e.g., hard drives, floppy disks, tape drives, optical discs, or USB flash drives. The target for an image may represent a portion of storage device, e.g., a disk volume or a logical drive (C:\ drive, file system, etc.). In some cases, investigators create images of a computer's physical memory (RAM).

Disk images like EWF are sometimes called "evidence grade" since they include embedded metadata about their creation, fixity data, and other elements that provide elements for a chain of evidence or an audit trail. These markers differentiate evidence grade image files from traditional computer-system backups, which may alter critical metadata like filesystem datestamps. The word forensic may be associated with any type of image file, reflecting their role in the service of law enforcement and legal investigations. After they have been created, image files are analyzed and described by sophisticated software applications in order to provide information for legal processes. However, the special features of evidence-grade images means that the adjective forensic is most often applied to this type.

Joachim Metz's descriptions (cited in Useful references below) differentiate members of the EWF family in various ways, including in terms of the quantities of sections established for each. It is hard not to see the ever-growing list of section names as a progression that reflects the developers' growing recognition of the range and extent of information they wished to categorize and manage. EWF_SMART, the first to be defined, has four sections; EWF_E01, part of the second wave, has the same four and nine more (total of 13); and EWF_L01, the other part of the second wave, adds two more (total of 15). The third wave, consisting of EWF_Ex01 and EWF_Lx01, offers 20 sections, many of which carry new names (and, to a degree, have been reconceived), a marker of EnCase's rethinking of their "version 2" formats. Lists of sections are provided in the EWF descriptions on this Web site.

History The dates on specifications and other documents suggest the following chronology:
  • 1998: Simson Garfinkel reports that both Guidance Software (later used the brand EnCase) and ASR Data (later used the brand SMART) had disk image formats in play, apparently both called Expert Witness. It is worth noting that competition between these companies, later joined by AccessData (FTK Toolkit) and others, mainly pertains to the analytic capabilities of their software; the disk image data-and-wrapper format itself is somewhat incidental, although still a source of contention.
  • 1999: Document related to a legal action brought by ASR Data against Guidance Software regarding Guidance's use and labeling of EWF images. The action forbids Guidance from using ASR's trademark "Expert Witness."
  • 2002: ASR Data publishes the revised Expert Witness File Format Specification.
  • 2006-2010: Period during which Joachim Metz carried out the bulk of his reverse engineering of the "first version" EWF specifications, especially Guidance-EnCase's EWF_E01 and EWF_L01. This documentation was intended to support Metz's development of the open source EWF code library libewf, which continued to evolve as time passed (at this writing, the latest version is here).
  • 2012: Metz documents Guidance-EnCase's version 2 formats, EWF_Ex01 and EWF_Lx01.

Format specifications Explanation of format description terms


Useful references

URLs


Last Updated: Monday, 27-Feb-2017 09:55:16 EST