EnCase evidence fil...
 
Notifications
Clear all

EnCase evidence file format

5 Posts
5 Users
0 Likes
707 Views
(@sdhar)
Posts: 1
New Member
Topic starter
 

Does anyone know the file format of the EnCase evidence files?

I have an EnCase image that is corrupt, i need to pull off just the image within the evidence file. Is there a software that repairs corrupt EnCase evidence files?

Thanks.
Sub

 
Posted : 12/09/2005 4:51 pm
keydet89
(@keydet89)
Posts: 3568
Famed Member
 

Sub,

Have you tried the EnCase list(s)/forum(s) at Guidance Software? My understanding is that they have some pretty good info over there…you just need to be a registered user.

H. Carvey
"Windows Forensics and Incident Recovery"
http//www.windows-ir.com
http//windowsir.blogspot.com

 
Posted : 13/09/2005 6:04 am
(@gmarshall139)
Posts: 378
Reputable Member
 

There was some talk about this as a feature request on the Guidance forum. To my knowledge nothing has been added to date. I'm not sure what is corrupt, but it would seem that if the corruption were in the data portion of the evidence file you would be able to open the image, it would just not verify. Have you looked at the image with a hex editor? Perhaps the problem is in the header and you can fix it by cutting & pasting one from a good evidence file.

 
Posted : 13/09/2005 6:55 am
Wardy
(@wardy)
Posts: 149
Estimable Member
 

Hi,
I believe SMART for linux may be able to access corrupt encase files. Providing its not the first few sectors of the EO1 file, you should be able to access everything apart from the corrupt data. Hope this helps.

 
Posted : 14/10/2005 2:50 pm
(@zyborski)
Posts: 12
Active Member
 

This may be of some help to you…….

http//www.asrdata.com/SMART/whitepaper.html

This paper documents the 'Expert Witness" file format, which became the Encase file format.

Regards

Zyborski

 
Posted : 15/10/2005 7:18 pm
Share: