The EnCase Evidence File Format

The EnCase evidence file can also be referred to as a forensic image file. The concept of an image file is where the entire drive contents of a target media is copied to a file and checksum values are calculated to verify the integrity (useful in court cases) of the image file (often referred to as a “hash value”). Forensic images are acquired with the use of software tools such as the UNIX “dd’ and FTK Imager as well as hardware were cloning devices such as the Solo Masster and Logicube’s MD5 have added forensic functionality.

One major difference between the above mentioned techniques to acquire image files and the EnCase image files is the “bag-and-tag” concept. The UNIX “dd” and many of the hardware cloning devices only provide the bit-for-bit information during acquisition. EnCase on the other hand provides the bit-for-bit data as well as additional data such as case information; data block integrity and file integrity to name a few. These functions are built into the EnCase imaging process for interoperability and ease of use. If the same function were to be implemented using the UNIX “dd” or the hardware options, this process would require many different tools and multiple steps to obtain the same results.

My next posting will be on the “EnCase Evidence File Components and Functions”.