Sustainability of Digital Formats: Planning for Library of Congress Collections


Expert Witness Disk Image, EnCase Ex01 Bitstream


Identification and description

Full name: Expert Witness Compression Format, EnCase Ex01 Bitstream
Description

Second version of the EWF bitstream or forensic image format from Guidance Software (EnCase brand), generally similar to the description offered in EWF_Family. According to Joachim Metz, Guidance's official name for this format and its EWF_Lx01 counterpart is EnCase Evidence File Format Version 2. For this and the counterpart EWF_Lx01 format, Metz reports that the data is either compressed or uncompressed, although the "no compression" option seems not to be supported in applications. If compressed, the choices are the open-source program BZip2 or LZ; unlike EnCase's first version formats, multiple levels of compression are no longer offered. Metz's note about LZ compression mentions deflate, RFC1950, and zlib.

EWF_Ex01 (and the counterpart EWF_Lx01) files contain 20 sections. The following list is based on Metz's analysis, which provides section type values for all of the sections; Metz uses the section type value when referring to the two "unknown" sections.

  • Device information
  • Case data
  • Sector data
  • Sector table
  • Error table
  • Session table
  • Increment data
  • MD5 hash
  • SHA1 hash
  • Restart data
  • Encryption keys
  • Memory extents table
  • Next
  • Final information
  • Done
  • Analytical data
  • Single files data
  • Single files (unknown table, section type value 0x00000021)
  • Single files MD5 hash table
  • Single files (unknown table, section type value 0x00000023)
Production phase: Typically used for data analysis and not part of a process to create new content. May be used to archive data.
Relationship to other formats
    Subtype of: EWF_Family, Expert Witness Format (EWF) Family
    Has earlier version: EWF_E01, Expert Witness Format, Encase E01 Bitstream

Local use

LC experience or existing holdings  
LC preference  

Sustainability factors

Disclosure: Open documentation produced via reverse engineering by Joachim Metz.
    Documentation: EWF 2 specification: Expert Witness Compression Format version 2 specification
Adoption: In archives (as distinct from legal and law enforcement settings), where tools like BitCurator and FTK Imager are in wide use, user comments suggest that the EWF_E01 and AFF (description forthcoming) bitstream formats are more widely used than EWF_Ex01.
    Licensing and patents: Not investigated at this writing.
Transparency: See EWF_Family
Self-documentation: See EWF_Family
External dependencies: None
Technical protection considerations: See EWF_Family

Quality and functionality factors


File type signifiers and format identifiers

Tag | Value | Note
Filename extension | Ex01 | Filename extensions for the first 99 content segments are .Ex01, .Ex02, through .Ex99; followed by .ExAA, .ExAB, and so on.
Magic numbers | Hex: 45 56 46 32 0D 0A 81 00; ASCII: EVF2.... | From Gary Kessler's File Signatures Table.
Pronom PUID | Not found. Comments welcome. |
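
Added example (not part of the original format description, and not code from Guidance Software or Joachim Metz): a Python check that a set of evidence segment files follows the extension sequence in the table above and that each file begins with the listed magic number. Assumptions: every segment file starts with the signature, and the two-letter extensions advance AA..AZ, BA..ZZ; the function names and sample file names are hypothetical.

```python
import string

# Magic number from the table above: "EVF2" followed by 0D 0A 81 00.
EX01_MAGIC = bytes.fromhex("45 56 46 32 0D 0A 81 00")
_AZ = string.ascii_uppercase

def segment_extension(n: int) -> str:
    """Extension of the n-th segment (1-based): Ex01..Ex99, then ExAA, ExAB, ...
    Assumption: letters advance AA..AZ, BA..ZZ; later segments are not modelled."""
    if 1 <= n <= 99:
        return f"Ex{n:02d}"
    idx = n - 100
    if not 0 <= idx < 26 * 26:
        raise ValueError(f"segment number {n} is outside the modelled range")
    return "Ex" + _AZ[idx // 26] + _AZ[idx % 26]

# Reverse lookup: extension -> segment number.
_INDEX = {segment_extension(n): n for n in range(1, 100 + 26 * 26)}

def has_ex01_signature(head: bytes) -> bool:
    """True when the leading 8 bytes equal the Ex01 magic number."""
    return head[:8] == EX01_MAGIC

def check_segment_set(heads: dict) -> list:
    """heads maps file name -> first bytes of that file. Returns problems found."""
    problems, seen = [], {}
    for name, head in sorted(heads.items()):
        ext = name.rsplit(".", 1)[-1]
        if ext not in _INDEX:
            problems.append(f"{name}: not an Ex01 segment extension")
            continue
        seen[_INDEX[ext]] = name
        if not has_ex01_signature(head):
            problems.append(f"{name}: signature mismatch ({head[:8].hex(' ')})")
    # A gap in the numbering means a segment of the image is absent.
    for n in range(1, max(seen, default=0) + 1):
        if n not in seen:
            problems.append(f"segment {n} (.{segment_extension(n)}) is missing")
    return problems

if __name__ == "__main__":
    # Constructed sample: leading bytes of three hypothetical segment files.
    sample = {
        "case.Ex01": EX01_MAGIC + bytes(8),
        "case.Ex02": b"EVF\x09\x0d\x0a\xff\x00" + bytes(8),  # not the Ex01 magic
        "case.Ex04": EX01_MAGIC + bytes(8),
    }
    for problem in check_segment_set(sample):
        print(problem)
```

To use it on real files, read the first 8 bytes of each segment in binary mode and pass them in the dictionary.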

Notes

General
History

Format specifications


Useful references

URLs


Last Updated: 12/27/2022