Join Us!

EnCase evidence fil...
 
Notifications
Clear all

EnCase evidence file format  

  RSS
sdhar
(@sdhar)
New Member

Does anyone know the file format of the EnCase evidence files?

I have an EnCase image that is corrupt, i need to pull off just the image within the evidence file. Is there a software that repairs corrupt EnCase evidence files?

Thanks.
Sub

Quote
Posted : 12/09/2005 5:51 pm
keydet89
(@keydet89)
Community Legend

Sub,

Have you tried the EnCase list(s)/forum(s) at Guidance Software? My understanding is that they have some pretty good info over there…you just need to be a registered user.

H. Carvey
"Windows Forensics and Incident Recovery"
http//www.windows-ir.com
http//windowsir.blogspot.com

ReplyQuote
Posted : 13/09/2005 7:04 am
gmarshall139
(@gmarshall139)
Active Member

There was some talk about this as a feature request on the Guidance forum. To my knowledge nothing has been added to date. I'm not sure what is corrupt, but it would seem that if the corruption were in the data portion of the evidence file you would be able to open the image, it would just not verify. Have you looked at the image with a hex editor? Perhaps the problem is in the header and you can fix it by cutting & pasting one from a good evidence file.

ReplyQuote
Posted : 13/09/2005 7:55 am
Wardy
(@wardy)
Active Member

Hi,
I believe SMART for linux may be able to access corrupt encase files. Providing its not the first few sectors of the EO1 file, you should be able to access everything apart from the corrupt data. Hope this helps.

ReplyQuote
Posted : 14/10/2005 3:50 pm
zyborski
(@zyborski)
New Member

This may be of some help to you…….

http//www.asrdata.com/SMART/whitepaper.html

This paper documents the 'Expert Witness" file format, which became the Encase file format.

Regards

Zyborski

ReplyQuote
Posted : 15/10/2005 8:18 pm
Share: