I hope someone can help me. I am doing research into different forensic image formats.
I know the E01 format is very common and there is lots of technical information about it. However, I am struggling to find much about the "Logical Evidence" format or L01 file.Â
I have found this specification but it isn't very clear how a L01 differs from an E01 file? They look very similar but seem to have a completely different purpose.Â
Please, what are the practical differences between a L01 and E01?Â
Basically, the EWF (.e01) files are nothing but a RAW (dd-like) copy of ALL "physical" contents of a device stored in a proprietary (compressed) archive, whilst the LEF files (.l01) are a (compressed) archive of the files in a volume (or in the file system), i.e the "logical" contents, nothing conceptually different from a normal .zip or .7z archive.
Loosely, the EWF contain everything that is on the device (including unallocated clusters, empty areas, non partitioned space, deleted files, everything, as it contains all physical sectors exactly as they are in the original), the LEF contains only what the OS can normally "see" at logical level, i.e. files and directories.
jaclaz
Yes, thank you. This is what I understood too.
The thing I haven't been able to find out is how it works inside. The E01 format records a compressed copy of the whole media sector-by-sector. The L01 format only contains the logical contents but is stored in a very similar format to E01. This suggests it works like a file system but I haven't been able to find any information about how this works, if it has an index (like a directory tree) or what limitations it may have.
Please does anyone know how L01 works on the inside?
For that you will need to read the documentation and examine/study the source code of libewf, I believe.
https://github.com/libyal/libewf
BTW almost *any* (compressed) archive format is (or can be rendered as) a (read-only) file system, basically what a (read only) file system does:
1) store a number of "chunks" that have a name, some metadata like dates, times, size, permissions, etc.
2) provide an index where the location/extents of such "named chunks" are
3) provide optionally some means to verify the integrity of these "named chunks"
4) allow to retrieve these chunks
what a (compressed) archive does:Â
1) store a number of (compressed) "chunks" that have a name, some metadata like dates, times, size, permissions, etc.
2) provide an index where the location/extents of such "named chunks" are
3) provide optionally some means to verify the integrity of these "named chunks"
4) allow to retrieve these chunks by decompressing them
And both are also a form of database (i.e. and indexed and retrievable set of records) , so the three terms (file system, archive or database) are pretty much interchangeable.
jaclaz
