Does anyone know the file format of the EnCase evidence files?
I have an EnCase image that is corrupt; I need to pull off just the image within the evidence file. Is there software that repairs corrupt EnCase evidence files?
Thanks.
Sub
Sub,
Have you tried the EnCase list(s)/forum(s) at Guidance Software? My understanding is that they have some pretty good info over there…you just need to be a registered user.
H. Carvey
"Windows Forensics and Incident Recovery"
http//
http://windowsir.blogspot.com
There was some talk about this as a feature request on the Guidance forum. To my knowledge nothing has been added to date. I'm not sure what is corrupt, but it would seem that if the corruption were in the data portion of the evidence file you would be able to open the image, it would just not verify. Have you looked at the image with a hex editor? Perhaps the problem is in the header and you can fix it by cutting & pasting one from a good evidence file.
Hi,
I believe SMART for Linux may be able to access corrupt EnCase files. Providing it's not the first few sectors of the E01 file, you should be able to access everything apart from the corrupt data. Hope this helps.
This may be of some help to you...
http//
This paper documents the "Expert Witness" file format, which became the EnCase file format.
Regards
Zyborski
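
The header check suggested earlier in the thread can be scripted instead of done by eye in a hex editor. The following is an added example, not part of any post above: it assumes the commonly documented E01 layout (a 13-byte file header beginning with the `EVF` signature, followed by 76-byte section descriptors that end in an Adler-32 checksum), which this thread does not itself state, and all function names are hypothetical. The sample segment is constructed, not a real evidence file.

```python
import struct
import zlib

EVF_SIGNATURE = b"EVF\x09\x0d\x0a\xff\x00"   # assumed E01 signature
FILE_HEADER_LEN = 13                          # signature + 0x01 + segment no. + 0x0000
DESCRIPTOR = struct.Struct("<16sQQ40sI")      # type, next offset, size, padding, Adler-32


def check_file_header(data):
    """Return the segment number, or None if the 13-byte file header is damaged."""
    if len(data) < FILE_HEADER_LEN or data[:8] != EVF_SIGNATURE:
        return None
    start, segment, end = struct.unpack_from("<BHH", data, 8)
    return segment if (start, end) == (1, 0) else None


def walk_sections(data):
    """Follow the section chain; return [(offset, type, checksum_ok)], stopping at the first bad one."""
    found, offset, seen = [], FILE_HEADER_LEN, set()
    while offset not in seen and offset + DESCRIPTOR.size <= len(data):
        seen.add(offset)
        raw = data[offset:offset + DESCRIPTOR.size]
        kind, nxt, _size, _pad, stored = DESCRIPTOR.unpack(raw)
        ok = zlib.adler32(raw[:72]) == stored   # checksum covers the first 72 bytes
        found.append((offset, kind.rstrip(b"\x00").decode("ascii", "replace"), ok))
        if not ok:
            break          # the next-offset field cannot be trusted past this point
        offset = nxt       # the last section points at itself, which ends the loop
    return found


def build_sample():
    """Constructed two-section segment (not a real evidence file) for the demo."""
    def section(kind, offset, body, last=False):
        size = DESCRIPTOR.size + len(body)
        nxt = offset if last else offset + size
        head = struct.pack("<16sQQ40s", kind, nxt, size, b"")
        return head + struct.pack("<I", zlib.adler32(head)) + body
    first = section(b"header", FILE_HEADER_LEN, b"\x00" * 32)
    done = section(b"done", FILE_HEADER_LEN + len(first), b"", last=True)
    return EVF_SIGNATURE + struct.pack("<BHH", 1, 1, 0) + first + done


if __name__ == "__main__":
    image = bytearray(build_sample())
    print(check_file_header(image), walk_sections(bytes(image)))
    image[13 + 20] ^= 0xFF                      # damage the first descriptor
    print(walk_sections(bytes(image)))
```

Run it against a working copy of the segment file, never the original evidence; the first offset reported with a failed checksum is where the section chain stops being trustworthy.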