
EnCase evidence file format

(@sdhar)
New Member
Joined: 20 years ago
Posts: 1
Topic starter  

Does anyone know the file format of the EnCase evidence files?

I have an EnCase image that is corrupt; I need to pull off just the image within the evidence file. Is there software that repairs corrupt EnCase evidence files?

Thanks.
Sub


   
keydet89
(@keydet89)
Famed Member
Joined: 20 years ago
Posts: 3568
 

Sub,

Have you tried the EnCase list(s)/forum(s) at Guidance Software? My understanding is that they have some pretty good info over there…you just need to be a registered user.

H. Carvey
"Windows Forensics and Incident Recovery"
http://www.windows-ir.com
http://windowsir.blogspot.com


   
(@gmarshall139)
Reputable Member
Joined: 20 years ago
Posts: 378
 

There was some talk about this as a feature request on the Guidance forum. To my knowledge nothing has been added to date. I'm not sure what is corrupt, but it would seem that if the corruption were in the data portion of the evidence file you would be able to open the image, it would just not verify. Have you looked at the image with a hex editor? Perhaps the problem is in the header and you can fix it by cutting & pasting one from a good evidence file.


   
Wardy
(@wardy)
Estimable Member
Joined: 19 years ago
Posts: 149
 

Hi,
I believe SMART for Linux may be able to access corrupt EnCase files. Providing it's not the first few sectors of the E01 file, you should be able to access everything apart from the corrupt data. Hope this helps.


   
(@zyborski)
Active Member
Joined: 20 years ago
Posts: 12
 

This may be of some help to you...

http://www.asrdata.com/SMART/whitepaper.html

This paper documents the "Expert Witness" file format, which became the EnCase file format.

Regards

Zyborski
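
The header check suggested in the replies above can be scripted instead of done by eye in a hex editor. This is an added example, not part of the original thread or any vendor tool: it assumes the publicly documented Expert Witness layout (8-byte signature, 13-byte file header, 76-byte section descriptors ending in an Adler-32 checksum), and the function names and sample bytes are constructed for illustration.

```python
import struct
import zlib

EVF_SIGNATURE = b"EVF\x09\x0d\x0a\xff\x00"  # 8-byte magic at offset 0
FILE_HEADER_LEN = 13   # magic + 0x01 + uint16 segment number + 0x0000
DESCRIPTOR_LEN = 76    # type[16] + next[8] + size[8] + padding[40] + adler32[4]

def check_segment(data: bytes) -> list:
    """Return findings for one segment file's bytes; an empty list means the structure is intact."""
    if data[:8] != EVF_SIGNATURE:
        return ["bad signature at offset 0: " + data[:8].hex()]
    findings, offset = [], FILE_HEADER_LEN
    while True:
        desc = data[offset:offset + DESCRIPTOR_LEN]
        if len(desc) < DESCRIPTOR_LEN:
            findings.append(f"truncated section descriptor at offset {offset}")
            break
        name = desc[:16].rstrip(b"\x00").decode("ascii", "replace")
        next_off, _size = struct.unpack_from("<QQ", desc, 16)
        (stored,) = struct.unpack_from("<I", desc, 72)
        if zlib.adler32(desc[:72]) != stored:
            findings.append(f"descriptor checksum mismatch at offset {offset}")
            break  # the next-section pointer cannot be trusted past here
        if name in ("done", "next"):
            break  # last section of this segment
        if next_off <= offset:
            findings.append(f"section {name!r} at offset {offset} does not point forward")
            break
        offset = next_off
    return findings

def make_descriptor(name: bytes, next_off: int, size: int) -> bytes:
    """Build a section descriptor (used only for the constructed sample)."""
    body = name.ljust(16, b"\x00") + struct.pack("<QQ", next_off, size) + bytes(40)
    return body + struct.pack("<I", zlib.adler32(body))

def make_sample() -> bytes:
    """Constructed two-section segment: 'header' with 20 filler bytes, then 'done'."""
    out = EVF_SIGNATURE + b"\x01" + struct.pack("<H", 1) + b"\x00\x00"
    out += make_descriptor(b"header", 13 + 76 + 20, 76 + 20) + bytes(20)
    return out + make_descriptor(b"done", len(out), 76)

if __name__ == "__main__":
    good = make_sample()
    damaged = good[:30] + b"\xff" + good[31:]  # constructed damage in the first descriptor
    print(check_segment(good), check_segment(damaged))
```

The check only reads the bytes it is given, so it can be run against a working copy of each segment file to see how far the section chain is intact before attempting any repair.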


   