Libewf - Expert Witness Compression Format (EWF) .Asciidoc at Master Libyal - Libewf GitHub

28/8/2020 libewf/Expert Witness Compression Format (EWF).
asciidoc at master · libyal/libewf · GitHub
libyal / libewf
Code Issues 22 Pull requests 5 Actions Projects Wiki Security Insights
Dismiss
Join GitHub today
GitHub is home to over 50 million developers
working together to host and review code, manage
projects, and build software together.
Sign up
master
libewf / documentation / Expert Witness Compression Format (EWF).asciidoc

Go to file T
Go to line L
joachimmetz Worked on tests and code clean up
Copy path
2 contributors
Raw Blame
3888 lines (3064 sloc) 138 KB
EWF specification
Summary
EWF is short for Expert Witness Compression Format, according to [ASR02] . It is a file
type used to store media images for forensic purposes. It is currently widely used in the
field of computer forensics in proprietary tooling like EnCase en FTK. The original
specification of the format is provided by ASRDATA, for the SMART application.
The EWF format was succeeded by the Expert Witness Compression Format version 2 in
EnCase 7 (EWF2-Ex01 and EWF2-Lx01). EnCase 7 also uses a different version of EWF-
L01 then its predecessors.
https://github.com/libyal/libewf/blob/master/documentation/Expert Witness Compression Format %28EWF%29.asciidoc 1/111

28/8/2020 libewf/Expert Witness Compression Format (EWF).asciidoc at master · libyal/libewf · GitHub
This document is intended as a working document for the EWF specification. Which
should allow existing Open Source forensic tooling to be able to process this file type.
Document information
Author(s): Joachim Metz <joachim.metz@gmail.com>
Abstract: This document contains the EWF file format specification.
Classification: Public
Expert Witness Compression Format, EWF, EnCase file format,

Keywords:
SMART
License
Copyright (C) 2006-2019, Joachim Metz <joachim.metz@gmail.com>.

Permission is granted to copy, distribute and/or modify this document under the
terms of the GNU Free Documentation License, Version 1.3 or any later version
published by the Free Software Foundation; with no Invariant Sections, no
Front-Cover Texts, and no Back-Cover Texts. A copy of the license is included
in the section entitled "GNU Free Documentation License".
Revision history
Version Author Date Comments
J.B.
0.0.1 March 2006 Initial version
Metz
J.B.
0.0.2 March 2006 Additional information.
Metz
J.B.
Metz
J.B.
Metz

J.B. Additional information, regarding data

0.0.5 March 2006
Metz and header2 section.

0.0.6 March 2006
Metz and header2 section.
J.B. Additional information, regarding data,

0.0.7 March 2006
Metz hash and header2 section.

0.0.8 March 2006
Metz section.
Additional information, regarding chunk

J.B.
0.0.9 March 2006 and compression, offset array CRC and
Metz
error2 section.
J.B. Correction regarding EnCase 3 and

0.0.10 March 2006
Metz compression MSB.
J.B.
0.0.11 March 2006 Additions regarding EnCase 2.
Metz
Small changes regarding unknown in

volume and data. Removed some
J.B.
0.0.12 March 2006 spelling errors. Added the information
Metz
regarding when a chunk is compressed
or not.
J.B.
0.0.13 April 2006 Additions regarding EnCase 1.
Metz
J.B.
0.0.14 April 2006 Additions regarding byte order.
Metz
J.B.
0.0.15 April 2006 Additions regarding disk section.
Metz

J.B. Small adjustments regarding header

0.0.16 April 2006
Metz section.
J.B. Adjustments in error2 section

0.0.17 April 2006
Metz information.
J.B. Adjustments in hash section

0.0.18 May 2006
Metz information.
J.B. Fixed error in EnCase 4 header2 layout

0.0.19 August 2006
Metz information.
Added information regarding SMART

J.B. format generated by FTK Imager.
0.0.20 August 2006
Metz Corrected error about gzip compression
in header section.
J.B. Added information regarding SMART

0.0.21 August 2006
Metz format generated by FTK Imager.
J.B. Added information about segment file

0.0.22 August 2006
Metz extension naming.
J.B. Added information about EWF-L01 (LVF)

0.0.23 September 2006
Metz format.
J.B. Added information from EWF-L01

Metz analysis.
J.B. Changes after comments by Guy

Metz Voncken.
J.B. Corrected error regarding EnCase 1 and

0.0.26 October 2006
Metz SMART header specification.
J.B.
0.0.27 October 2006 Added theoretical maximum media size.
Metz

Additional information about section

J.B.
0.0.28 October 2006 start size in EnCase (EWF-E01) next and
Metz
done sections.
J.B. Additional information about CRC

0.0.29 November 2006
Metz algorithm.
Fixed error regarding the location of the

J.B. actual chunks in the EnCase 1 format,
Metz which actually is the table sections and
not the sectors section.
J.B. Additional information about the EnCase

Metz linen 5 (EWF-E01) format.
J.B.
0.0.32 December 2006 Additional information about GUID.
Metz
J.B. Corrected error regarding header

0.0.33 December 2006
Metz sections in EnCase 1 format.
Added new information regarding the

J.B. table section after encountering a bug in
Metz FTK for EWF files with more than 16 x
1024 offset table entries.
Corrected misinterpretation of original

J.B.
0.0.35 December 2006 specifications, regarding additional table
Metz
sections.
J.B.
0.0.36 January 2007 Added information about EnCase 6.
Metz
J.B.
0.0.37 January 2007 Added information about linen 6.
Metz

Added information about

J.B. EnCase6/linen6 header.
0.0.38 January 2007
Metz Adjustments regarding media type and
media flags.
J.B.
0.0.39 January 2007 Added information about header values.
Metz
J.B.
0.0.40 January 2007 Added information about EWF-X
Metz
J.B. Added information about EnCase 6.7

0.0.41 August 2007
Metz >2Gb segment file support.
Added information about EnCase 6.7

J.B.
0.0.42 August 2007 >2Gb segment file support and CD/DVD
Metz
image session sector.

Metz >2Gb segment file support.
J.B.
0.0.44 September 2007 Added page numbers.
Metz
J.B. Added information about session

Metz section.
J.B. Added information about session

0.0.46 March 2008
Metz section.
J.B. Added information about EnCase 6

0.0.47 March 2008
Metz >2GiB segment file format.
J.B.
0.0.48 June 2008 Textual corrections.
Metz

0.0.49 June 2008
Metz winen file format.


0.0.50 February 2009
Metz SHA1 hash support and header values.
J.B. Added information about EnCase

0.0.51 April 2009
Metz software version header value limitation.

0.0.52 April 2009
Metz Tableau write blocker support.
J.B.
0.0.53 November 2009 Small changes.
Metz
J.B. December 2009
0.0.54 Added information about ltree section.
Metz January 2010
J.B.
0.0.55 January 2010 Update for linen 6.12 and later.
Metz
J.B. Corrected amount of into number of.

0.0.56 May 2010
Metz Email change
J.B.
0.0.57 September 2010 Minor changes.
Metz
J.B.
0.0.58 September 2010 Changed CRC to checksum.
Metz
Additional session section information

with thanks to M. Nohr
J.B.
0.0.59 October 2010 Updated some tables to the newer
Metz
format.
Minor changes.
Minor changes and improvements with

J.B. thanks to G. Voncken.
Metz Updated some tables to the newer
format.

License version update

Additional information about optical
J.B.
0.0.61 December 2010 discs.
Metz
Additional information about AD
encryption.
J.B.
0.0.62 January 2011 Minor changes
Metz
J.B. Additional audio tracks information with

Metz thanks to M. Nohr
J.B.
0.0.64 May 2011 Changes to FTK imager format
Metz
Updated Logical File Evidence (LVF)

J.B.
0.0.65 June 2011 format flag information with thanks to B.
Metz
Baron.
Updated Logical File Evidence (LVF)

J.B.
0.0.66 September 2011 format flag information with thanks to
Metz
N. Harris
J.B. Small refinement in compressed vs

Metz uncompressed chunk data.
J.B. Added information about EnCase header

Metz values limitations thanks to G. Voncken.
Added information about EnCase 6.19

J.B. and 7, EWF-E01 and EWF-L01 format.
0.0.69 June 2012
Metz Email change; text clean up; some
corrections and additions.
J.B. Changes to match EWF version 2

0.0.70 July 2012
Metz documentation.

J.B.
0.0.71 July 2012 Updates regarding ltree header.
Metz
Updates files created by Expert Witness

J.B.
0.0.72 July 2012 1.35 (for Windows).
Metz
Other small corrections.
J.B.
0.0.73 August 2012 Updates regarding ltree header.
Metz
Updates regarding incomplete section

J.B. and corruption scenarios with thanks to
0.0.74 August 2012
Metz B. Johnson for pointing out the dual
image scenario.
J.B. Additional information regarding L01

Metz map entry.
J.B. Corrected some typos, thanks to A.

0.0.76 January 2013
Metz Bridge for pointing these out.
Additional information regarding

J.B.
0.0.77 March 2013 Logicube created E01 files with thanks to
Metz
D. Kovar and Digital Assembly LLC.
Improved description of zlib compressed

data format (RFC1950) and deflate
J.B. compression (RFC1951).
0.0.78 March 2013
Metz Updated the information regarding
Logicube products and the data section
checksum behavior.
J.B.
0.0.79 August 2015 Switched to asciidoc format.
Metz
J.B.
0.0.80 April 2016 Updates regarding ltree.
Metz

Z.
0.0.81 May 2017 Details of AD encryption
Travis
Formatting changes and additional

J.B.
0.0.82 December 2019 information regarding L01 files with
Metz
thanks to K. Stone.
1. Overview
The Expert Witness Compression Format (EWF) is used to store media images. It allows
to store disk and partition images, compressed or non-compressed. EWF can store a
single image in one or more segment files. Each segment file consist of a standard
header, followed by multiple sections. A single section cannot span multiple files.
Sections are arranged back-to-back.
Specifications:
In this document when referred to the EWF format it refers to the original
specification by [ASR02] . The newer formats like that of EnCase are deducted from
the original specification and will be referred to as the EWF-E01, because of the
default file extension. Whereas the Logical File Evidence (LVF) format introduced in
EnCase 5, which is also stored in the EWF format will be referred to as EWF-L01.
The SMART format is viewed separately to allow for discussion if the
implementation differs from the specification by [ASR02] and will be referred to as
the EWF-S01, because of the default file extension.
All offsets are relative to the beginning of an individual section, unless otherwise
noted. EnCase allows a maximum size of a segment file to be 2000 MiB. This has to
do with the size of the offset of the chunk of media data. This is a 32 bit value
where the most significant bit (MSB) is used as a compression flag. Therefore the
maximum offset size (31 bit) can address about 2048 MiB. In EnCase 6.7 an
addition was made to the table value to provide for a base offset to allow for
segment files greater than 2048 MiB.
A chunk is defined as the sector size (per default 512 bytes) multiplied by the block
size, the number of sectors per chunk (block) (per default 64 sectors). The data
within the EWF format is stored in little-endian. The terms block and chunk are
used intermittently.
1.1. Test version

The following version of programs were used to test the information within this
document:
FTK Imager 2.3, 2.4, 2.51, 2.9, 3.0 (Windows)
Expert Witness 1.35 (for Windows) (EnCase 1.35)
EnCase 1.99l (Windows)
EnCase 2.17a (DOS)
EnCase 3.21b (Windows)
EnCase 4.22 (Windows)
EnCase 5.04a, 5.05 (Windows)
EnCase 6.1, 6.7, 6.8, 6.10, 6.11, 6.12, 6.13, 6.14, 6.19 (Windows)
EnCase 7.04 (Windows)
Linen 5 (Linux)
Linen 6.01, 6.19 (Linux)
Linen 7.01 (Linux)
EnCase 7 no longer provides the fast and best compression options.
2. Segment file
EWF stores data in one or more segment files (or segments). Each segment file consists
of:
A file header.
One or more sections.
2.1. File header

Each segment file starts with a file header.
[ASR02] defines that the file header consists of 2 parts, namely:
a signature part
fields part
2.1.1. EWF, EWF-E01 and EWF-S01

This is file header is defined by [ASR02] and both used by the EWF-E01 and EWF-S01
formats.
The file header is 13 bytes of size and consists
Offset Size Value Description
Signature
0 8
"EVF\x09\x0d\x0a\xff\x00"
8 1 0x01 Start of fields
Segment number
9 2
Must be 1 or higher
11 2 0x0000 End of fields
Segment number contains a number which refers to the number of the segment file,
starting with 1 for the first file.
This means there could only be a maximum of 65535 (0xffff) files, if it is an

Note
unsigned value.
2.1.2. EWF-L01
This is file header is used by the EWF-L01 format.
The file header is 13 bytes of size and consists
Signature
0 8
"LVF\x09\x0d\x0a\xff\x00"
8 1 0x01 Start of fields
Segment number
9 2
Must be 1 or higher
11 2 0x0000 End of fields
Segment number contains a number which refers to the number of the segment file,
starting with 1 for the first file.
This means there could only be a maximum of 65535 (0xffff) files, if it is an

Note
unsigned value.
2.2. Segment file extensions

Both the SMART (EWF-S01) and the EWF-E01 use a different approach for naming the
segment files.
2.2.1. EWF-S01
The EWF-S01 extension naming has two distinct parts.
The first segment file has the extension '.s01'.
The next segment file has the extension '.s02.
This will continue up to '.s99'.
After which the next segment file has the extension '.saa'.
The next segment file has the extension '.sab'.
This will continue up to '.saz'.
The next segment file has the extension '.sba'.
This will continue up to '.szz'.
The next segment file has the extension '.faa'.
This will continue up to '.zzz'. (verify this; and then ?)
It will even continue to the use the extensions '.{aa'. (not confirmed)
libewf supports extensions up to .zzz
2.2.2. EWF-E01
The EWF-E01 extension naming has two distinct parts.
The first segment file has the extension '.E01'.
The next segment file has the extension '.E02.
This will continue up to '.E99'.
After which the next segment file has the extension '.EAA'.
The next segment file has the extension '.EAB'.

This will continue up to '.EAZ'.
The next segment file has the extension '.EBA'.
This will continue up to '.EZZ'.
The next segment file has the extension '.FAA'.
This will continue up to '.ZZZ'. (verify this; and then ?)
It will even continue to the use the extensions '.[AA'. (not confirmed)
libewf supports extensions up to .ZZZ
2.2.3. EWF-L01
The EWF-L01 extension naming has two distinct parts.
The first segment file has the extension '.L01'.
The next segment file has the extension '.L02.
This will continue up to '.L99'.
After which the next segment file has the extension '.LAA'.
The next segment file has the extension '.LAB'.
This will continue up to '.LAZ'.
The next segment file has the extension '.LBA'.
This will continue up to '.LZZ'.
The next segment file has the extension '.MAA'.
This will continue up to '.ZZZ'. (verify this; and then ?)
It will even continue to the use the extensions '.[AA'. (not confirmed)
libewf supports extensions up to .ZZZ
2.3. Segment file set identifier GUID

Segment file sets do not have a strict unique identifier. However the volume section
contains a GUID that can be used for this purpose. Where:
linen 5 to 6 use a time and MAC address based version (1) of the GUID
EnCase 5 to 7 and linen 6 to 7 use a random based version (4) of the GUID

In linen 6 the switch from a version 1 to 4 GUID was somewhere made between
version 6.01 and 6.19.
See RFC4122 for more information about the different GUID versions.
3. The sections
The remainder of the segment file consists of sections. Every section starts with the
same data this will be referred to as the section descriptor (previously referred to as
section start). The section descriptor could also be referred as the section header, but
this allows for unnecessary confusion with the header section.
3.1. Section descriptor

The section descriptor consist of 76 bytes, it contains information about a specific
section.
A string containing the section type definition.

0 16
E.g. "header", "volume", etc.
Next section offset

16 8
The offset is relative from the start of the segment file
24 8 Section size
32 40 0x00 Padding
Checksum
72 4 Adler-32 of all the previous data within the section
descriptor.
Some sections contain additional data, refer to paragraph section types for more
information.
In EnCase 2 DOS version the padding itself does not contains zero byte
Note
values but data, probably the memory is not wiped.
Note Expert Witness 1.35 (for Windows) does not set the section size.
3.2. Section types

There are multiple section types. [ASR02] defines the following:
Header section
Volume section
Table section
Next and Done section
Looking at more recent EnCase file (EWF-E01) formats and [COH] additional section
types were found:
Header2 section
Disk section
Sectors section
Table2 section
Data section
Errors2 section
Session section
Hash section
Digest section
Looking at the more recent EnCase file (EWF-L01) format additional section types were
found:
Ltree section
Ltypes section
3.3. Header2 section

The header2 section is identified in the section data type field as "header2". Some
aspects of this section are:
Found in EWF-E01 in EnCase 4 to 7, and EWF-L01 in EnCase 5 to 7
Found at the start of the first segment file. Not found in other segment files.
The same header2 section is found twice directly after one and other.
The additional data this section contains is the following:

Offset Number of bytes Description
76 (0x4c) (variable) Information about the acquired media.
The information about the acquired media consists of zlib compressed data (see
section: Compression). It contains text in UTF16 format specifying information about
the acquired media. The text multiple lines separated by an end of line character(s).
The first 2 bytes of the UTF16 string are the byte order mark (BOM):
0xff 0xfe for UTF-16 litte-endian
0xfe 0xff for UTF-16 big-endian
In the next paragraphs the various variants of the header2 section are described.
3.3.1. EnCase 4 (EWF-E01)
In EnCase 4 (EWF-E01) the header2 information consist of 5 lines, and contains the
equivalent information as the header section.
Line number Value Description
1 1 The number of categories provided
2 main The name/type of the category provided
3 Identifiers for the values in the 4th line
4 The data for the different identifiers in the 3rd line
5 (an empty line)
The end of line character(s) is a newline (0x0a).
Note This end of line character differs from the one used in the header section.
The 3rd and the 4th line consist of the following tab (0x09) separated values.
Identifier Character in
Value in 4th line
number 3rd line
1 a Unique description

Value in 4th line
number 3rd line
2 c Case number
3 n Evidence number
4 e Examiner name
5 t Notes
Version
6 av
The EnCase version used to acquire the media
Platform
7 ov The platform/operating system used to
acquire the media
8 m Acquisition date and time
9 u System date and time
10 p Password hash
For more information see section: Header2 values
Note The hashing algorithm is the same as for the header section.
3.3.2. EnCase 5 to 7 (EWF-E01)
In EnCase 5 to 7 (EWF-E01) the header2 information consist of 17 lines, and contains:
3 Identifier for the values in the category

4 The data for the different identifiers in the category
5 (an empty line)
The name/type of the category provided

6 srce
See section: Sources category
10
11 (an empty line)
The name/type of the category provided

12 sub
See section: Subjects category
13
16
17 (an empty line)
Main category
Note The actual values in this category are dependent on the version of EnCase.

Value in 4th line
number 3rd line
2 c Case number
3 n Evidence number
4 e Examiner name
5 t Notes
The model of the media, i.e. hard disk model

6 md
(introduced in EnCase 6)
The serial number of media

7 sn
The device label

8 l
(introduced in EnCase 6.19)
Version
9 av The EnCase version used to acquire the media
EnCase limits this value to 12 characters
Platform
acquire the media
13 p Password hash
Process identifier
14 pid The identifier of the process memory acquired
(introduced in EnCase 6.12/Winen 6.11)

Value in 4th line
number 3rd line
15 dc Unknown
Extents
16 ext The extents of the process memory acquired
(introduced in EnCase 6.12/Winen 6.11)
For more information see section: Header2 values
Notes
Both the acquiry and system date and time are empty in a file created by winen.
The date values in the header section (not header2) are set to: Thu Jan 1 00:00:00 1970.
Where the time is dependent on the time zone and daylight savings.
Sources category
Line 6 the srce category contains information about acquisition sources.
TODO describe what a source is in the context of EnCase.
Line 7 consists of 2 values, namely the values are "0 1".
The 8th line consist of the following tab (0x09) separated values. Note that the actual
values in this category are dependent on the version of EnCase.
Identifier Character in 8rd

Meaning
number line
1 p
2 n
Identifier
3 id
Contains an integer identifying the source
Evidence number
4 ev
Contains a string
Total bytes
5 tb
Contains an integer


Meaning
number line
Logical offset
6 lo Contains an integer which is -1 when value
is not set
Physical offset
7 po Contains an integer which is -1 when value
is not set
MD5 hash
8 ah Contains a string with the MD5 hash of the
source
SHA1 hash
Contains a string with the SHA1 hash of the
9 sh
source
Device GUID
10 gu Contains a string with a GUID or "0" if not
set
Primary device GUID

Contains a string with a GUID or "0" if not
11 pgu
set
Acquisition date and time

12 aq
Contains an integer with a POSIX timestamp
Line 10 contains the values defined by line 8.
The default values of some of these values has changed around EnCase
Note
6.12.
If the "ha" value contains "00000000000000000000000000000000" this means the MD5

hash is not set. The same applies for the "sha" value when it contains
"0000000000000000000000000000000000000000" the SHA1 has is not set.
Subjects category
Line 12 the sub category contains information about subjects.
TODO describe what a subject is in the context of EnCase.
The 14th line consist of the following tab (0x09) separated values.

Meaning
number line
1 p
2 n
Identifier
3 id Contains an integer identifying the
subject
4 nu Unknown (Number)
5 co Unknown (Comment)
6 gu Unknown (GUID)
Line 16 contains the values defined by line 14. Note that the default values of some of
these values has changed around EnCase 6.12.
3.3.3. EnCase 5 to 7 (EWF-L01)
The EnCase 5 to 7 (EWF-E01) header2 section specification also applies to the EnCase 5
to 7 (EWF-L01) format. However:
both the acquired and system date and time are not set
3.3.4. Header2 values
Identifier Description Notes

Free form string

Unique
a Note that EnCase might not respond when this
description
value is large e.g. >= 1 MiB
Free form string

c Case number
EnCase limits this string to 3000 - 1 characters
Evidence Free form string

n
number EnCase limits this string to 3000 - 1 characters
Free form string

e Examiner name
Free form string

t Notes
Free form string

md Model
Free form string

sn Serial Number
l Device label Free form string
Free form string

av Version
Free form string

ov Platform
String containing POSIX 32-bit epoch timestamp

Acquisition date
m E.g. "1142163845" which represents the date:
and time
March 12 2006, 11:44:05

System date
u E.g. "1142163845" which represents the date:
and time
March 12 2006, 11:44:05

String containing the password hash.

p Password hash If no password is set it should be simply the
character '0'.
Process String containing the process identifier (pid)

pid
identifier number
dc Unknown
extents contains:
ext Extents number of entries
entries that consist of: S <1> <2> <3>
The restrictions were tested with EnCase 7.02.01, older versions could have
Note
a restriction of 40 characters instead of 3000 characters.
3.4. Header section

The header section is identified in the section data type field as "header". Some aspects
of this section are:
It is defined in the EWF format [ASR02] .
Found in EWF-E01 in EnCase 1 to 7 or linen 5 to 7 or FTK Imager, EWF-L01 in

EnCase 5 to 7, and SMART (EWF-S01)
Found at the start of the first segment file or in EnCase 4 to 7 after the header2
section in the first segment file. Not found in other segment files.
The additional data this section contains is the following
Offset Number of bytes Description
76 (0x4c) (variable) Information about the acquired media.
The information about the acquired media consists of zlib compressed data (see
section: Compression). It contains text in ASCII format specifying information about the
acquired media. The text multiple lines separated by an end of line character(s).
In the next paragraphs the various variants of the header section are described. In all
cases the information consists of at least 4 lines:

3 Identifiers for the values in the 4th line
An additional 5th line is found in FTK Imager, EnCase 1 to 7 (EWF-E01).
5 (an empty line)
3.4.1. EWF format
Some aspects of this section are:
[ASR02] specifies the end of line character(s) is a newline (0x0a).
According to [ASR02] the 3rd and the 4th line consist of the following tab (0x09)
separated values:
Identifier number Character in 3rd line Value in 4th line
1 c Case number
2 n Evidence number
4 e Examiner name
5 t Notes
8 p Password hash

9 r Compression level
For more information see section: Header values
[ASR02] states that the Expert Witness Compression uses 'f', fastest compression.
The header section is defined only once.
It is the first section of the first segment file. It is not found in other segment files.
The header data itself is compressed using zlib.
The end of line character(s) is a carriage return (0x0d) followed by a newline (0x0a).
The 3rd and the 4th line consist of the following tab (0x09) separated values"
1 c Case number
2 n Evidence number
4 e Examiner name
5 t Notes
8 p Password hash

3.4.3. SMART (EWF-S01)
The header section is defined once.
It is the first section of the first segment file. It is not found in other segment files.
The header data is always processed by zlib, however the same compression level
is used as for the chunks. This could mean compression level 0 which is no
compression.
The SMART format uses the FTK Imager (EWF-E01) specification for this section. Note
that this could be something FTK Imager specific.
3.4.4. EnCase 2 and 3 (EWF-E01)
The same header section defined twice.
It is the first and second section of the first segment file. It is not found in other
segment files.
The 3rd and the 4th line consist of the following tab (0x09) separated values:
Value in 4th line
number 3rd line
1 c Case number
2 n Evidence number
4 e Examiner name
5 t Notes
6 av Version

Value in 4th line
number 3rd line
Platform
acquire the media
10 p Password hash
3.4.5. EnCase 4 to 7 (EWF-E01)
The header is defined only once.
It resides after the header2 sections of the first segment file. It is not found in other
segment files.
Value in 4th line
number 3rd line
1 c Case number
2 n Evidence number
4 e Examiner name

Value in 4th line
number 3rd line
5 t Notes
6 av Version
Platform
acquire the media
10 p Password hash
3.4.6. linen 5 to 7 (EWF-E01)
The same header section defined twice.
segment files.
The header information consist of 18 lines
The remainder of the string contains the following information:
3 Identifier for the values in the 4th line

5 (an empty line)
The name/type of the section provided

6 srce
8 Identifier for the values in the section
10
11 (an empty line)
The name/type of the section provided

12 sub
13
14 Identifier for the values in the section
15
16
17 (an empty line)
Main category
Note The actual values in this category are dependent on the version of linen.

Value in 4th line
number 3rd line
2 c Case number
3 n Evidence number
4 e Examiner name
5 t Notes
The model of the media, i.e. hard disk model

6 md
(Introduced in linen 6)
The serial number of media

7 sn
The device label

8 l
(Introduced in linen 6.19)
9 av Version
Platform
acquire the media
13 p Password hash
Process identifier
14 pid The identifier of the process memory acquired
(Introduced in linen 6.19 or earlier)

Value in 4th line
number 3rd line
Unknown
15 dc
Extents
16 ext The extents of the process memory acquired
As of linen 6.19 the acquire date and time is in UTC and the system date
Note
and time is in local time. Where as before both values were in local time.
Sources category
Line 6 the srce category contains information about acquisition sources
TODO describe what a source is in the context of EnCase.

Meaning
number line
1 p
2 n
Identifier
3 id
Evidence number
4 ev
Contains a string
Total bytes
5 tb
Contains an integer


Meaning
number line
Logical offset
6 lo Contains an integer which is -1 when value
is not set
Physical offset
7 po Contains an integer which is -1 when value
is not set
Unknown (MD5?)
8 ah
Contains a string
Unknown (SHA1?)
9 sh Contains a string
Device GUID
10 gu Contains a string with a GUID or "0" if not
set

11 aq
The default values of some of these values has changed around linen 6.19
Note
or earlier.
Subjects category
Line 12 the sub category contains information about subjects.


Meaning
number line
1 p
2 n
Identifier
3 id Contains an integer identifying the
subject
6 gu Unknown (GUID)
[NOTE] The default values of some of these values has changed around linen 6.19 or
earlier.
3.4.7. FTK Imager (EWF-E01)
In FTK Imager (EWF-E01) the same header section defined twice.
segment files.
The header data itself is compressed using zlib. Note that the compression level
can be none and therefore the header looks uncompressed.
In FTK Imager the end of line character(s) is a newline (0x0a).
Value in 4th line
number 3rd line
1 c Case number

Value in 4th line
number 3rd line
2 n Evidence number
4 e Examiner name
5 t Notes
Version
6 av The FTK Imager version used to acquire the
media
Platform
acquire the media
10 p Password hash
11 r char
The EnCase 4 to 7 (EWF-E01) header section specification is also used for the EnCase 5
to 7 (EWF-L01) format, with the following aspects:
In EnCase 5 both the acquired and system date and time are set to 0.
In EnCase 6 and 7 both the acquired and system date and time are set to Jan 1,
1970 00:00:00 (the time is dependent on the local timezone and daylight savings)
3.4.9. Header values

Free form string

Unique
a Note that EnCase might not respond when this
description
value is large e.g. >= 1 MiB
Free form string

c Case number
Evidence Free form string

n
number EnCase limits this string to 3000 - 1 characters
Free form string

e Examiner name
Free form string

t Notes
Free form string

md Model
Free form string

sn Serial Number
l Device label Free form string
Free form string

av Version
Free form string

ov Platform
EnCase limits this string to 24 -1 characters

In EnCase:
String containing a date and time value
E.g. 2002 3 4 10 19 59", which represents March 4,
2002 10:19:59.
Acquisition date
m
and time
In linen:
E.g. "1142163845" which represents the date:
March 12 2006, 11:44:05
In EnCase:
String containing a date and time value
E.g. 2002 3 4 10 19 59", which represents March 4,
2002 10:19:59.
Systemdate and
u
time
In linen:
E.g. "1142163845" which represents the date:
March 12 2006, 11:44:05
String containing the password hash.

p Password hash If no password is set it should be simply the
character '0'.
Process String containing the process identifier (pid)

pid
identifier number
dc Unknown
extents contains:
ext Extents number of entries
entries that consist of: S <1> <2> <3>
Single character that represent the compression

r Compression
level
The restrictions were tested with Encase 7.02.01, older versions could have
Note
a restriction of 40 characters instead of 3000 characters.

Character value Meaning b
Best compression is used f Fastest compression is used
Notes
There should not be a tab, carriage return and newline characters within the text in the
4th line. Or is there a method to escape these characters? [ASR02] states that these
characters should not be used in the free form text. Need to confirm this, the
specification only speaks of a newline character.
Currently the password has no a additional value than allow an application check it. The
data itself is not protected using the password. The password hashing algorithm is
unknown. Need to find out. And does the algorithm differ per EnCase version? probably
not. The algorithm does not differ in EnCase 1 to 7. FTK Imager does not bother with a
password.
3.5. Volume section

The volume section is identified in the section data type field as "volume". Some
aspects of this section are:
Defined in the EWF format [ASR02] .

Found after the header section of the first segment file. Not found in other
segment files.
In the next paragraphs the various versions of the volume section are described.
3.5.1. EWF specification
The specification according to [ASR02] .
The additional volume section data is 94 bytes of size and consists of:
Reserved according to [ASR02]

0 4 Contains 0x01
Reserved for what?

The chunk count

4 4 Contains the number of chunks within the all segment
files.
The number of sectors per chunk

8 4
Contains 64 per default.
The number of bytes per sectors

12 4
Contains 512 per default
The sectors count, the number of sectors within all

16 4
segment files
Reserved
20 20 0x00
Reserved for what?
40 45 0x00 Padding
Signature (Reserved)
85 5
Contains the EWF file header signature
Checksum
90 4 Adler-32 of all the previous data within the additional
volume section data.
The chunk count is a 32-bit value this means it maximum of addressable chunks would
be: 4294967295 (= 2^32 - 1). For a chunk size of 32768 x 4294967295 = about 127 TiB.
The maximum segment file amount is 2^16 - 1 = 65535. This allows for an equal
number of storage if a segment file is filled to its maximum number of chunks.
However libewf is restricted at 14295 segment files, due to the extension naming
schema of the segment files.
The SMART format uses the EWF specification for this section.
In SMART the signature (reverse) value is the string "SMART" (0x53 0x4d 0x41 0x52
0x54) instead of the file header signature.
3.5.3. FTK Imager, EnCase 1 to 7 and linen 5 to 7 (EWF-E01)

The specification for FTK Imager, EnCase 1 to 7 and linen 5 to 7.
The additional volume section data is 1052 bytes of size and consists of:
Media type
0 1
See section: Media type
1 3 0x00 Unknown (empty values)
The chunk count

files.
The number of sectors per chunk (or block size)

8 4
EnCase 5 is the first version which allows this value to
be different than 64.
12 4 The number of bytes per sector
The sectors count

Contains the number of sectors within all segment files
16 8
This value probably has been changed in EnCase 6 from
a 32-bit value to a 64-bit value to support media >2TiB
The number of cylinders of the C:H:S value

24 4
Most of the time this value is empty (0x00)
The number of heads of the C:H:S value

28 4
The number of sectors of the C:H:S value

32 4
Media flags
36 1
See section: Media flags

40 4 PALM volume start sector
44 4 0x00 Unknown (padding/empty values)
SMART logs start sector

Contains an offset relative from the end of media
48 4
E.g. a value of 10 would refer to sector = number of
sectors - 10
Compression level
52 1 (Introduced in EnCase 5)
See section: Compression level
Unknown (empty values)

53 3 0x00
these values seem to be part of the compression type
The sector error granularity

56 4 Contains the error block size
(Introduced in EnCase 5)
Segment file set identifier

Contains a GUID/UUID generated on the acquiry system
64 16 probably used to uniquely identify a set of segment
files
80 963 Unknown (padding/empty values)
1043 5
Contains 0x00
Checksum
TODO a value that could be in the volume is the raid stripe size

Note EnCase requires for media that contains no partition table that the is
physical media flag is not set and vice versa. Other tools like FTK check the
actual storage media data.
The EWF-L01 format uses the EnCase 5 (EWF-E01) volume section specification.
However:
the volume type contains 0x0e
the number of chunks is 0
The number of bytes per sectors is some kind of block size value (4096), perhaps
the source file system block size
The sectors count, represents some other value because ( sector_size x

sector_amount != total_size ) the total size is in the ltree section
3.5.5. Media type
Value Identifier Description
0x00 A removable storage media device
0x01 A fixed storage media device
0x03 An optical disc (CD/DVD/BD)
0x0e Logical Evidence File (LEF or L01)
0x10 Physical Memory (RAM)
FTK imager versions, before version 2.9, set the storage media to fixed
Note (0x01). The exact version of FTK imager where this behavior changed is
unknown.
3.5.6. Media flags

Is an image file
0x01 in FTK Imager, EnCase 1 to 7 this bit is always set, when not
set EnCase seems to see the image file as a device
Is physical device or device type

0x02 0 ⇒ a non physical device (logical)
1 ⇒ a physical device
0x04 Fastbloc write blocker used
Tableau write blocker used

0x08
This was added in EnCase 6.13
If both the the Fastbloc and Tableau write blocker media flags are set
Note
EnCase only shows the Fastbloc.
3.5.7. Compression level
0x00 no compression
0x01 good compression
0x02 best compression
3.6. Disk section

The disk section is identified in the section data type field as "disk". Some aspects of
this section are:
Not defined in the EWF format [ASR02] .
Not found in SMART (EWF-S01).
According to [COH] the disk section is the same as the volume section. This was
confirmed with a disk section in an FTK Imager 2.3 (EWF-E01) image.
Note The disk section was found only in FTK Imager 2.3 when acquiring a
physical disk not a floppy. This requires additional research. Is the disk

section some old method to differentiate between a partition (volume)

image or a physical disk image?
3.7. Data section

The data section is identified in the section data type field as "data". Some aspects of
this section are:
It is not defined in the EWF format [ASR02] .
Found in EWF-E01 in EnCase 1 to 7 or linen 5 to 7 or FTK Imager, and EWF-L01 in

EnCase 5 to 7. Not found in SMART (EWF-S01).
For multiple segment files it does not reside in the first segment file. For a single
segment file it does.
Found after the last table2 section in a single segment file or for multiple segment
files at the start of the segment files, except for the first.
The data section has data it should should contain the same information as the
volume section.
3.7.1. FTK Imager, EnCase 1 to 7 and linen 5 to 7 (EWF-E01)
The additional data section data is 1052 bytes of size and consists of:
Media type
0 1
See section: Media type
The chunk count

files.
The block size (number of sectors per chunk)

8 4
EnCase 5 is the first version which allows this value to
be different than 64.
12 4 The number of bytes per sector

The sectors count

Contains the number of sectors within all segment files
16 8
This value probably has been changed in EnCase 6 from
a 32-bit value to a 64-bit value to support media >2TiB
The number of cylinders of the C:H:S value

24 4
The number of heads of the C:H:S value

28 4
The number of sectors of the C:H:S value

32 4
Media flags
36 1
See section: Media flags
40 4 PALM volume start sector
44 4 0x00 Unknown (padding/empty values)
SMART logs start sector

Contains an offset relative from the end of media
48 4
E.g. a value of 10 would refer to sector = number of
sectors - 10
Compression level
52 1 (Introduced in EnCase 5)
See section: Compression level
Unknown (empty values)

53 3 0x00
These values seem to be part of the compression type
The sector error granularity

56 4 Contains the error block size

Segment file set identifier

Contains a GUID/UUID generated on the acquiry system
64 16 probably used to uniquely identify a set of segment
files
80 963 Unknown (padding/empty values)
1043 5
Contains 0x00
Checksum
data section data.
In Logicube products (Talon (firmware predating April 2013) and Forensic

Note dossier (before version 3.3.3RC16)) the checksum is not calculated and set
to 0.
The EWF-L01 format uses the EnCase 5 (EWF-E01) data section specification. However:
the data type contains 0x0e
the number of chunks is 0
The number of bytes per sectors is some kind of block size value (4096), perhaps
the source file system block size
The sectors count, represents some other value because ( sector_size x

sector_amount != total_size ) the total size is in the ltree section
3.8. Sectors section

The sectors section is identified in the section data type field as "sectors". Some aspects

Found in EWF-E01 in EnCase 2 to 7, or linen 5 to 7 or FTK Imager, EWF-L01 in

EnCase 5 to 7. Not found in EnCase 1 (EWF-E01) or SMART (EWF-S01).
The first sectors section can be found after the volume section in the first segment
file or at the after the data section in other segment files. Successive sector data
sections are found after the sector table2 section.
The sectors section contains the actual chunks of media data.
The sectors section can contain multiple chunks.
The default size of a chunk is 32768 bytes of data (64 standard sectors, with a size
of 512 bytes per sector). It is possible in EnCase 5 and 6 and linen 5 and 6 to
change the number of sectors per block to 64, 128, 256, 1024, 2048, 4096, 8192,
16384 or 32768. In EnCase 7 and linen 7 this has been reduced to 64, 128, 256,
1024.
3.8.1. Data chunk
The first chunk is often located directly after the section descriptor, although the format
does not require this.
When the data is compressed and the compressed data (with checksum) is larger than
the uncompressed data (without the checksum) the data chunk is stored
uncompressed. The default size of a chunk is 32768 bytes of data (64 standard sectors).
An uncompressed data chunk is variable of size and consists of:
0 … Uncompressed chunk data
Checksum
… 4
Adler-32 of the chunk data
The compressed data chunk consist of zlib compressed data. The checksum of the
compressed data chunk is part the zlib compressed data format. See section:
Compression.
3.8.2. Optical disc images
For a MODE‑1 CD-ROM optical disc image EnCase only seems to support 2048 bytes
per sector (the data).
The raw sector size of a MODE-1 CD-ROM is 2352 bytes of size and consists of:

0 16 Synchronization bytes
16 2048 Data
2054 4 Error detection
2058 8 Unknown (Empty values)
2066 276 Error correction
TODO add information about Mode-2 and Mode-XA
3.9. Table section

The table section is identified in the section data type field as "table". Some aspects of
this section are:

The offsets within the section descriptor are 8 bytes (64 bits) of size while
Note
the offsets in the table entry array are 4 bytes (32 bits) of size.
In the next paragraphs the various versions of the table section are described.
3.9.1. EWF specification
Some aspects of the table section according to the EWF specification are:
The first table section resides after the volume section in the first segment file or
after the file header in other segment files.
It can be found in every segment file.
The table section consists of:
the table header
an array of table entries
the data chunks

Table header
The table header is 24 bytes of size and consists of:
The number of entries

0 4
Note that according to [ASR02] it contains 0x01
4 16 0x00 Padding
Checksum
According to [ASR02] the table can hold 16375 entries if more entries are required an
additional table section should be created.
Table entry
The table entry is 4 bytes of size and consists of:
0 4 Chunk data offset
The most significant bit (MSB) in the chunk data offset indicates if the chunk is
compressed (1) or uncompressed (0).
A chunk data offset points to the start of the chunk of media data, which resides in the
same table section within the segment file. The offset contains a value relative to the
start of the file.
Data chunk
The first chunk is often located directly after the last table entry, although the format
does not require this.
A data chunk is always compressed even when no compression is required. This

approach provides a checksum for each chunk. The default size of a chunk is 32768
bytes of data (64 standard sectors). The resulting size of the "compressed" chunk can
therefore be larger than the default chunk size. This however was deducted from the
behavior of FTK Imager for EWF-S01.

Compression.
The table section in the SMART (EWF-S01) format is equivalent to that of the EWF
specification.
The table section resides after the volume section in the first segment file or after
the file header in other segment files.
the table header
the table footer
the data chunks
Table header
The table header is 24 bytes of size and consists of:
0 4 The number of entries
4 16 0x00 Padding
Checksum
The table can hold 16375 entries if more entries are required an additional table section
should be created.
Table entry

same table section within the segment file. The offset contains a value relative to the
start of the file.
Table footer
The table footer is 4 bytes of size and consists of:
Checksum
0 4
Adler-32 of the offset array
Data chunk
The first chunk is often located directly after the table footer, although the format does
not require this.
When the data is compressed and the compressed data (with checksum) is larger than
the uncompressed data (without the checksum) the data chunk is stored
uncompressed. The default size of a chunk is 32768 bytes of data (64 standard sectors).
An uncompressed data chunk is variable of size and consists of:
0 … Uncompressed chunk data
Checksum
… 4
Compression
3.9.4. FTK Imager and EnCase 2 to 5 and linen 5 (EWF-E01)

The table section resides after the sectors section.
The data chunks are no longer stored in this section but in the sectors section
instead.
The table2 section contains a mirror copy of the table section. In EWF-E01 it is
always present.
the table header
the table footer
Table header
The sector table header is 24 bytes of size and consists of:
4 16 0x00 Padding
Checksum
The table section can hold 16375 entries. A new table section should be created to hold
more entries. Both FTK Imager and EnCase 5 can handle more than 16375, FTK 1
cannot. To contain more than 16375 chunks new sectors, table and table2 sections need
to be created after the table2 section.
Table entry

preceding sectors section within the segment file. The offset contains a value relative to
the start of the file.
Table footer
Checksum
0 4
3.9.5. EnCase 6 to 7 and linen 6 to 7 (EWF-E01)
Every segment file contains its own table section.
It resides after the sectors section.
The data chunks are no longer stored in this section but in the sectors section
instead.
The table2 section contains a mirror copy of the table section. In EWF-E01 it is
always present.
the table header
the table footer
Table header
The sector table header is 24 bytes of size and consists of:
4 4 0x00 Padding

8 8 The table base offset
16 4 0x00 Padding
Checksum
As of EnCase 6 the number of entries is no longer restricted to 16375 entries. The new
limit seems to be 65534.
Table entry
preceding sectors section within the segment file. The offset contains a value relative to
the start of the file.
In EnCase 6.7.1 the sectors section can be larger than 2048Mb. The table entries offsets
are 31 bit values in EnCase6 the offset in a table entry value will actually use the full 32
bit if the 2048Mb has been exceeded. This behavior is no longer present in EnCase 6.8
so it is assumed to be a bug. Libewf currently assumes that the if the 31 bit value
overflows the following chunks are uncompressed. This allows EnCase 6.7.1 faulty EWF
files to be converted by libewf.
Table footer
Checksum
0 4

The EWF-L01 format uses the EnCase 6 to 7 (EWF-E01) table section specification.
3.10. Table2 section

The table2 section is identified in the section data type field as "table2". Some aspects
Found in EWF-E01 in EnCase 2 to 7, or linen 5 to 7 or FTK Imager, EWF-L01 in

EnCase 5 to 7. Not found in EnCase 1 (EWF-E01) or SMART (EWF-S01).
Uses the same format as the table section.
Resides directly after the table section.
3.10.1. FTK Imager and EnCase 2 to 7 and linen 5 to 7 (EWF-E01)
The table2 section contains a mirror copy of the table section. Probably intended for
recovery purposes.
3.10.2. EnCase 5 to 7 (EWF-L01)
The EWF-L01 format uses the EWF-E01 table2 section specification.
3.11. Next section

The next section is identified in the section data type field as "next". Some aspects of
this section are:

The last section within a segment other than the last segment file.
The offset to the next section in the section descriptor of the next section point to
itself (the start of the next section).
It should be the last section in a segment file, other than the last segment file.
3.11.1. SMART (EWF-S01)
It resides after the table or table2 section.
3.11.2. FTK Imager, EnCase and linen (EWF-E01)

It resides after the data section in a single segment file or for multiple segment files
after the table2 section.
In the EnCase (EWF-E01) format the size in the section descriptor is 0 instead of 76 (the
size of the section descriptor).
FTK imager versions before 2.9 sets the section size to 76. At the moment
Note
it is unknown in which version this behavior was changed.
3.12. Ltypes section

The ltypes section is identifier in the section data type field as "ltypes". Some aspects of
this section are:
Found in EWF-L01 in of EnCase 7
Found in the last segment file after table2 section before tree section.
The additional ltypes section data is 6 bytes of size and consists of:
0 2 Unknown
2 2 Unknown
4 2 Unknown
3.13. Ltree section

The ltree section is identifier in the section data type field as "ltree". Some aspects of
this section are:
Found in EWF-L01 in of EnCase 5 to 7
Found in the last segment file after ltypes section and before data section.
The ltree section consists of:
ltree header
ltree data
3.13.1. Ltree header
The ltree header is 6 bytes of size and consists of:

Integrity hash
0 16
Contains the MD5 of the ltree data
16 8 Data size
Checksum
24 4 Adler-32 of all the data within the ltree header where
the checksum value itself is zeroed out.
28 20 Unknown (empty values)
3.13.2. Ltree data
The ltree data string consists of an UTF-16 little-endian encoded string without the
UTF-16 endian byte order mark.
The ltree data string contains the following information:
Information about unknown

2 rec
See section: Records category
… (an empty line)
Information about file permissions

… perm
See section: Permissions category
… (an empty line)
Information about acquisition sources

… srce
… (an empty line)
Information about unknown

…22 sub

… (an empty line)
Information about file entries

… entry
See section: File entries category
… (an empty line)
3.13.3. Records category
The rec category contains information about records.
The 1st line of the category contains the string "rec".
The 2nd line of the category contains tab (0x09) separated type indicators.
Identifier Type
Description
number indicator
Total bytes
1 tb Contains an integer with size of the logical file data
(media data)
2 cl Unknown (Clusters?)
Unknown
3 n
Unknown
4 fp
Unknown
5 pg
Unknown
6 lg
Unknown
7 ig

The 3rd line of the category consist of the tab (0x09) separated values.
3.13.4. Permissions category
The perm category contains information about file permissions.
The 1st line of the category contains the string "perm".
The 2nd line consists of the following 2 values:
Value number Value Description
1 The number of permission groups in the category
2 1 Unknown
The 3rd line of the category contains tab (0x09) separated type indicators. For more
information see the sections below.
The remaining lines in the category consist of:
category root entry
zero or more permissions group entries
zero or more permission entries
Each entry consist of 2 lines:
Line
Value Description
number
1 Number of entries
Tab (0x09) separated values that correspond to the type

2
indicators.
The 1st line of the category root entry consists of the following 2 values:
1 0 Unknown
2 The number of permission groups in the category

The 1st line of the permission group entry consists of the following 2 values:
1 0 Unknown
2 The number of permissions in the group
The 1st line of the permission entry consists of the following 2 values:
1 0 Unknown
2 0 Unknown
Permission type indicators
Identifier Type
Description
number indicator
Is parent
1 p 1 ⇒ if the entry is a category root or permissions group
0 ⇒ if the entry is a permission
Name
2 n
Contains a string
Security identifier
Contains a string with either a Windows NT security
3 s
identifier (SID) or a POSIX user (uid) or group identifier
(gid) in the format " number:" such as " 99:"
Property type
4 pr
See section: Permission types
5 nta Access mask

Identifier Type
Description
number indicator
Unknown (Windows NT access control entry (ACE)

flags?)
Contains an integer with a Windows NT access control
6 nti
entry (ACE) flags
Seen 0x10, which presubly corresponds with
INHERITED_ACE?
Unknown (Permission?)
7 nts
(Removed in EnCase 6)
Permission types
(empty) Owner or category root
1 Group
2 Allow
6 Other
10 Unknown (permissions group?)
Access mask
Access mask seen in combination with property types 0, 1 and 6
0x00000001 [Lst Fldr/Rd Data] List folder / Read data
0x00000002 [Crt Fl/W Data] Create file / Write data

0x00000020 [Trav Fldr/X Fl] Traverse folder / Execute file
Access mask seen in combination with property type 2
[0x001200a9] [R&X] [R] [Sync]

[0x001301bf] [M] [R&X] [R] [W] [Sync]
[0x001f01ff] [FC] [M] [R&X] [R] [W] [Sync]
0x00000001
0x00000002
0x00000004
0x00000008
0x00000010
0x00000020
0x00000040
0x00000080
0x00000100
0x00010000
0x00020000
0x00040000
0x00080000

0x00100000
3.13.5. Sources category
The srce category contains information about acquisition sources of the file entries.
TODO describe what an acquisition source is in the context of EnCase.
The 1st line of the category contains the string "srce".
The 2nd line consists of 2 values.
Value index Value Description
1 The number of sources in the category
2 1 Unknown
category root
zero or more source entries
Line
Value Description
number
1 Number of entries

2
indicators.
1 0 Unknown

2 The number of sources in the category
The 1st line of the source entry consists of the following 2 values:
1 0 Unknown
2 0 Unknown
Source type indicators
Identifier Type
Description
number indicator
1 p
2 n
Identifier
3 id
Evidence number
4 ev
Contains a string
Domain
5 do Contains a string
Location
6 loc Contains a string
Serial number
7 se Contains a string

Identifier Type
Description
number indicator
Manufacturer
8 mfr Contains a string
Model
9 mo Contains a string
Total bytes
10 tb
Contains an integer
Logical offset
11 lo Contains an integer which is -1 when value is
not set
Physical offset
12 po Contains an integer which is -1 when value is
not set
MD5 hash
13 ah Contains a string with the MD5 hash of the
source
SHA1 hash
Contains a string with the SHA1 hash of the
14 sh
source
Device GUID
15 gu
Contains a string with a GUID or "0" if not set
Primary device GUID

16 pgu Contains a string with a GUID or "0" if not set

17 aq

Identifier Type
Description
number indicator
IP address
18 ip Contains a string
Unknown (Static IP address?)

19 si Contains 1 if static, empty otherwise
MAC address
20 ma Contains a string without separator characters
Drive type
21 dt Contains a character
The acquisition date and time is in the form of: "1142163845", which is a POSIX epoch
timestamp and represents the date: March 12 2006, 11:44:05.

If the "ma" value contains "000000000000" this means the MAC address is not set.
Drive type
Character value Meaning f
3.13.6. Subjects category
The sub category contains information about TODO
The 1st line of the category contains the string "sub".

1 The number of subjects in the category
2 1 Unknown
category root
zero or more subject entries
Line
Value Description
number
1 Number of entries

2
indicators.
1 0 Unknown
2 The number of subject in the category
The 1st line of the subject entry consists of the following 2 values:
1 0 Unknown
2 0 Unknown
Subject type indicators

Identifier number Type indicator Description
1 p
2 n
Identifier
3 id
Contains an integer identifying the subject
6 gu Unknown (GUID)
3.13.7. File entries category
The entry category contains information about the file entries.
The 1st line of the category contains the string "entry".
1 The number of file entries in the category or 1 if unknown
2 1 Unknown
category root
zero or more file entries
zero or more sub file entries

Line
Value Description
number
1 Number of entries

2
indicators.
1 0 if not set or 26 if Unknown
2 The number of file entries in the category
The 1st line of the file entry consists of the following 2 values:
Value
Value Description
number
Number of file entries in the parent file entry or 0 if not

1
set
2 The number of sub file entries in the file entry
EnCase 5 and 6 (EWF-L01) file entry type indicators
Character
Identifier
in 29th Meaning
number
line
Is parent
1 p 1 ⇒ if the entry is a directory
(empty) ⇒ if the entry is a file
2 n Name
Identifier
3 id
Contains an integer identifying the file entry

Character
Identifier
in 29th Meaning
number
line
Flags
4 opr
See section: File entry flags
Source identifier
5 src Contains an integer that corresponds to an identifier in
the Sources category
Subject identifier
6 sub Contains an integer that corresponds to an identifier in
the Subjects category
7 cid Unknown (record type)
8 jq Unknown
9 cr Creation date and time
Access date and time

10 ac
(precision is date only)
11 wr (File) modification (last written) date and time
12 mo (File system) entry modification date and time
13 dl Deletion date and time

14 aq
MD5 hash
15 ha
Contains a string with the MD5 hash of the file data
File size
16 ls The file size specified in bytes
If the file size is 0 the data size should be 1

Character
Identifier
in 29th Meaning
number
line
Duplicate data offset

17 du
Relative from the start of the media data
Logical offset
18 lo
Contains an integer which is -1 when value is not set
Physical offset
19 po
The segment file in which the start of the data is
stored, -1 for a single segment file ?
GUID
20 mid Contains a string with a GUID
Unknown
21 cfi
Binary extents
22 be
See section: Binary extents value
Permissions group index

Contains an integer that corresponds to an identifier in
23 pm
the Permissions category or -1 if not set
The value is 0 by default
Unknown
24 lpt
The creation, access and last written date and time are in the form of: "1142163845",
which is a POSIX epoch timestamp and represents the date: March 12 2006, 11:44:05.
The "ha" value (Hash) consist of a MD5 hash string when file entries are hashed. If the
"ha" value contains "00000000000000000000000000000000" this means the MD5 hash
is not set.
Ltree file entries

The ltree entries of files and directories consist of entries starting with: 0 followed by
the number of sub file entries.
The entries of files and directories:
1 (empty) The root directory
2 The target drive/mount point
3 The actual single file entries
EnCase 7 (EWF-L01) file entry type indicators
Character
Identifier
in 29th Meaning
number
line
GUID
1 mid
Contains a string with a GUID
File size
2 ls The file size specified in bytes
If the file size is 0 the data size should be 1
Binary extents
3 be
See section: Binary extents value
Identifier
4 id
Contains an integer identifying the file entry
5 cr Creation date and time
6 ac Access date and time
7 wr (File) modification (last written) date and time
8 mo (File system) entry modification date and time
9 dl Deletion date and time

Character
Identifier
in 29th Meaning
number
line
Unknown
10 sig
MD5 hash
11 ha
Contains a string with the MD5 hash of the file data
SHA1 hash
Judging by the size this value is assumed to be the SHA1
12 sha hash of the file data, does not seem to be currently set
by EnCase
Unknown
13 ent Seen: 'B'
(Introduced in EnCase 7.9)
Short (or DOS 8.3) name

14 snh See section: Short name
Is parent
15 p 1 ⇒ if the entry is a directory
(empty) ⇒ if the entry is a file
16 n Name
Duplicate data offset

17 du
Relative from the start of the media data
Logical offset
18 lo
Physical offset
19 po
The segment file in which the start of the data is
stored, -1 for a single segment file ?

Character
Identifier
in 29th Meaning
number
line
Permissions group index

Contains an integer that corresponds to an identifier in
20 pm
the Permissions category or -1 if not set
The value is 0 by default
Unknown (Original extents)

21 oes
Flags
22 opr
See section: File entry flags
Source identifier
23 src Contains an integer that corresponds to an identifier in
the Sources category
Subject identifier
24 sub Contains an integer that corresponds to an identifier in
the Subjects category
25 cid Unknown (record type)
26 jq Unknown
Unknown
27 alt
Unknown
28 ep

29 aq
30 cfi Unknown
Unknown
31 sg

Character
Identifier
in 29th Meaning
number
line
Extended attributes
32 ea See section: Extended attributes value
33 lpt Unknown

Short name
The short name ("snh") value contains 2 values:
Value
Value Description
number
The number of characters in the short name including the

1
end-of-string character
2 The short name string
For example: "13 FILE10~1.TXT"
Original extents
TODO: add some text
1 30a555b 30a6000 12011ae00 9008d7 3f 43 1 12011ae00 30a6000 120113 30a6 9008d7 1
Ltree file entries
The ltree entries of files and directories consist of entries starting with: 26 followed by
the number of sub file entries.
The entries of files and directories:

1 LogicalEntries The root directory
2 The target drive/mount point
3 The actual single file entries
File entry flags
0x00000008 Archive
0x00400000 Unknown (is file?)
0x01000000 Unknown
0x02000000 Unknown
Data is sparse
0x04000000
See remarks below.
If the sparse data flag is set:
the data size should be 1 and data should consist of a single byte value.
the data size should be equal to the file size and data should be the same.
If the duplicate data offset value is not set the single byte value in the data should be
used to reconstruct the file data. E.g. if the file size is 4096 and the data contains the
byte value 0x00 the resulting file should consists of 4096 x 0x00 byte values.
If the duplicate data offset value is set the single byte in the data is ignored and the
duplicate data offset refers to the location where the data stored.
Binary extents value
The binary extents value contains 3 values separated by a space:
Unknown Offset Size

Where:
unknown always is 1 (could this be the number of extents?)
extent data offset, relative from the start of the media data
extent data size
The offset and size are specified in hexadecimal values.
Note: Contains 1 value for the first single file entry.
Extended attributes value
The extended attributes value contains base-16 encoded data, which consists of:
Extended attributes header (stored as an extended attribute)
One or more extended attributes
Extended attributes header
The extended attributes header is 37 bytes of size and consists of:
0 4 0 Unknown (0 ⇒ root, 1 ⇒ otherwise)
Unknown (0 ⇒ is leaf node, 1 ⇒ is branch

4 1 1
node?)
Number of characters in name string including

5 4 11
the end-of-string character
Number of characters in value string including

9 4 1
the end-of-string character
Name string
13 22 "Attributes\0" Contains an UTF-16 little-endian encoded string
including end-of-string character
Value string
35 2 "\0" Contains an UTF-16 little-endian encoded string
Extended attribute
An extended attributes is variable of size and consists of:
0 4 Unknown (0 ⇒ root, 1 ⇒ otherwise)
4 1 Unknown (0 ⇒ is leaf node, 1 ⇒ is branch node?)
Number of characters in name string including the end-

5 4
of-string character
Number of characters in value string including the end-

9 4
of-string character
Name string
13 … Contains an UTF-16 little-endian encoded string
Value string
… … Contains an UTF-16 little-endian encoded string
TODO: complete section
Branch nodes are presuably used to group attributes, however these are
Note
not used consistently and are not shown by Encase 7.
3.14. Map section

Found in EWF-L01 in of EnCase 7 (First seen in EnCase 7.4.1.10)
Found in the last segment file after data section before done section.
The map consists of:
map string
map entries array
3.14.1. Map string

The map string consists of an UTF-16 little-endian encoded string without the UTF-16
endian byte order mark.
The map string contains the following information:
2 r Probably the type of information provided
3 c Identifier for the values in the 4th line
5 (an empty line)
Map string values
Identifier number Character in 29th line Meaning
1 C Number of map entries (count)
The number of map entries should match the number of file entries in the ltree.
3.14.2. Map entry
A map entry is 24 bytes of size and consists of:
0 4 Unknown
4 4 Unknown (empty values or part of previous value)
8 16 Unknown
3.15. Session section

The session section is identifier in the section data type field as "session". Some aspects

It is not found in SMART (EWF-S01) and FTK Imager (EWF-E01).
It is found in EnCase 5 and 6 (EWF-E01) files.
It is only added to the last segment file for images of optical disc (CD/DVD/BD)
media.
It is found after the data section and before the error2 section.
The session section data consists of:
The session header
The session entries array
The session footer
3.15.1. Session header
The session header is 36 byte of size and consists of:
0 4 Number of sessions
Checksum
session section data.
3.15.2. Session entry
A session entry is 32 byte of size and consists of:
0 4 Flags
4 4 Start sector
EnCase stores audio tracks as 0 byte data with a sector size of 2048.

Note For a CD the first session sector is stored as 16, although the actual session
starts at sector 0. Could this value be overloaded to indicate the size of the
reserved space between the start of the session and the ISO 9660 volume
descriptor.
3.15.3. Session flags
If set the track is an audio track otherwise the track is

0x00000001
a data track
3.15.4. Session footer
The session footer is 4 byte of size and consists of:
Checksum
0 4
Adler-32 of all the data within the session entries array
3.16. Error2 section

The error2 section is identifier in the section data type field as "error2". Some aspects of
this section are:
It is not found in SMART (EWF-S01).
It is found in, EnCase 3 to 7 and linen 5 to 7 (EWF-E01) files.
It is only added to the last segment file when errors were encountered while
reading the input.
TODO check FTK Imager, EnCase 1 and 2 for presence of the error2 section.
It contains the sectors that have read errors. The sector where a read error occurred are
filled with zero’s during acquiry by EnCase.
The error2 section data consists of:
The error2 header
The error2 entries array

The error2 footer
3.16.1. Error2 header
The error2 header is 520 byte of size and consists of:
0 4 Number of entries
Checksum
516 4 Adler-32 of all the previous data within the error2
header data.
3.16.2. Error2 entry
An error2 entry is 8 byte of size and consists of:
0 4 Start sector
4 4 The number of sectors
3.16.3. Error2 footer
The error2 footer is 4 byte of size and consists of:
Checksum
0 4
Adler-32 of all the data within the error2 entries array
3.17. Digest section

The digest section is identified in the section data type field as "digest". Some aspects
It is found in EnCase 6 to 7 files, as of EnCase 6.12 and linen 6.12 (EWF-E01).
The digest section contains a MD5 and/or SHA1 hash of the data within the chunks.

The additional digest section data is 80 byte of size and consists of:
0 16 MD5 hash of the media data
16 20 SHA1 hash of the media data
36 40 0x00 Padding
Checksum
digest section data.
3.18. Hash section

The hash section is identified in the section data type field as "hash". Some aspects of
this section are:
It is found in SMART (EWF-S01) and FTK Imager, EnCase 1 to 7 and linen 5 to 7

(EWF-E01) files.
It is not found in EnCase 5 (EWF-L01).
The hash section is optional, it does not need to be present. If it does it resides in
the last segment file before the done section.
The hash section contains a MD5 hash of the data within the chunks.
The additional digest section data is 36 byte of size and consists of:
0 16 MD5 hash of the media data
16 16 Unknown
Checksum
hash section data.
3.18.1. Notes
Observations regarding the unknown value:
is zero in SMART
is zero in EnCase 3 and below
in EnCase 4 the first 4 bytes are 0, the next 8 bytes seem random, the last 4 bytes
seem fixed
in EnCase 5 and 6 the first 8 bytes seem random, the last 8 bytes equal the file
header signature
in linen 5 the first and last set of 4 bytes seem the same, the second set of 4 bytes
seem to be random, the third set of 4 bytes seem to contain a piece of the file
header signature
in linen 6 the first and third set of 4 bytes seem random, the second and last set of
4 bytes seem to be the same
EnCase5 seems to contain a GUID of the acquired device?
Test with EnCase 4 show that:
The value does not equal the checksum of the media data
Does not differentiate for the same media acquired within the same program
session, using different formats, but differ for different media and different
program sessions
3.19. Done section

The done section is identified in the section data type field as "done". Some aspects of
this section are:
It is found in SMART (EWF-S01), FTK Imager, EnCase 1 to 7 and linen 5 to 7 (EWF-

E01) and EnCase 5 (EWF-L01) files.
The done section is the last section within the last segment file.
The offset to the next section in the section descriptor of the done section point to
itself (the start of the done section).
It should be the last section in the last segment file.
3.19.1. SMART (EWF-S01)
It resides after the table or table2 section.

3.19.2. FTK Imager, EnCase and linen (EWF-E01)
It resides after the data section in a single segment file or for multiple segment files
after the table2 section.
In the EnCase (EWF-E01) format the size in the section descriptor is 0 instead of 76 (the
size of the section descriptor).
FTK imager versions before 2.9 sets the section size to 76. At the moment
Note
it is unknown in which version this behavior was changed.
3.19.3. Incomplete section
The incomplete section is identified in the section data type field as "incomplete".
This section is seen rarely. It was seen in an EnCase 6.13 (EWF-E01) file as the last last
section within the last segment file. The incomplete section was preceded by a hash
and digest section, although later in the set of EWF files another hash and digest
section were defined.
It is currently assumed that the incomplete section indicates an incomplete image

created using remote imaging. The incomplete section contains data but currently there
is no indication what purpose the data has.
4. EWF-X
EWF-X (extended) is an experimental format to enhance the EWF format. EWF-X is
based on the EWF-E01 format. EWF-X does not limit the table entries to 16375. EWF-X
is not the same as version 2 of EWF.
TODO add note about the table entry limit.
4.1. Sections
Additional sections provided in the EWF-X format are:
xheader
xhash
4.1.1. Xheader
The xheader section contains a zlib compressed data (see section: 3 Compression)
containing XML data containing the header values.

<?xml version="1.0" encoding="UTF-8"?>

<xheader>
<case_number>1</case_number>
<description>Description</description>
<examiner_name>John D.</examiner_name>
<evidence_number>1.1</evidence_number>
<notes>Just a floppy in my system</notes>
<acquiry_operating_system>Linux</acquiry_operating_system>
<acquiry_date>Sat Jan 20 18:32:08 2007 CET</acquiry_date>
<acquiry_software>ewfacquire</acquiry_software>
<acquiry_software_version>20070120</acquiry_software_version>
</xheader>
4.1.2. Xhash
The xhash section contains a zlib compressed data (see section: Compression)
containing XML data containing the hash values.
<?xml version="1.0" encoding="UTF-8"?>

<xhash>
<md5>ae1ce8f5ac079d3ee93f97fe3792bda3</md5>
<sha1>31a58f090460b92220d724b28eeb2838a1df6184</sha1>
</xhash>
4.2. GUID
EWF-X uses a random based version of the GUID
5. Compression
5.1. Zlib compressed data

The compressed data is stored in the the zlib compressed data format (RFC1950). This
format uses big-endian.
The compressed data is variable of size and consists of:
0.0 4 bits Compression method
0.4 4 bits Compression information
1.0 5 bits Check bits

1.5 1 bit Preset dictionary flag
1.6 2 bits Compression level
If the preset dictionary flag is set
Preset dictionary identifier

2 4
Adler-32 used to identifier the preset dictionary
Common
… … Compressed chunk data
Checksum
… 4
The check bits value must be such that when the first 2 bytes are represented as a 16-
bit unsigned integer in big-endian byte order the value is a multiple of 31.
5.1.1. Compression method
8 Deflate (RFC1951)
15 Reserved
[RFC1950] only defines 8 as a valid compression method.
5.1.2. Compression information - compression method 8 (Deflate)
For compression method 8 (Deflate) the compression information contains the base-2
logarithm of the LZ77 window size minus 8.
To determine the corresponding window size:
1 << ( 7 + 8 )

E.g. A compression information value of 7 indicates a 32768 bytes window size. Values
larger than 7 are not allowed according to [RFC1950] and thus the maximum windows
size is 32768 bytes.
5.1.3. Compression level
0 Fastest
1 Fast
2 Default
3 Slowest, maximum compression
5.2. Deflate compression

The deflate compressed data consists of one or more deflate compressed blocks. Each
block consists of:
block header
block data
5.2.1. Deflate compressed block header
The deflate compressed block header is 3 bits in size and consists of:
Last block (in stream) marker:

0 1 bit 0 ⇒ not last block
1 ⇒ last block
0.1 2 bits Block type
5.2.2. Deflate compressed block types
0 uncompressed data

1 static Huffman compressed data
2 dynamic Huffman compressed data
3 reserved (not used)
5.2.3. Uncompressed block data
5
0.3 Empty values (not used)
bits
1 2 Uncompressed data size
Copy of uncompressed data size

3 2 Contains a 1s complement of the uncompressed data
size
5 … Uncompressed data
The uncompressed data size can range between 0 and 65535 bytes.
5.2.4. Huffman compressed block data
TODO add description
Compressed data blocks consists of 3 types of symbols:
literal byte values
end-of-block marker
(size, offset) tuples
These symbols are merged in a single "alphabet" where:
0x00 - 0xff literal byte values

0x100 end-of-block marker
0 additional bits
0x101 Size of 3
0x102 Size of 4
0x103 Size of 5
0x104 Size of 6
0x105 Size of 7
0x106 Size of 8
0x107 Size of 9
0x108 Size of 10
1 additional bit
0x109 Size of [11, 12]
0x10a Size of [13, 14]
0x10b Size of [15, 16]
0x10c Size of [17, 18]
2 additional bits
0x10d Size of [19, 22]
0x10e Size of [23, 26]
0x10f Size of [27, 30]

0x110 Size of [31, 34]
3 additional bits
0x111 Size of [35, 42]
0x112 Size of [43, 50]
0x113 Size of [51, 58]
0x114 Size of [59, 66]
4 additional bits
0x115 Size of [67, 82]
0x116 Size of [83, 98]
0x117 Size of [99, 114]
0x118 Size of [115, 130]
5 additional bits
0x119 Size of [131, 162]
0x11a Size of [163, 194]
0x11b Size of [195, 226]
0x11c Size of [227, 257]
0 additional bits
0x11d Size of 258

The additional bits are stored in big-endian (MSB first) and indicate the index into the
corresponding array of size values (or base size + additional size).
0 additional bits
0 Offset of 1
1 Offset of 2
2 Offset of 3
3 Offset of 4
1 additional bit
TODO merge with table
Extra Extra Extra

Code Bits Dist Code Bits Dist Code Bits Distance
---- ---- ---- ---- ---- ------ ---- ---- --------
4 1 5,6 14 6 129-192 24 11 4097-6144
5 1 7,8 15 6 193-256 25 11 6145-8192
6 2 9-12 16 7 257-384 26 12 8193-12288
7 2 13-16 17 7 385-512 27 12 12289-16384
8 3 17-24 18 8 513-768 28 13 16385-24576
9 3 25-32 19 8 769-1024 29 13 24577-32768
10 4 33-48 20 9 1025-1536
11 4 49-64 21 9 1537-2048
12 5 65-96 22 10 2049-3072
13 5 97-128 23 10 3073-4096
5.2.5. Dynamic Huffman compressed block data
0.3 Code size
Distance code
TODO merge with table

5 Bits: HLIT, # of Literal/Length codes - 257 (257 - 286)

5 Bits: HDIST, # of Distance codes - 1 (1 - 32)
4 Bits: HCLEN, # of Code Length codes - 4 (4 - 19)
(HCLEN + 4) x 3 bits: code lengths for the code length
alphabet given just above, in the order: 16, 17, 18,
0, 8, 7, 9, 6, 10, 5, 11, 4, 12, 3, 13, 2, 14, 1, 15
These code lengths are interpreted as 3-bit integers

(0-7); as above, a code length of 0 means the
corresponding symbol (literal/length or distance code
length) is not used.
HLIT + 257 code lengths for the literal/length alphabet,

encoded using the code length Huffman code
HDIST + 1 code lengths for the distance alphabet,

encoded using the code length Huffman code
The actual compressed data of the block,

encoded using the literal/length and distance Huffman
codes
The literal/length symbol 256 (end of data),

encoded using the literal/length Huffman code
The code length repeat codes can cross from HLIT + 257 to the
HDIST + 1 code lengths. In other words, all code lengths form
a single sequence of HLIT + HDIST + 258 values.
The code size is encoded in the following Huffman encoding:
0-
Represent code size of 0 - 15
15
Copy the previous code size 3 - 6 times.

The next 2 bits indicate repeat length (0 = 3, … , 3 = 6)
16
Example: Codes 8, 16 (+2 bits 11), 16 (+2 bits 10) will expand
to 12 code lengths of 8 (1 + 6 + 5)
17 Repeat a code length of 0 for 3 - 10 times. (3 bits of length)
Repeat a code length of 0 for 11 - 138 times (7 bits of

18
length)

A code size of 0 indicates that the corresponding symbol in the literal/length or

distance alphabet will not occur in the block, and should not participate in the Huffman
code.
5.2.6. Decompression
do
{
read block_header from input stream
if( block_header.type == UNCOMPRESSED )

{
align with next byte
read block_header.size and block_header.size_copy
read data of block_header.size
}
else
{
if( block_header.type == HUFFMANN_DYNAMIC )
{
read representation of code trees (see subsection below)
}
loop (until end of block code recognized)
{
decode literal/length value from input stream
if( value < 256 )
{
copy value (literal byte) to output stream
}
else
{
if value = end of block (256)
{
break from loop
}
else (value = 257..285)
{
decode distance from input stream
move backwards distance bytes in the output

stream, and copy length bytes from this
position to the output stream.
}
}
}
}
}
while( block_header.last_block_flag == 0 );

5.3. Adler-32 checksum

The checksum algorithm provided by [ASR02] , slightly altered for readability. The
algorithm used is Alder-32 and [ASR02] incorrectly refers to it as a CRC.
uint32_t Expert_Witness_Compression_CRC(
uint8_t *buffer,
size_t buffer_size,
uint32_t previous_key )
{
size_t buffer_iterator = 0;
uint32_t lower_word = previous_key & 0xffff;
uint32_t upper_word = ( previous_key >> 16 ) & 0xffff;
for( buffer_iterator = 0;
buffer_iterator < buffer_size;
buffer_iterator++ )
{
lower_word += buffer[ buffer_iterator ];
upper_word += lower_word;
if( ( buffer_iterator != 0 )
&& ( ( buffer_iterator % 0x15b0 == 0 )
|| ( buffer_iterator == buffer_size - 1 ) ) )
{
lower_word = lower_word % 0xfff1;
upper_word = upper_word % 0xfff1;
}
}
return( ( upper_word << 16 ) | lower_word );
}
Zlib provides the function adler32 which is an optimized version of the algorithm.
6. Corruption scenarios
This chapter contains several corruption scenarios that have been encountered "in the
wild".
6.1. Corrupt uncompressed chunk

6.2. Corrupt compressed chunk

6.3. Corrupt section descriptor

libewf_section_start_read: reading section start from file IO pool entry: 1 at of

libewf_section_start_read: type : table2
libewf_section_start_read: next offset : 415978027
libewf_section_start_read: size : 65604
libewf_section_start_read: checksum : 0xf35f03e0
libewf_section_table_header_read: number of offsets : 16375
libewf_section_table_header_read: base offset : 0x00000000
libewf_section_table_header_read: checksum : 0x180d0137
libewf_section_start_read: reading section start from file IO pool entry: 1 at of

libewf_section_start_read: type : sectors
libewf_section_start_read: next offset : 415978027
libewf_section_start_read: size : 0
libewf_section_start_read: checksum : 0x1ad00464
6.4. Corrupt table section

with and with out table 2
number of entries
entry data
6.5. Corrupted segment file header

6.6. Partial segment file

6.7. Missing segment file(s)

6.8. Dual image: section size versus offset

The sections descriptors define both the next section offset and the size of the section.
If an implementation reads only one of the two to determine the next section, a dual
EWF image can be crafted that consists of two separate images including hashes.
A current version of libewf will mark such an image as corrupted, but older versions
only checked the section size and will show one of the two valid images.

6.9. Table entries offset overflow

In EnCase 6.7.1 the sectors section can be larger than 2048 MiB. The table entries
offsets are 31 bit values in EnCase6 the offset in a table entry value will actually use the
full 32 bit if the 2048 MiB has been exceeded. This behavior is no longer present in
EnCase 6.8 so it is assumed to be a bug.
Libewf currently assumes that the if the 31 bit value overflows the following chunks are
uncompressed. This allows EnCase 6.7.1 faulty EWF files to be converted by libewf.
6.10. Multiple incomplete segment file set identifiers

Although rare it can occur that a set of EWF image files changes its segment file set
identifier. This was seen in an image created by EnCase 6.13, presumably using remote
imaging. The image contained 3 different segment file set identifiers. The first changes
after an incomplete section. The second one changed without any clear indication. The
corresponding data section also changed in some extent e.g. compression method and
media flags, the is physical flag being dropped. The change was consistent across
multiple segment files. It is unlikely that deliberate manipulation is involved. EnCase
considers the image as invalid.
Although with some tweaking of libewf the individual segment file sets could be read.
In this case the data read from the segment file sets was heavily corrupted. For now a
stock libewf does not support reading multiple segment files sets from a single image,
but this might change in the future.
7. AD encryption
As of version 2.8 FTK Imager supports "AD encryption". Although the output file uses
the EWF extensions the file actually is a AES-256 encrypted container. The EWF can be
encrypted using a pass-phrase or a certificate.
The AccessData encryption format is a single-file encryption method often used to

encrypt AccessData and EnCase forensic images. The input file (which can be anything)
is encrypted with AES using a user-supplied password or public key and a header is
prepended onto the resulting ciphertext to allow for decryption with the same
password or corresponding private key.
The container consists of a header followed by the encrypted data. The header is
padded out to the nearest 512-byte boundary (typically it is just 512 bytes); all header
values are in little-endian order.
7.1. AD crypt header
The AD crypt header is 512 bytes in size and consists of:

0 8 "ADCRYPT\x00" File signature
8 4 0x01000000 Version
12 4 Header size (or offset of encrypted data)
Number of passwords
16 2
Contains -1 if not set
Number of raw keys

18 2
Number of certificates
20 2
22 2 Reserved (must be 0x0000)
Encryption algorithm: 1=AES-128, 2=AES-

24 4
192, 3=AES-256
28 4 Hash algorithm: 1=SHA-256, 2=SHA-512
32 4 PBKDF2 iteration count (I)
36 4 Salt length (S)
40 4 Key length (K)
44 4 HMAC length (H)
48 S Encrypted salt (ESALT)
48 + S K Encrypted key (EKEY)
48 + S
H HMAC of encrypted key (HMAC)
+K

The header is then padded with null bytes to the following 512-byte boundary, after
which follows the encrypted file.
Although the encryption protocol has some configurable settings, most (if not all) files
will use the defaults: AES-256 for encryption, SHA-512 for hashing, 4000 iterations of
PBKDF2.
7.2. Encryption
All AES encryption steps use AES in CTR mode with an IV of all null bytes and a simple
incrementing little-endian counter starting at 0.
The encryption protocol is as follows:
Generate a random encryption key FKEY of length K
Encrypt the target file with the specified AES version and key FKEY
Generate a random salt SALT
Generate a new encryption key PKEY from the user password hashed with the
specified hash algorithm (or the empty string, if there is no user password): PKEY =
PBKDF2(hash(user_pw) || '', SALT, I, K)
Encrypt FKEY using the specified AES version and key PKEY to generate EKEY
If the user supplied a public key, use it to encrypt SALT and generate ESALT,
otherwise ESALT = SALT
Compute an HMAC of the encrypted key EKEY with PKEY using the specified hash
algorithm
The decryption procedure is thus:
If using a private key, decrypt the encrypted salt ESALT to get the original SALT (if
no key, SALT = ESALT)
Regenerate the encryption key PKEY from the user password hashed with the
specified hash algorithm (or the empty string, if there is no user password): PKEY =
PBKDF2(hash(user_pw) || '', SALT, I, K)
Optionally verify the HMAC of EKEY using PKEY and the specified hash algorithm,
comparing it with the header HMAC
Decrypt the encrypted key using AES with PKEY to get FKEY
Decrypt the file ciphertext using AES with FKEY
7.3. Notes
TODO add description metadata (volume, data, headers)
8. Notes
What about:
PALM volume
the SMART logs
8.1. Header
All test headers consist of the where spaces are actually tabs separated values
srce
0 1
p n id ev tb lo po ah gu aq
0 0
-1 -1
sub
0 1
p n id nu co gu
0 0
1
8.2. Ltree
When p = 0 n contains a numeric value (the number of child entries of the following
entry) When p = 1 n contains the name of the directory. When p = is empty n contains
the name of the file.
Appendix A: References
[ASR02]
Title: AD Image Encryption
Version: 1.2
Date: May 17, 2010
Author(s) Access Data

Title: https://support.accessdata.com/hc/en-
AD Image Encryption
URL:
us/article_attachments/201953867/AD1___Image_Encryption_Technical_W
[ASR02]
Title: ASR Expert Witness Compression Format specification
Author(s) Andrew Rosen
URL: http://www.asrdata.com/SMART/whitepaper.html
[COH]
Title: PyFlag libevf source code
Author(s) Michael Cohen
URL: http://www.pyflag.net/
[FWIKI]
Title: Forensic Wiki
http://www.forensicswiki.org/index.php/Forensic_file_formats
URL:
http://www.forensicswiki.org/index.php/EnCase
[RFC1950]
Title: ZLIB Compressed Data Format Specification
Version: 3.3
Author(s): P. Deutsch, J-L. Gailly
Date: May 1996
URL: http://www.ietf.org/rfc/rfc1950.txt
[RFC1951]

Title: DEFLATE Compressed Data Format Specification
Version: 1.3
Author(s): P. Deutsch
Date: May 1996
[RFC4122]
Title: A Universally Unique Identifier (UUID) URN Namespace
Author(s): P. Leach, M. Mealling, R. Salz
Date: July 2005
Appendix B: GNU Free Documentation License

Version 1.3, 3 November 2008 Copyright © 2000, 2001, 2002, 2007, 2008 Free Software
Foundation, Inc. http://fsf.org/
Everyone is permitted to copy and distribute verbatim copies of this license document,
but changing it is not allowed.
0. PREAMBLE
The purpose of this License is to make a manual, textbook, or other functional and
useful document "free" in the sense of freedom: to assure everyone the effective
freedom to copy and redistribute it, with or without modifying it, either commercially or
noncommercially. Secondarily, this License preserves for the author and publisher a way
to get credit for their work, while not being considered responsible for modifications
made by others.
This License is a kind of "copyleft", which means that derivative works of the document
must themselves be free in the same sense. It complements the GNU General Public
License, which is a copyleft license designed for free software.

We have designed this License in order to use it for manuals for free software, because
free software needs free documentation: a free program should come with manuals
providing the same freedoms that the software does. But this License is not limited to
software manuals; it can be used for any textual work, regardless of subject matter or
whether it is published as a printed book. We recommend this License principally for
works whose purpose is instruction or reference.
1. APPLICABILITY AND DEFINITIONS

This License applies to any manual or other work, in any medium, that contains a notice
placed by the copyright holder saying it can be distributed under the terms of this
License. Such a notice grants a world-wide, royalty-free license, unlimited in duration,
to use that work under the conditions stated herein. The "Document", below, refers to
any such manual or work. Any member of the public is a licensee, and is addressed as
"you". You accept the license if you copy, modify or distribute the work in a way
requiring permission under copyright law.
A "Modified Version" of the Document means any work containing the Document or a
portion of it, either copied verbatim, or with modifications and/or translated into
another language.
A "Secondary Section" is a named appendix or a front-matter section of the Document

that deals exclusively with the relationship of the publishers or authors of the
Document to the Document’s overall subject (or to related matters) and contains
nothing that could fall directly within that overall subject. (Thus, if the Document is in
part a textbook of mathematics, a Secondary Section may not explain any
mathematics.) The relationship could be a matter of historical connection with the
subject or with related matters, or of legal, commercial, philosophical, ethical or political
position regarding them.
The "Invariant Sections" are certain Secondary Sections whose titles are designated, as
being those of Invariant Sections, in the notice that says that the Document is released
under this License. If a section does not fit the above definition of Secondary then it is
not allowed to be designated as Invariant. The Document may contain zero Invariant
Sections. If the Document does not identify any Invariant Sections then there are none.
The "Cover Texts" are certain short passages of text that are listed, as Front-Cover Texts
or Back-Cover Texts, in the notice that says that the Document is released under this
License. A Front-Cover Text may be at most 5 words, and a Back-Cover Text may be at
most 25 words.

A "Transparent" copy of the Document means a machine-readable copy, represented in

a format whose specification is available to the general public, that is suitable for
revising the document straightforwardly with generic text editors or (for images
composed of pixels) generic paint programs or (for drawings) some widely available
drawing editor, and that is suitable for input to text formatters or for automatic
translation to a variety of formats suitable for input to text formatters. A copy made in
an otherwise Transparent file format whose markup, or absence of markup, has been
arranged to thwart or discourage subsequent modification by readers is not
Transparent. An image format is not Transparent if used for any substantial amount of
text. A copy that is not "Transparent" is called "Opaque".
Examples of suitable formats for Transparent copies include plain ASCII without markup,
Texinfo input format, LaTeX input format, SGML or XML using a publicly available DTD,
and standard-conforming simple HTML, PostScript or PDF designed for human
modification. Examples of transparent image formats include PNG, XCF and JPG.
Opaque formats include proprietary formats that can be read and edited only by
proprietary word processors, SGML or XML for which the DTD and/or processing tools
are not generally available, and the machine-generated HTML, PostScript or PDF
produced by some word processors for output purposes only.
The "Title Page" means, for a printed book, the title page itself, plus such following
pages as are needed to hold, legibly, the material this License requires to appear in the
title page. For works in formats which do not have any title page as such, "Title Page"
means the text near the most prominent appearance of the work’s title, preceding the
beginning of the body of the text.
The "publisher" means any person or entity that distributes copies of the Document to
the public.
A section "Entitled XYZ" means a named subunit of the Document whose title either is
precisely XYZ or contains XYZ in parentheses following text that translates XYZ in
another language. (Here XYZ stands for a specific section name mentioned below, such
as "Acknowledgements", "Dedications", "Endorsements", or "History".) To "Preserve the
Title" of such a section when you modify the Document means that it remains a section
"Entitled XYZ" according to this definition.
The Document may include Warranty Disclaimers next to the notice which states that
this License applies to the Document. These Warranty Disclaimers are considered to be
included by reference in this License, but only as regards disclaiming warranties: any
other implication that these Warranty Disclaimers may have is void and has no effect on
the meaning of this License.
2. VERBATIM COPYING

You may copy and distribute the Document in any medium, either commercially or
noncommercially, provided that this License, the copyright notices, and the license
notice saying this License applies to the Document are reproduced in all copies, and
that you add no other conditions whatsoever to those of this License. You may not use
technical measures to obstruct or control the reading or further copying of the copies
you make or distribute. However, you may accept compensation in exchange for copies.
If you distribute a large enough number of copies you must also follow the conditions
in section 3.
You may also lend copies, under the same conditions stated above, and you may
publicly display copies.
3. COPYING IN QUANTITY
If you publish printed copies (or copies in media that commonly have printed covers) of
the Document, numbering more than 100, and the Document’s license notice requires
Cover Texts, you must enclose the copies in covers that carry, clearly and legibly, all
these Cover Texts: Front-Cover Texts on the front cover, and Back-Cover Texts on the
back cover. Both covers must also clearly and legibly identify you as the publisher of
these copies. The front cover must present the full title with all words of the title equally
prominent and visible. You may add other material on the covers in addition. Copying
with changes limited to the covers, as long as they preserve the title of the Document
and satisfy these conditions, can be treated as verbatim copying in other respects.
If the required texts for either cover are too voluminous to fit legibly, you should put
the first ones listed (as many as fit reasonably) on the actual cover, and continue the
rest onto adjacent pages.
If you publish or distribute Opaque copies of the Document numbering more than 100,
you must either include a machine-readable Transparent copy along with each Opaque
copy, or state in or with each Opaque copy a computer-network location from which
the general network-using public has access to download using public-standard
network protocols a complete Transparent copy of the Document, free of added
material. If you use the latter option, you must take reasonably prudent steps, when
you begin distribution of Opaque copies in quantity, to ensure that this Transparent
copy will remain thus accessible at the stated location until at least one year after the
last time you distribute an Opaque copy (directly or through your agents or retailers) of
that edition to the public.
It is requested, but not required, that you contact the authors of the Document well
before redistributing any large number of copies, to give them a chance to provide you
with an updated version of the Document.
4. MODIFICATIONS

You may copy and distribute a Modified Version of the Document under the conditions
of sections 2 and 3 above, provided that you release the Modified Version under
precisely this License, with the Modified Version filling the role of the Document, thus
licensing distribution and modification of the Modified Version to whoever possesses a
copy of it. In addition, you must do these things in the Modified Version:
1. Use in the Title Page (and on the covers, if any) a title distinct from that of the
Document, and from those of previous versions (which should, if there were any,
be listed in the History section of the Document). You may use the same title as a
previous version if the original publisher of that version gives permission.
2. List on the Title Page, as authors, one or more persons or entities responsible for
authorship of the modifications in the Modified Version, together with at least five
of the principal authors of the Document (all of its principal authors, if it has fewer
than five), unless they release you from this requirement.
3. State on the Title page the name of the publisher of the Modified Version, as the
publisher.
4. Preserve all the copyright notices of the Document.
5. Add an appropriate copyright notice for your modifications adjacent to the other
copyright notices.
6. Include, immediately after the copyright notices, a license notice giving the public
permission to use the Modified Version under the terms of this License, in the form
shown in the Addendum below.
7. Preserve in that license notice the full lists of Invariant Sections and required Cover
Texts given in the Document’s license notice.
8. Include an unaltered copy of this License.
9. Preserve the section Entitled "History", Preserve its Title, and add to it an item
stating at least the title, year, new authors, and publisher of the Modified Version
as given on the Title Page. If there is no section Entitled "History" in the Document,
create one stating the title, year, authors, and publisher of the Document as given
on its Title Page, then add an item describing the Modified Version as stated in the
previous sentence.
10. Preserve the network location, if any, given in the Document for public access to a
Transparent copy of the Document, and likewise the network locations given in the
Document for previous versions it was based on. These may be placed in the
"History" section. You may omit a network location for a work that was published
at least four years before the Document itself, or if the original publisher of the
version it refers to gives permission.

11. For any section Entitled "Acknowledgements" or "Dedications", Preserve the Title
of the section, and preserve in the section all the substance and tone of each of the
contributor acknowledgements and/or dedications given therein.
12. Preserve all the Invariant Sections of the Document, unaltered in their text and in
their titles. Section numbers or the equivalent are not considered part of the
section titles.
13. Delete any section Entitled "Endorsements". Such a section may not be included in
the Modified Version.
14. Do not retitle any existing section to be Entitled "Endorsements" or to conflict in

title with any Invariant Section.
15. Preserve any Warranty Disclaimers.
If the Modified Version includes new front-matter sections or appendices that qualify as
Secondary Sections and contain no material copied from the Document, you may at
your option designate some or all of these sections as invariant. To do this, add their
titles to the list of Invariant Sections in the Modified Version’s license notice. These titles
must be distinct from any other section titles.
You may add a section Entitled "Endorsements", provided it contains nothing but
endorsements of your Modified Version by various parties—for example, statements of
peer review or that the text has been approved by an organization as the authoritative
definition of a standard.
You may add a passage of up to five words as a Front-Cover Text, and a passage of up
to 25 words as a Back-Cover Text, to the end of the list of Cover Texts in the Modified
Version. Only one passage of Front-Cover Text and one of Back-Cover Text may be
added by (or through arrangements made by) any one entity. If the Document already
includes a cover text for the same cover, previously added by you or by arrangement
made by the same entity you are acting on behalf of, you may not add another; but you
may replace the old one, on explicit permission from the previous publisher that added
the old one.
The author(s) and publisher(s) of the Document do not by this License give permission
to use their names for publicity for or to assert or imply endorsement of any Modified
Version.
5. COMBINING DOCUMENTS

You may combine the Document with other documents released under this License,
under the terms defined in section 4 above for modified versions, provided that you
include in the combination all of the Invariant Sections of all of the original documents,
unmodified, and list them all as Invariant Sections of your combined work in its license
notice, and that you preserve all their Warranty Disclaimers.
The combined work need only contain one copy of this License, and multiple identical
Invariant Sections may be replaced with a single copy. If there are multiple Invariant
Sections with the same name but different contents, make the title of each such section
unique by adding at the end of it, in parentheses, the name of the original author or
publisher of that section if known, or else a unique number. Make the same adjustment
to the section titles in the list of Invariant Sections in the license notice of the combined
work.
In the combination, you must combine any sections Entitled "History" in the various
original documents, forming one section Entitled "History"; likewise combine any
sections Entitled "Acknowledgements", and any sections Entitled "Dedications". You
must delete all sections Entitled "Endorsements".
6. COLLECTIONS OF DOCUMENTS
You may make a collection consisting of the Document and other documents released
under this License, and replace the individual copies of this License in the various
documents with a single copy that is included in the collection, provided that you
follow the rules of this License for verbatim copying of each of the documents in all
other respects.
You may extract a single document from such a collection, and distribute it individually
under this License, provided you insert a copy of this License into the extracted
document, and follow this License in all other respects regarding verbatim copying of
that document.
7. AGGREGATION WITH INDEPENDENT WORKS

A compilation of the Document or its derivatives with other separate and independent
documents or works, in or on a volume of a storage or distribution medium, is called an
"aggregate" if the copyright resulting from the compilation is not used to limit the legal
rights of the compilation’s users beyond what the individual works permit. When the
Document is included in an aggregate, this License does not apply to the other works in
the aggregate which are not themselves derivative works of the Document.

If the Cover Text requirement of section 3 is applicable to these copies of the

Document, then if the Document is less than one half of the entire aggregate, the
Document’s Cover Texts may be placed on covers that bracket the Document within the
aggregate, or the electronic equivalent of covers if the Document is in electronic form.
Otherwise they must appear on printed covers that bracket the whole aggregate.
8. TRANSLATION
Translation is considered a kind of modification, so you may distribute translations of
the Document under the terms of section 4. Replacing Invariant Sections with
translations requires special permission from their copyright holders, but you may
include translations of some or all Invariant Sections in addition to the original versions
of these Invariant Sections. You may include a translation of this License, and all the
license notices in the Document, and any Warranty Disclaimers, provided that you also
include the original English version of this License and the original versions of those
notices and disclaimers. In case of a disagreement between the translation and the
original version of this License or a notice or disclaimer, the original version will prevail.
If a section in the Document is Entitled "Acknowledgements", "Dedications", or

"History", the requirement (section 4) to Preserve its Title (section 1) will typically
require changing the actual title.
9. TERMINATION
You may not copy, modify, sublicense, or distribute the Document except as expressly
provided under this License. Any attempt otherwise to copy, modify, sublicense, or
distribute it is void, and will automatically terminate your rights under this License.
However, if you cease all violation of this License, then your license from a particular
copyright holder is reinstated (a) provisionally, unless and until the copyright holder
explicitly and finally terminates your license, and (b) permanently, if the copyright
holder fails to notify you of the violation by some reasonable means prior to 60 days
after the cessation.
Moreover, your license from a particular copyright holder is reinstated permanently if

the copyright holder notifies you of the violation by some reasonable means, this is the
first time you have received notice of violation of this License (for any work) from that
copyright holder, and you cure the violation prior to 30 days after your receipt of the
notice.
Termination of your rights under this section does not terminate the licenses of parties
who have received copies or rights from you under this License. If your rights have
been terminated and not permanently reinstated, receipt of a copy of some or all of the
same material does not give you any rights to use it.

10. FUTURE REVISIONS OF THIS LICENSE

The Free Software Foundation may publish new, revised versions of the GNU Free
Documentation License from time to time. Such new versions will be similar in spirit to
the present version, but may differ in detail to address new problems or concerns. See
http://www.gnu.org/copyleft/.
Each version of the License is given a distinguishing version number. If the Document
specifies that a particular numbered version of this License "or any later version" applies
to it, you have the option of following the terms and conditions either of that specified
version or of any later version that has been published (not as a draft) by the Free
Software Foundation. If the Document does not specify a version number of this
License, you may choose any version ever published (not as a draft) by the Free
Software Foundation. If the Document specifies that a proxy can decide which future
versions of this License can be used, that proxy’s public statement of acceptance of a
version permanently authorizes you to choose that version for the Document.
11. RELICENSING
"Massive Multiauthor Collaboration Site" (or "MMC Site") means any World Wide Web
server that publishes copyrightable works and also provides prominent facilities for
anybody to edit those works. A public wiki that anybody can edit is an example of such
a server. A "Massive Multiauthor Collaboration" (or "MMC") contained in the site means
any set of copyrightable works thus published on the MMC site.
"CC-BY-SA" means the Creative Commons Attribution-Share Alike 3.0 license published
by Creative Commons Corporation, a not-for-profit corporation with a principal place
of business in San Francisco, California, as well as future copyleft versions of that license
published by that same organization.
"Incorporate" means to publish or republish a Document, in whole or in part, as part of

another Document.
An MMC is "eligible for relicensing" if it is licensed under this License, and if all works
that were first published under this License somewhere other than this MMC, and
subsequently incorporated in whole or in part into the MMC, (1) had no cover texts or
invariant sections, and (2) were thus incorporated prior to November 1, 2008.
The operator of an MMC Site may republish an MMC contained in the site under CC-
BY-SA on the same site at any time before August 1, 2009, provided the MMC is eligible
for relicensing.

Libewf - Expert Witness Compression Format (EWF) .Asciidoc at Master Libyal - Libewf GitHub

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Libewf - Expert Witness Compression Format (EWF) .Asciidoc at Master Libyal - Libewf GitHub

Uploaded by

Copyright:

Available Formats

28/8/2020 libewf/Expert Witness Compression Format (EWF).

asciidoc at master · libyal/libewf · GitHub

Code Issues 22 Pull requests 5 Actions Projects Wiki Security Insights

libewf / documentation / Expert Witness Compression Format (EWF).asciidoc

3888 lines (3064 sloc) 138 KB

https://github.com/libyal/libewf/blob/master/documentation/Expert Witness Compression Format %28EWF%29.asciidoc 1/111

Author(s): Joachim Metz <joachim.metz@gmail.com>

Abstract: This document contains the EWF file format specification.

Expert Witness Compression Format, EWF, EnCase file format,

Copyright (C) 2006-2019, Joachim Metz <joachim.metz@gmail.com>.

Version Author Date Comments

https://github.com/libyal/libewf/blob/master/documentation/Expert Witness Compression Format %28EWF%29.asciidoc 2/111

Version Author Date Comments

J.B. Additional information, regarding data

J.B. Additional information, regarding data

J.B. Additional information, regarding data,

J.B. Additional information, regarding data

Additional information, regarding chunk

J.B. Correction regarding EnCase 3 and

Small changes regarding unknown in

https://github.com/libyal/libewf/blob/master/documentation/Expert Witness Compression Format %28EWF%29.asciidoc 3/111

Version Author Date Comments

J.B. Small adjustments regarding header

J.B. Adjustments in error2 section

J.B. Adjustments in hash section

J.B. Fixed error in EnCase 4 header2 layout

Added information regarding SMART

J.B. Added information regarding SMART

J.B. Added information about segment file

J.B. Added information about EWF-L01 (LVF)

J.B. Added information from EWF-L01

J.B. Changes after comments by Guy

J.B. Corrected error regarding EnCase 1 and

https://github.com/libyal/libewf/blob/master/documentation/Expert Witness Compression Format %28EWF%29.asciidoc 4/111

Version Author Date Comments

Additional information about section

J.B. Additional information about CRC

Fixed error regarding the location of the

J.B. Additional information about the EnCase

J.B. Corrected error regarding header

Added new information regarding the

Corrected misinterpretation of original

https://github.com/libyal/libewf/blob/master/documentation/Expert Witness Compression Format %28EWF%29.asciidoc 5/111

Version Author Date Comments

Added information about

J.B. Added information about EnCase 6.7

Added information about EnCase 6.7

J.B. Added information about EnCase 6.7

J.B. Added information about session

J.B. Added information about session

J.B. Added information about EnCase 6

J.B. Added information about EnCase 6.11

https://github.com/libyal/libewf/blob/master/documentation/Expert Witness Compression Format %28EWF%29.asciidoc 6/111

Version Author Date Comments

J.B. Added information about EnCase 6.12

J.B. Added information about EnCase

J.B. Added information about EnCase 6.13

J.B. Corrected amount of into number of.

Additional session section information

Minor changes and improvements with

https://github.com/libyal/libewf/blob/master/documentation/Expert Witness Compression Format %28EWF%29.asciidoc 7/111

Version Author Date Comments

License version update