Hi
I am a student doing my final year project. I plan to make a set of java tools to analyse Encase image files, validate MD5, CRC and to examine header information. I would also like to be able to extract the image file(s) so that i can then analyse files within it to create a timeline functionality by looking at certain files and certain folder destinations.
I know the encase file structure is based on the Expert Witness Compression Format and that programs such as FTK can extract these files but i would like to know how it is done. Preferably a would like an exe that my program could execute that would extract the files.
Is any of this possible?
Thanks
Encase image file format
Perhaps the de facto standard for forensic analyses in law enforcement, Guidance Software's EnCase Forensic uses a closed format for images. This format is heavily based on ASR Data's Expert Witness Compression Format. EnCase's Evidence File (.E01) format contains a physical bitstream of an acquired disk, prefixed with a "Case Info" header, interlaced with CRCs for every block of 64 sectors (32 KB), and followed by a footer containing an MD5 hash for the entire bitstream. Contained in the header are the date and time of acquisition, an examiner's name, notes on the acquisition, and an optional password; the header concludes with its own CRC.
Not only is the format is compressible, it is also searchable. Compression is block-based, and jump tables and "file pointers" are maintained in the format's header or between blocks "to enhance speed". Disk images can be split into multiple segment files (e.g., for archival to CD or DVD).
Up to version 5 of EnCase the segment files could be no larger than 2 GB. This restriction has been removed using a work around the 31-bit offset values in version 6 of EnCase.
The format restricts the type and quantity of metadata that can be associated with an image. Extended EWF (EWF-X) defined by the libewf project provides a work around for this restriction specifying a new header and (digest) hash section using XML string to store the metadata. These EWF-X E01 files are compatible with EnCase and allow to store more metadata.
Though some have reverse-engineered the format for compatibility's sake, Guidances extensions to the format remains closed.
ASR White paper
http//
I know the encase file structure is based on the Expert Witness Compression Format and that programs such as FTK can extract these files but i would like to know how it is done. Preferably a would like an exe that my program could execute that would extract the files.
Is any of this possible?
Check out
There is also a pdf that you can download explaining the structure of EWF files.
A note of warning libewf is published under the LGPLv3 licensing so don't try to copy any of the code unless you follow the licensing agreement.
Paul
Use libewf then use JNILIB in java.
I use this system when I need to do a spiffy GUI front end without reverting to C++ ,then I write the lowlevel important stuff in C++ tied back to java.
Finally package it all up , as a java executable.
This allows you to concentrate on the job of display and extraction , without having to deal with the real low level stuff, also as bug fixes are made to libewf, your program is automatically improved , without you having to plow thrugh the code and work out your own fixes.