Description
Second version of the EWF bitstream or forensic image format from Guidance Software (EnCase brand), generally similar to the description offered in EWF_Family. According to Joachim Metz, Guidance's official name for this format and its EWF_Lx01 counterpart is EnCase Evidence File Format Version 2. For this and the counterpart EWF_Lx01 format, Metz reports that the data is either compressed or uncompressed, although the "no compression" option seems not to be supported in applications. If compressed, the choices are the open-source program BZip2 or LZ; unlike EnCase's first version formats, multiple levels of compression are no longer offered. Metz's note about LZ compression mentions deflate, RFC1950, and zlib.
EWF_Ex01 (and the counterpart EWF_Lx01) files contain 20 sections. The following list is based on Metz's analysis, which provides section type values for all of the sections; Metz uses the section type value when referring to the two "unknown" sections.
- Device information
- Case data
- Sector data
- Sector table
- Error table
- Session table
- Increment data
- MD5 hash
- SHA1 hash
- Restart data
- Encryption keys
- Memory extents table
- Next
- Final information
- Done
- Analytical data
- Single files data
- Single files (unknown table, section type value 0x00000021)
- Single files MD5 hash table
- Single files (unknown table, section type value 0x00000023)