Sustainability of Digital Formats: Planning for Library of Congress Collections


Expert Witness Disk Image, EnCase E01 Bitstream


Identification and description

Full name Expert Witness Compression Format, EnCase E01 Bitstream
Description

First version of the EWF bitstream or forensic image format from Guidance Software (EnCase brand), generally similar to the description offered in EWF_Family. This and the counterpart EWF_L01 format offer three levels of compression: "no," "good," and "best."

EWF_E01 files contain 13 sections; the first four are carried over from EWF_SMART:

  • Header section
  • Volume section
  • Table section
  • Next and Done section
  • Header2 section
  • Disk section
  • Sectors section
  • Table2 section
  • Data section
  • Errors2 section
  • Session section
  • Hash section
  • Digest section
Production phase Typically used for data analysis and not part of a process to create new content. May be used to archive data.
Relationship to other formats
    Subtype of EWF_Family, Expert Witness Format (EWF) Family
    Has later version EWF_Ex01, Expert Witness Format, Encase Ex01 Bitstream

Local use

LC experience or existing holdings EWF_E01 disk images are produced by the Tangible Media Preservation Project, which began in or about 2013.
LC preference  

Sustainability factors

Disclosure Open documentation produced via reverse engineering by Joachim Metz.
    Documentation EWF specification: Expert Witness Compression Format specification
Adoption In archives (as distinct from legal and law enforcement settings), where tools like BitCurator and FTK Imager are in wide use, user comments suggest that EWF_E01 is one of the more frequently employed formats.
    Licensing and patents Not investigated at this writing.
Transparency See EWF_family
Self-documentation See EWF_family
External dependencies None
Technical protection considerations See EWF_family

Quality and functionality factors


File type signifiers and format identifiers

Tag | Value | Note
Filename extension | E01 | Filename extensions for the first 99 content segments are .E01, .E02, through .E99; followed by .EAA, .EAB, and so on.
Magic numbers | Hex: 45 56 46 09 0D 0A FF 00; ASCII: EVF...ÿ. | From Gary Kessler's File Signatures Table.
Pronom PUID | fmt/803 |
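
As an added example (not code from the Library of Congress, Guidance Software, or Joachim Metz), the following Python sketch checks an acquired segment set against the two identifiers above: every segment must begin with the 8-byte signature, and the extensions must run without gaps. The stem `case42`, the helper `build_sample`, and the rule that the sequence continues from .EAZ to .EBA are assumptions made for illustration.

```python
import itertools
import string
import tempfile
from pathlib import Path

# Signature from the "Magic numbers" row: 45 56 46 09 0D 0A FF 00
EVF_SIGNATURE = bytes.fromhex("455646090D0AFF00")


def segment_extensions():
    """Yield E01..E99, then EAA, EAB, ... in the order the page describes."""
    for n in range(1, 100):
        yield f"E{n:02d}"
    # Assumption: "and so on" advances the last letter first (EAZ -> EBA ... EZZ).
    for a, b in itertools.product(string.ascii_uppercase, repeat=2):
        yield f"E{a}{b}"


def check_segment_set(directory, stem):
    """Report missing segments and segments whose first 8 bytes are not the signature."""
    present = {p.suffix[1:].upper(): p for p in Path(directory).glob(f"{stem}.*")}
    expected = list(itertools.islice(segment_extensions(), 99 + 26 * 26))
    known = [ext for ext in expected if ext in present]
    if not known:
        return {"segments": 0, "missing": [], "bad_signature": []}
    last = expected.index(known[-1])
    missing = [ext for ext in expected[: last + 1] if ext not in present]
    bad = []
    for ext in known:
        with open(present[ext], "rb") as fh:
            if fh.read(len(EVF_SIGNATURE)) != EVF_SIGNATURE:
                bad.append(ext)
    return {"segments": len(known), "missing": missing, "bad_signature": bad}


def build_sample(directory, stem="case42", count=101, skip=("E57",), corrupt=("EAA",)):
    """Constructed sample: stub segment files with one gap and one wrong header."""
    for ext in itertools.islice(segment_extensions(), count):
        if ext in skip:
            continue
        head = b"\x00" * 8 if ext in corrupt else EVF_SIGNATURE
        (Path(directory) / f"{stem}.{ext}").write_bytes(head + b"constructed")
    return stem


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        print(check_segment_set(tmp, build_sample(tmp)))
```

A matching signature and a gap-free sequence only show that the set looks like a complete EWF_E01 image; they say nothing about whether the stored data is intact.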
 

Notes

General

Joachim Metz's analysis highlights the details of this format, including variation in the structure of .E01 headers, in part depending on the version of the EnCase tool used to create the file (pp. 5-13), a note on the .E01 header when a file is created by FTK Imager (p. 14), and notes on variations in the volume section according to the creating application (pp. 18-20).

History  

Format specifications


Useful references

URLs


Last Updated: 07/27/2017