I'm looking at a disk image created with Xways and the file system is showing as 'unknown' and I suspect whole disk encryption has been used. The first sectors of the drive show 'WSF0.4'.
Does anyone know if this is what I think it is?
I'm also trying to find some sort of list that shows known encryption headers for various software but not having any joy.
You may ask jaclaz - he is a genius in this domain.
I take it the disk is from a computer or similar device not a CCTV system?
I'm looking at a disk image created with Xways and the file system is showing as 'unknown' and I suspect whole disk encryption has been used.
On any definite grounds? (Say, estimated entropy of disc content?)
The first sectors of the drive show 'WSF0.4'.
Details, please. Where do they show WSF0.4? Everywhere?
Is there boot code on the disk? In what kind of computer (what CPU?) was it mounted?
Does the history of the disk support the hypothesis of full disc encryption?
I'm also trying to find some sort of list that shows known encryption headers for various software but not having any joy.
That's something that would be enormously useful, if done carefully. Perhaps as a repository of images of encrypted disks. Don't know of any myself.
You can sometimes find astonishing signatures in the file(1) library of file patterns. Try it on the latest update if you haven't already.
The only related tool I know is EDD, but as it doesn't seem to have been updated for a couple of years, I'm not sure if it is useful.
You may ask jaclaz - he is a genius in this domain.
There's no reply from him within 1hr of posting, this is very unusual.
WSF0.4 Header is a DVR drive
Thanks for the reply peoples. Unfortunately I don't have a lot of extra info, I wasn't at the warrant when the drive was located, but my information is that it was just sitting loose on a desk.
einstein9 thank you, I do vaguely recall seeing that header on drives pulled from CCTV systems in the past now that you mention it, so now I've got a direction to go digging.
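Added example, not part of any post in this thread: a short Python triage of the two questions raised above, the estimated entropy of the disk content and where the 'WSF0.4' string actually appears. The 512-byte sector size, the 32 KiB window, the 7.9 threshold and both sample images are assumptions constructed for illustration; the recorder-like layout is hypothetical and is not the real WSF format.

```python
import math
import random
from collections import Counter

SECTOR = 512          # assumed sector size
CHUNK = 64 * SECTOR   # 32 KiB windows; tiny windows under-estimate entropy

def shannon_entropy(block: bytes) -> float:
    """Bits per byte: 0.0 for constant data, approaching 8.0 for random data."""
    n = len(block)
    return -sum(c / n * math.log2(c / n) for c in Counter(block).values()) if n else 0.0

def survey(image: bytes, signature: bytes):
    """Per-window entropies, plus every sector number that starts with `signature`."""
    entropies = [shannon_entropy(image[o:o + CHUNK]) for o in range(0, len(image), CHUNK)]
    hits = [o // SECTOR for o in range(0, len(image), SECTOR)
            if image.startswith(signature, o)]
    return entropies, hits

def classify(image: bytes, signature: bytes, high: float = 7.9) -> str:
    entropies, hits = survey(image, signature)
    if not entropies:
        return "empty"
    if len(hits) > 1:
        # A plaintext marker repeating across the disk means on-disk structure.
        # Compressed video is high-entropy too, so entropy alone cannot tell a
        # recorder's disk from an encrypted one.
        return "recurring-signature"
    frac_high = sum(e >= high for e in entropies) / len(entropies)
    return "uniform-high-entropy" if frac_high >= 0.95 else "mixed"

def make_samples(seed: int = 1):
    """Constructed test images (not real evidence, not the real WSF layout)."""
    rng = random.Random(seed)
    rand = lambda n: rng.getrandbits(8 * n).to_bytes(n, "little")
    random_img = rand(1 << 20)  # stand-in for ciphertext
    record = lambda: b"WSF0.4".ljust(SECTOR, b"\0") + rand(127 * SECTOR)
    recorder_img = b"".join(record() for _ in range(16))  # hypothetical 64 KiB records
    return random_img, recorder_img

if __name__ == "__main__":
    for name, img in zip(("random", "recorder-like"), make_samples()):
        ents, hits = survey(img, b"WSF0.4")
        print(f"{name}: entropy {min(ents):.3f}-{max(ents):.3f}, "
              f"{len(hits)} signature sectors -> {classify(img, b'WSF0.4')}")
```

On a real image, run the same functions over sampled windows read from the file rather than loading the whole disk into memory.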