
BTY: [linux_forensics] EWF and Ex01

  • Harvey Rothenberg
    Message 1 of 13, Apr 27 6:32 AM
      Back To You:
      Jon,

      If you check, you will find that this is the same link as the previous one below in my message, and I presented Daniel's comment, " I downloaded it and had a look; it’s only 11 pages long and seems a little sparse considering its purpose."

      So it has not been reviewed by a developer, like Brian Carrier, yet and commented upon within this group discussion. So, I would still accept Daniel's comment, at this time.

      So, I am, at this time, still waiting and watching the net for any developer's independent review and commenting.

      I still thank you for bringing this to our attention.

      Regards,
      Harvey Rothenberg
      Systems Integrator

      "Experience is a hard teacher because she gives the test first, the lesson afterwards." -- Unknown

      --- On Fri, 4/27/12, Echo6 <echo6_uk@...> wrote:

      From: Echo6 <echo6_uk@...>
      Subject: Re: [linux_forensics] EWF and Ex01
      To: "linux_forensics@yahoogroups.com" <linux_forensics@yahoogroups.com>, "forensic28sa@..." <forensic28sa@...>
      Date: Friday, April 27, 2012, 5:51 AM

      They (GSI) have made a white paper available on the new format for download from their web site and support portal:

      http://www.guidancesoftware.com/DocumentRegistration.aspx?did=1000018246

      EnCase® Evidence File Format Version 2 - Technical Specification

      Jon.

      ________________________________

      From: Daniel Walton <d.walton@...>
      To: "forensic28sa@..." <forensic28sa@...>
      Cc: "linux_forensics@yahoogroups.com" <linux_forensics@yahoogroups.com>
      Sent: Thursday, April 26, 2012 11:34 PM
      Subject: Re: [linux_forensics] EWF and Ex01

      Great news. Look forward to seeing it implemented.

      Sent from Samsung Mobile

      -------- Original message --------
      Subject: BTY: [linux_forensics] EWF and Ex01
      From: Harvey Rothenberg <forensic28sa@...>
      To: Daniel Walton <d.walton@...>
      CC: "linux_forensics@yahoogroups.com" <linux_forensics@yahoogroups.com>

      Back to You:
      Daniel,



      --- On Wed, 4/25/12, Daniel Walton <d.walton@...> wrote:

      From: Daniel Walton <d.walton@...>
      Subject: RE: [linux_forensics] EWF and Ex01
      To: "Harvey Rothenberg" <forensic28sa@...>
      Date: Wednesday, April 25, 2012, 8:06 PM

      Hi Harvey

      Can your friend provide sources for his claim that the Ex01 format is open sourced?

      My friend replied with, " I have been told repeatedly by Guidance Software employees that the new standard is being released openly so anyone can implement it. "

      If that’s the case then we the community can collaborate on the future growth of this format, although I would be surprised, I haven’t found anything saying anything like that.

      Sadly the link you gave me is the same link that JBMetz comments on in the sourceforge forum post I forwarded.

      If you click on the link below and go have a look you will see it’s the same link which JBMetz is asked about.

      I downloaded it and had a look; it’s only 11 pages long and seems a little sparse considering its purpose. It would be a positive sign for Guidance if they have released the full specification allowing others to re-implement the format in their software.

      My friend is also a programmer and he feels, " It appears to be all the details needed, it’s just not very clearly written. But a strong C++ programmer could likely make sense of it. Unless there is more documentation coming….

      I would inject that maybe the author of this document assumed a certain level of capabilities and wrote for that audience. Usually if you want a community to support an effort, you write for more of a beginner's audience for your work to surely be understood.

      Regards,

      Harvey Rothenberg

      http://sourceforge.net/tracker/index.php?func=detail&aid=3509854&group_id=167783&atid=844315

      <quote>
      Date: 2012-03-21 13:16:11 PDT
      Sender: jbmetz (http://sourceforge.net/users/jbmetz/)

      Ex01/Lx01 is actually a completely different format, at the lower level.
      Guidance has released part of the format specification.

      For now I lack the time to do anything serious on Ex01.
      Will be hard to implement if Guidance has only released part of the format, this is not an encouraging sign. It may be a Microsoft/Apple like move to use proprietary formats to force others to license their new format as an additional revenue stream.
      </quote>



      From: Harvey Rothenberg [mailto:forensic28sa@...]
      Sent: Thursday, 26 April 2012 5:09 AM
      To: linux_forensics@yahoogroups.com
      Cc: Daniel Walton; simsong@...; carrier@...; cmurphy@...
      Subject: BTY: [linux_forensics] EWF and Ex01

      Back To You:

      Mr. Daniel Walton,

      I agree with your last statement wholeheartedly, but Guidance is very much into the software business, now. ( ... better idea to encourage Guidance to support the open AFFLIB evidence format. Access Data ... already support it. )

      In an effort to keep the members of the group fully informed and reporting as the information is learned, I present the following:

      The developer of libewf, "jbmetz", stated below that "... Guidance has only released part of the format ...". I would like to bring to the attention of jbmetz and yourself that a friend investigator has brought to my attention that this seems to be not quite correct. He believes that this documentation is FULLY available AND open sourced. I present the following to this Group and the public, this link to the download link:

      EnCase Evidence File Format Version 2

      This document outlines the technical details of the updated EnCase® evidence file format version 2 (Ex01) so that developers can customize their applications to integrate with the new format. It describes the details, data structures, and algorithms behind Ex01.

      http://www.guidancesoftware.com/DocumentRegistration.aspx?did=1000018246&instant=1

      I cannot speak to the accuracy of these statements but only report them to you. I also have not registered to download and evaluate whether this documentation is truly a full disclosure or not. I hope someone else more qualified to make this call could comment on this subject. So I present this follow-up information back to the group for further comment and investigation.

      I can only say that if my first posting is correct, this would be very upsetting to the whole field and disruptive, too.

      Regards,
      Harvey Rothenberg
      Systems Integrator/Security Specialist



      --- On Wed, 4/18/12, Daniel Walton <d.walton@...> wrote:

      From: Daniel Walton <d.walton@...>
      Subject: RE: [linux_forensics] EWF and Ex01
      To: "linux_forensics@yahoogroups.com" <linux_forensics@yahoogroups.com>
      Date: Wednesday, April 18, 2012, 8:21 PM

      Doesn't look like it.
      The below is a quote from jbmetz, the developer of the libewf toolkit.

      http://sourceforge.net/tracker/index.php?func=detail&aid=3509854&group_id=167783&atid=844315

      Date: 2012-03-21 13:16:11 PDT
      Sender: jbmetz (http://sourceforge.net/users/jbmetz/)

      Ex01/Lx01 is actually a completely different format, at the lower level.
      Guidance has released part of the format specification.

      For now I lack the time to do anything serious on Ex01.
      Will be hard to implement if Guidance has only released part of the format, this is not an encouraging sign. It may be a Microsoft/Apple like move to use proprietary formats to force others to license their new format as an additional revenue stream.

      It's probably a better idea to encourage Guidance to support the open AFFLIB evidence format. Access Data's Forensic Tool Kit and FTK Imager already support it. It would be a lot nicer for us if the commercial forensic software companies supported open formats as well as opening their proprietary formats.



      From: linux_forensics@yahoogroups.com [mailto:linux_forensics@yahoogroups.com] On Behalf Of Ketil Froyn
      Sent: Wednesday, 18 April 2012 12:16 AM
      To: linux_forensics@yahoogroups.com
      Subject: [linux_forensics] EWF and Ex01

      Anyone know if there is work being done to implement support for EnCase v7's new Ex01 file format in libewf or other open source libraries? Otherwise I guess all the open source tools will be less useful as Ex01 file format adoption increases.

      Cheers, Ketil



    • Harvey Rothenberg
      Message 2 of 13, Apr 30 1:53 PM
        Back To You - All :

        A Mr. Ken Basore from Guidance replied to my posting in another discussion group. Here is what he said (I have added some bolding and other reading enhancements to help the information's readability):

        For clarification, the Ex01 format that Guidance Software introduced in Version 7 is an open format, and can be implemented without a license or fee. Guidance has published the specification for the format, and we have worked with 2 other developers who are currently finishing their own implementation of it. In working with these developers, we have discovered that there is additional information that may be of help, so we are currently revising the spec to include this information and will publish an update shortly. In the meantime, if anyone has a question about the spec, we will be happy to answer questions and provide assistance in understanding the changes.

        Guidance Software introduced the changes in our evidence file format to account for additional functionality that we want to provide our users. This includes the ability to encrypt the data area of the file while maintaining the ability to verify the file without decrypting, the ability to support future HASH algorithms and the ability to support future compression algorithms. The E01 format was created over 10 years ago, and the updated format also has improvements in creation and access speed, provides flexibility in the order that data is written into the file, as well as a better ability to deal with lost or damaged segments.

        If anyone has questions about the new format, please contact us. As I indicated above, the specification is openly available and we will work with any developer that might need additional information in order to implement it.

        =-=-=-=-=-=

        Like Mr. Rosen said, " Thank you for the clarification. Can you please point me to the published specification? "

        I too thank you, especially for the quick response to these previous postings. I was only just able to receive and review your reply today.

        Mr. Basore then had another posting with the added information of an overview and stated, " EnCase will continue to support the legacy E01 format, as we know many of our users rely on it. We also understand that users will need time to test the new format for themselves. There is no plan to drop support for E01, but we wanted to provide expanded functionality for our users that just is not possible in the legacy format. "

        I understand that there might be concerns about the structure of the new file format, so I have provided below the first few sections of the published Specification that will clarify some of the concerns that there may be. As I have indicated before, if anyone has any questions about the new format, please feel free to contact us.

        ----Excerpt from "EnCase Evidence File Format Version 2 - Technical Specification" ----

        Overview

        The existing EnCase evidence file has performed well for over a decade. It is court-validated, well-known, and adopted in the industry. Despite its effectiveness, some limitations remain that can only be overcome with an updated evidence file format.

        This document outlines the technical details of the updated EnCase evidence file format version 2 (Ex01) so that developers can customize their applications to integrate with the new format. It describes the details, data structures, and algorithms behind Ex01.

        The intended audience of this document is a technical reader with a forensic background and familiarity with C-style binary structure layout and algorithms.

        Comparison of E01 and Ex01 Formats

        Many of the central design principles of the E01 format have been retained; implementers familiar with the E01 structure will find the Ex01 format similar. The Ex01 format still stores data in blocks that are verified with an individual 32-bit CRC, and all of the source data stored in the file is hashed with the MD5 and/or SHA-1 algorithms if requested by the user. The Ex01 enhancements do not affect features of the file such as these that many courts have relied on to rule that the file is an accepted container of original evidence; the additions merely facilitate the ability to track and handle new characteristics of the stored data.

        Ex01 Capabilities

        The new Ex01 format introduces the following capabilities:

        - Support for encryption of the data.
        - Ability to use different compression algorithms.
        - Improved support for multi-threaded acquisitions, where sectors can be out of order.
        - Efficient storage and handling of sector blocks that are filled with the same pattern (such as 00-byte fills).
        - Alignment considerations to improve efficiency and performance.
        - Improved support for resuming acquisitions.
        - Internal improvements of the data structures.

        While some of this new functionality is not yet fully leveraged in the current version, all necessary data is stored, the data structures support expansions, and subsequent versions will use this new format to its fullest.

        ----End excerpt

        Ken Basore | Sr. Vice President, R&D | Guidance Software, Inc.
        215 N. Marengo Ave., 2nd Floor | Pasadena, CA 91101
        Phone: 626-229-9191 | Fax: 626-229-9199
        Ken.Basore@... | www.GuidanceSoftware.com

        I have joined SourceForge and I will present this information to "jbmetz" as soon as my login is enabled. So, Mr. Walton will not have to forward this information, unless he wishes to. I will post it as a comment to this specific request for his library.

        I am happy to have helped all in this specific concern for the digital forensic community.

        Regards,

        Harvey Rothenberg
        Systems Integrator/Security Specialist

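The integrity scheme the spec excerpt above describes (data stored in blocks each verified by its own 32-bit CRC, the whole source image hashed with MD5 and/or SHA-1, compact handling of pattern-filled blocks such as 00-byte fills, and damage that can be localised to a segment) is modelled below in a small constructed container. This is an added example written for this thread, not Guidance's code and not the Ex01 on-disk layout: the magic string, header and entry fields, the 32 KiB block size and the fill-byte encoding are all assumptions made for illustration.

```python
"""Toy model of block-verified evidence storage (constructed for this page, not Ex01)."""
import hashlib
import struct
import zlib

MAGIC = b"TOYEWF"             # assumed magic string, not the real Ex01 signature
SECTOR = 512
BLOCK_SECTORS = 64            # assumed block size of 64 sectors (32 KiB)
BLOCK_SIZE = SECTOR * BLOCK_SECTORS
HDR = struct.Struct("<III")   # block_count, sector_size, block_sectors (assumed layout)
ENT = struct.Struct("<BIII")  # kind, crc32, stored_len, block_len (assumed layout)
KIND_RAW, KIND_FILL = 0, 1
DIGEST_LEN = 16 + 20          # trailer: MD5 digest followed by SHA-1 digest


def is_pattern_fill(block: bytes) -> bool:
    """True when every byte of the block equals its first byte (e.g. a 00-byte fill)."""
    return len(block) > 0 and block == bytes([block[0]]) * len(block)


def acquire(source: bytes) -> bytes:
    """Store source bytes as CRC-protected blocks, then whole-image MD5 and SHA-1."""
    blocks = [source[i:i + BLOCK_SIZE] for i in range(0, len(source), BLOCK_SIZE)]
    out = bytearray(MAGIC + HDR.pack(len(blocks), SECTOR, BLOCK_SECTORS))
    for block in blocks:
        if is_pattern_fill(block):
            kind, payload = KIND_FILL, bytes([block[0]])  # keep the fill byte only
        else:
            kind, payload = KIND_RAW, block
        # The CRC covers the bytes as stored, so a verifier can check block
        # integrity without having to interpret (or decrypt) the payload.
        crc = zlib.crc32(payload) & 0xFFFFFFFF
        out += ENT.pack(kind, crc, len(payload), len(block)) + payload
    # Hashes are taken over the original source data, as the excerpt describes.
    out += hashlib.md5(source).digest() + hashlib.sha1(source).digest()
    return bytes(out)


def _parse(container: bytes):
    """Return ([(index, payload_offset, kind, crc, payload, block_len)], trailer_offset)."""
    if not container.startswith(MAGIC):
        raise ValueError("not a toy container")
    pos = len(MAGIC)
    count, _sector, _bsec = HDR.unpack_from(container, pos)
    pos += HDR.size
    entries = []
    for idx in range(count):
        kind, crc, stored_len, block_len = ENT.unpack_from(container, pos)
        payload_at = pos + ENT.size
        payload = container[payload_at:payload_at + stored_len]
        entries.append((idx, payload_at, kind, crc, payload, block_len))
        pos = payload_at + stored_len
    return entries, pos


def verify(container: bytes) -> dict:
    """Check each block CRC, then the whole-image hashes over the reconstructed data."""
    entries, trailer = _parse(container)
    bad_blocks = []
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    for idx, _at, kind, crc, payload, block_len in entries:
        if (zlib.crc32(payload) & 0xFFFFFFFF) != crc:
            bad_blocks.append(idx)  # damage is localised to a block, not the image
        data = payload if kind == KIND_RAW else bytes([payload[0]]) * block_len
        md5.update(data)
        sha1.update(data)
    md5_ok = md5.digest() == container[trailer:trailer + 16]
    sha1_ok = sha1.digest() == container[trailer + 16:trailer + DIGEST_LEN]
    return {"blocks": len(entries), "bad_blocks": bad_blocks,
            "md5_ok": md5_ok, "sha1_ok": sha1_ok,
            "ok": not bad_blocks and md5_ok and sha1_ok}


def flip_byte(container: bytes, block_index: int) -> bytes:
    """Simulate a damaged segment by flipping the first stored byte of one block."""
    entries, _trailer = _parse(container)
    payload_at = entries[block_index][1]
    damaged = bytearray(container)
    damaged[payload_at] ^= 0xFF
    return bytes(damaged)


# Constructed sample image: one block of varied data, one 00-filled block, a short tail.
SAMPLE_IMAGE = bytes(range(256)) * 128 + b"\x00" * BLOCK_SIZE + b"tail-sector" * 10

if __name__ == "__main__":
    container = acquire(SAMPLE_IMAGE)
    print(verify(container))                # clean: ok=True, bad_blocks=[]
    print(verify(flip_byte(container, 0)))  # bad_blocks=[0], both hashes fail
```

The per-block CRC tells an examiner which block was damaged, while the trailer hashes only say that the image as a whole no longer matches.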
      • Daniel Walton
        Message 3 of 13, Apr 30 3:48 PM
          Thanks for the update Harvey.

          Re “Guidance has published the specification for the format, and we have worked with 2 other developers who are currently finishing their own implementation of it”

          Be interested to find out more about these implementations, sounds interesting.


          From: linux_forensics@yahoogroups.com [mailto:linux_forensics@yahoogroups.com] On Behalf Of Harvey Rothenberg
          Sent: Tuesday, 1 May 2012 6:54 AM
          To: linux_forensics@yahoogroups.com; Daniel Walton; eric.zimmerman@...
          Cc: echo6_uk@...; ketil@...; Cindy Murphy; carrier@...; simsong@...
          Subject: BTY: [linux_forensics] EWF and Ex01 Received Reply from Guidance ....



          Back To You - All :

          A Mr. Ken Basore from Guidance replied to my posting in another discussion group, here is what he said ( I have added some bolding and other reading enhancements to help in the information's readability ) :

          For clarification, the Ex01 format that Guidance Software introduced in
          Version 7 is an open format, and can be implemented without a license or fee. Guidance has published the specification for the format, and we have worked with 2 other developers who are currently finishing their own implementation of it. In working with these developers, we have discovered that there is additional information that may be of help, so we are currently revising the spec to include this information and will publish an update shortly. In the meantime, if anyone has a question about the spec, we will be happy to answer questions and provide assistance in understanding the changes.

          Guidance Software introduced the changes in our evidence file format to account for additional functionality that we want to provide our users. This includes the ability to encrypt the data area of the file while
          maintaining the ability to verify the file without decrypting, the ability
          to support future HASH algorithms and the ability to support future
          compression algorithms. The E01 format was created over 10 years ago, and the updated format also has improvements in creation and access speed, provides flexibility in the order that data is written into the file, as well as a better ability to deal with lost or damaged segments.

          If anyone has questions about the new format, please contact us. As I
          indicated above, the specification is openly available and we will work with any developer that might need additional information in order to implement it.

          =-=-=-=-=-=

          Like Mr. Rosen said, " Thank you for the clarification. Can you please point me to the published specification? ".

          I too, Thank You ! especially for the quick response to these previous postings. I was only just able to receive and review your reply today.

          Mr. Basore, then had another posting with the added information of an overview and stated, " EnCase will continue to support the legacy E01 format, as we know many
          of our users rely on it. We also understand that users will need time
          to test the new format for themselves. There is no plan to drop support
          for E01, but we wanted to provide expanded functionality for our users
          that just is not possible in the legacy format. "

          I understand that there might be concerns about the structure of the new
          file format, so I have provided below the first few sections of the
          published Specification that will clarify some of the concerns that
          there may be. As I have indicated before, if anyone has any questions
          about the new format, please feel free to contact us.

          ----Excerpt from "EnCase Evidence File Format Version 2 - Technical Specification" ----

          Overview

          The
          existing EnCase evidence file has performed well for over a decade. It
          is court-validated, well-known, and adopted in the industry. Despite its
          effectiveness, some limitations remain that can only be overcome with
          an updated evidence file format.

          This document outlines the
          technical details of the updated EnCase evidence file format version 2
          (Ex01) so that developers can customize their applications to integrate
          with the new format. It describes the details, data structures, and
          algorithms behind Ex01.

          The intended audience of this document is a
          technical reader with a forensic background and familiarity with C-style
          binary structure layout and algorithms.

          Comparison of E01 and Ex01 Formats

          Many
          of the central design principles of the E01 format have been retained;
          implementers familiar with the E01 structure will find the Ex01 format
          similar. The Ex01 format still stores data in blocks that are verified
          with an individual 32-bit CRC, and all of the source data stored in the
          file is hashed with the MD5 and/or SHA-1 algorithms if requested by the
          user. The Ex01 enhancements do not affect features of the file such as
          these that many courts have relied on to rule that the file is an
          accepted container of original evidence; the additions merely facilitate
          the ability to track and handle new characteristics of the stored data.

          Ex01 Capabilities

          The new Ex01 format introduces the following capabilities:
          - Support for encryption of the data.
          - Ability to use different compression algorithms.
          - Improved support for multi-threaded acquisitions, where sectors can be out of order.
          - Efficient storage and handling of sector blocks that are filled with the same pattern (such as 00-byte fills).
          - Alignment considerations to improve efficiency and performance.
          - Improved support for resuming acquisitions.
          - Internal improvements of the data structures.

          While some of this new functionality is not yet fully leveraged in the current version, all necessary data is stored, the data structures support expansions, and subsequent versions will use this new format to its fullest.
          ----End excerpt

          Ken Basore | Sr. Vice President, R&D | Guidance Software, Inc.

          215 N. Marengo Ave., 2nd Floor | Pasadena, CA 91101

          Phone: 626-229-9191 | Fax: 626-229-9199

          Ken.Basore@... | www.GuidanceSoftware.com

          I have joined SourceForge and I will present this information to "jbmetz" as soon as my login is enabled. So, Mr. Walton will not have to forward this information, unless he wishes to. I will post it as a comment to this specific request for his library.

          I am happy to have helped all in this specific concern for the digital forensic community.

          Regards,

          Harvey Rothenberg
          Systems Integrator/Security Specialist

          --- On Fri, 4/27/12, Echo6 <echo6_uk@...> wrote:

          From: Echo6 <echo6_uk@...>
          Subject: Re: [linux_forensics] EWF and Ex01
          To: "linux_forensics@yahoogroups.com" <linux_forensics@yahoogroups.com>, "forensic28sa@..." <forensic28sa@...>
          Date: Friday, April 27, 2012, 5:51 AM



          They (GSI) have made a white paper available on the new format for download from their web site and support portal

          http://www.guidancesoftware.com/DocumentRegistration.aspx?did=1000018246

          EnCase® Evidence File Format Version 2 - Technical Specification

          Jon.

          ________________________________

          From: Daniel Walton <d.walton@...>
          To: "forensic28sa@..." <forensic28sa@...>
          Cc: "linux_forensics@yahoogroups.com" <linux_forensics@yahoogroups.com>
          Sent: Thursday, April 26, 2012 11:34 PM
          Subject: Re: [linux_forensics] EWF and Ex01



          Great news. Look forward to seeing it implemented.

          Sent from Samsung Mobile

          -------- Original message --------

          Subject: BTY: [linux_forensics] EWF and Ex01

          From: Harvey Rothenberg <forensic28sa@...>
          To: Daniel Walton <d.walton@...>
          CC: "linux_forensics@yahoogroups.com" <linux_forensics@yahoogroups.com>

          Back to You:

          Daniel,

          --- On Wed, 4/25/12, Daniel Walton <d.walton@...> wrote:

          From: Daniel Walton <d.walton@...>
          Subject: RE: [linux_forensics] EWF and Ex01
          To: "Harvey Rothenberg" <forensic28sa@...>
          Date: Wednesday, April 25, 2012, 8:06 PM

          Hi Harvey

          Can your friend provide sources for his claim that the Ex01 format is open sourced?

          My friend replied with, " I have been told repeatedly by Guidance Software employees that the new standard is being released openly so anyone can implement it. "

          If that’s the case then we the community can collaborate on the future growth of this format, although I would be surprised; I haven’t found anything saying anything like that.

          Sadly the link you gave me is the same link that JBMetz comments on in the sourceforge forum post I forwarded.

          If you click on the link below and go have a look you will see it’s the same link which JBMetz is asked about.

          I downloaded it and had a look; it’s only 11 pages long and seems a little sparse considering its purpose. It would be a positive sign for Guidance if they have released the full specification allowing others to re-implement the format in their software.

          My friend is also a programmer and he feels, " It appears to be all the details needed, it’s just not very clearly written. But a strong C++ programmer could likely make sense of it. Unless there is more documentation coming…. "

          I would inject that maybe the author of this document assumed a certain level of capabilities and wrote for that audience. Usually, if you want a community to support an effort, you write for more of a beginner's audience so that your work is sure to be understood.

          Regards,

          Harvey Rothenberg

          http://sourceforge.net/tracker/index.php?func=detail&aid=3509854&group_id=167783&atid=844315

          <quote>

          Date: 2012-03-21 13:16:11 PDT

          Sender: jbmetz <http://sourceforge.net/users/jbmetz/>

          Ex01/Lx01 is actually a completely different format, at the lower level.

          Guidance has released part of the format specification.

          For now I lack the time to do anything serious on Ex01.

          Will be hard to implement if Guidance has only released part of the format, this is not an encouraging sign. It may be a Microsoft/Apple like move to use proprietary formats to force others to license their new format as an additional revenue stream.

          </quote>

          From: Harvey Rothenberg [mailto:forensic28sa@...]
          Sent: Thursday, 26 April 2012 5:09 AM
          To: linux_forensics@yahoogroups.com
          Cc: Daniel Walton; simsong@...; carrier@...; cmurphy@...
          Subject: BTY: [linux_forensics] EWF and Ex01

          Back To You:

          Mr. Daniel Walton,

          I agree with your last statement wholeheartedly, but Guidance is very much into the software business now. (... better idea to encourage Guidance to support the open AFFLIB evidence format. Access Data ... already support it.)

          In an effort to keep the members of the group fully informed and reporting as the information is learned, I present the following :

          The developer of libewf, "jbmetz", stated below that "... Guidance has only released part of the format ...". I would like to bring to the attention of jbmetz and yourself that a friend investigator has brought to my attention that this seems to be not quite correct. He believes that this documentation is FULLY available AND open sourced. I present the following to this Group and the public, the link to the download:

          EnCase Evidence File Format Version 2

          This document outlines the technical details of the updated EnCase® evidence file format version 2 (Ex01) so that developers can customize their applications to integrate with the new format. It describes the details, data structures, and algorithms behind Ex01.

          http://www.guidancesoftware.com/DocumentRegistration.aspx?did=1000018246&instant=1

          I cannot speak to the accuracy of these statements but only report them to you. I also have not registered to download and evaluate whether this documentation is truly a full disclosure or not. I hope someone else, more qualified to make this call, could comment on this subject. So I present this follow-up information back to the group for further comment and investigation.

          I can only say that if my first posting is correct, this would be very upsetting to the whole field and disruptive, too.

          Regards,

          Harvey Rothenberg

          Systems Integrator/Security Specialist

          --- On Wed, 4/18/12, Daniel Walton <d.walton@...> wrote:

          From: Daniel Walton <d.walton@...>
          Subject: RE: [linux_forensics] EWF and Ex01
          To: "linux_forensics@yahoogroups.com" <linux_forensics@yahoogroups.com>
          Date: Wednesday, April 18, 2012, 8:21 PM

          Doesn't look like it.

          The below is a quote from jbmetz the developer of the libewf toolkit.

          http://sourceforge.net/tracker/index.php?func=detail&aid=3509854&group_id=167783&atid=844315

          Date: 2012-03-21 13:16:11 PDT

          Sender: jbmetz <http://sourceforge.net/users/jbmetz/>

          Ex01/Lx01 is actually a completely different format, at the lower level.

          Guidance has released part of the format specification.

          For now I lack the time to do anything serious on Ex01.

          Will be hard to implement if Guidance has only released part of the format, this is not an encouraging sign. It may be a Microsoft/Apple like move to use proprietary formats to force others to license their new format as an additional revenue stream.

          It's probably a better idea to encourage Guidance to support the open AFFLIB evidence format. Access Data's Forensic Tool Kit and FTK imager already support it. It would be a lot nicer for us if the commercial forensic software companies supported open formats as well as opening their proprietary formats.

          From: linux_forensics@yahoogroups.com [mailto:linux_forensics@yahoogroups.com] On Behalf Of Ketil Froyn
          Sent: Wednesday, 18 April 2012 12:16 AM
          To: linux_forensics@yahoogroups.com
          Subject: [linux_forensics] EWF and Ex01

          Anyone know if there is work being done to implement support for EnCase v7's new Ex01 file format in libewf or other open source libraries? Otherwise I guess all the open source tools will be less useful as Ex01 file format adoption increases.

          Cheers, Ketil

        • Harvey Rothenberg
          Message 4 of 13 , May 1, 2012
            Len :

            No, but it depends upon how you look at this. At this same time, I am trying to inform persons that I know and I feel are important to this issue to be informed on what seems to be a very important issue.

            My interest, I believe, would be the same as yours, and that is for the historical work already done in EnCase to be accessible to the next generation or version(s) of this tool and any other tools, for the main reason of being able to present the evidence for trial. I also see the need for existing tools by other publishers to still be able to exchange information and work.

            The primary interest is being able to get the work done and to be able to employ whatever tools that would be needed to support this effort.  This is where the most important aspect would be being able to exchange these files between tools.  In other words - Standards for consistent exchanging of work between the tools that are used by the community.

            In two hundred words or less, this is my interest. I hope others in the community feel the same way. Do you?

            Regards,
            Harvey Rothenberg


            --- On Tue, 5/1/12, Len Drinkard <ldrinkard@...> wrote:

            From: Len Drinkard <ldrinkard@...>
            Subject: RE: [linux_forensics] EWF and Ex01 Received Reply from Guidance ....
            To: "'Harvey Rothenberg'" <forensic28sa@...>
            Date: Tuesday, May 1, 2012, 10:34 AM

            Hey Harvey, are you stirring up the soup again? :) Len

            From: Harvey Rothenberg [mailto:forensic28sa@...]
            Sent: Monday, April 30, 2012 4:54 PM
            To: linux_forensics@yahoogroups.com; d.walton@...; eric.zimmerman@...
            Cc: echo6_uk@...; ketil@...; Cindy Murphy; carrier@...; simsong@...
            Subject: BTY: [linux_forensics] EWF and Ex01 Received Reply from Guidance ....

            Back To You - All :

            A Mr. Ken Basore from Guidance replied to my posting in another discussion group; here is what he said (I have added some bolding and other reading enhancements to help the information's readability):

            For clarification, the Ex01 format that Guidance Software introduced in Version 7 is an open format, and can be implemented without a license or fee. Guidance has published the specification for the format, and we have worked with 2 other developers who are currently finishing their own implementation of it. In working with these developers, we have discovered that there is additional information that may be of help, so we are currently revising the spec to include this information and will publish an update shortly. In the meantime, if anyone has a question about the spec, we will be happy to answer questions and provide assistance in understanding the changes.

            Guidance Software introduced the changes in our evidence file format to account for additional functionality that we want to provide our users. This includes the ability to encrypt the data area of the file while maintaining the ability to verify the file without decrypting, the ability to support future HASH algorithms and the ability to support future compression algorithms. The E01 format was created over 10 years ago, and the updated format also has improvements in creation and access speed, provides flexibility in the order that data is written into the file, as well as a better ability to deal with lost or damaged segments.

            If anyone has questions about the new format, please contact us. As I indicated above, the specification is openly available and we will work with any developer that might need additional information in order to implement it.


            =-=-=-=-=-=

            Like Mr. Rosen said, "Thank you for the clarification. Can you please point me to the published specification?"

            I too thank you, especially for the quick response to these previous postings. I was only just able to receive and review your reply today.

            Mr. Basore, then had another posting with the added information of an overview and stated, " EnCase will continue to support the legacy E01 format, as we know many of our users rely on it.  We also understand that users will need time to test the new format for themselves.  There is no plan to drop support for E01, but we wanted to provide expanded functionality for our users that just is not possible in the legacy format. "

            I understand that there might be concerns about the structure of the new file format, so I have provided below the first few sections of the published Specification that will clarify some of the concerns that there may be.  As I have indicated before, if anyone has any questions about the new format, please feel free to contact us.

            ----Excerpt from "EnCase Evidence File Format Version 2 - Technical Specification" ----

            Overview

            The existing EnCase evidence file has performed well for over a decade. It is court-validated, well-known, and adopted in the industry. Despite its effectiveness, some limitations remain that can only be overcome with an updated evidence file format.
             
            This document outlines the technical details of the updated EnCase evidence file format version 2 (Ex01) so that developers can customize their applications to integrate with the new format. It describes the details, data structures, and algorithms behind Ex01.

            The intended audience of this document is a technical reader with a forensic background and familiarity with C-style binary structure layout and algorithms.

            Comparison of E01 and Ex01 Formats

            Many of the central design principles of the E01 format have been retained; implementers familiar with the E01 structure will find the Ex01 format similar.  The Ex01 format still stores data in blocks that are verified with an individual 32-bit CRC, and all of the source data stored in the file is hashed with the MD5 and/or SHA-1 algorithms if requested by the user.  The Ex01 enhancements do not affect features of the file such as these that many courts have relied on to rule that the file is an accepted container of original evidence; the additions merely facilitate the ability to track and handle new characteristics of the stored data.

            Ex01 Capabilities

            The new Ex01 format introduces the following capabilities:
            - Support for encryption of the data.
            - Ability to use different compression algorithms.
            - Improved support for multi-threaded acquisitions, where sectors can be out of order.
            - Efficient storage and handling of sector blocks that are filled with the same pattern (such as 00-byte fills).
            - Alignment considerations to improve efficiency and performance.
            - Improved support for resuming acquisitions.
            - Internal improvements of the data structures.

            While some of this new functionality is not yet fully leveraged in the current version, all necessary data is stored, the data structures support expansions, and subsequent versions will use this new format to its fullest.
            ----End excerpt

            Ken Basore | Sr. Vice President, R&D | Guidance Software, Inc.
            215 N. Marengo Ave., 2nd Floor | Pasadena, CA  91101
            Phone: 626-229-9191 | Fax: 626-229-9199
            Ken.Basore@...  |  www.GuidanceSoftware.com


            I have joined SourceForge and I will present this information to "jbmetz" as soon as my login is enabled. So, Mr. Walton will not have to forward this information, unless he wishes to. I will post it as a comment to this specific request for his library.

            I am happy to have helped all in this specific concern for the digital forensic community.

            Regards,

            Harvey Rothenberg
            Systems Integrator/Security Specialist

            --- On Fri, 4/27/12, Echo6 <echo6_uk@...> wrote:
            From: Echo6 <echo6_uk@...>
            Subject: Re: [linux_forensics] EWF and Ex01
            To: "linux_forensics@yahoogroups.com" <linux_forensics@yahoogroups.com>, "forensic28sa@..." <forensic28sa@...>
            Date: Friday, April 27, 2012, 5:51 AM

            They (GSI) have made a white paper available on the new format for download from their web site and support portal

            http://www.guidancesoftware.com/DocumentRegistration.aspx?did=1000018246

            EnCase® Evidence File Format Version 2 - Technical Specification

            Jon.

            ________________________________
            From: Daniel Walton <d.walton@...>
            To: "forensic28sa@..." <forensic28sa@...>
            Cc: "linux_forensics@yahoogroups.com" <linux_forensics@yahoogroups.com>
            Sent: Thursday, April 26, 2012 11:34 PM
            Subject: Re: [linux_forensics] EWF and Ex01


            Great news. Look forward to seeing it implemented.

            Sent from Samsung Mobile

            -------- Original message --------
            Subject: BTY: [linux_forensics] EWF and Ex01
            From: Harvey Rothenberg <forensic28sa@...>
            To: Daniel Walton <d.walton@...>
            CC: "linux_forensics@yahoogroups.com" <linux_forensics@yahoogroups.com>

            Back to You:
            Daniel,

            --- On Wed, 4/25/12, Daniel Walton <d.walton@...> wrote:

            From: Daniel Walton <d.walton@...>
            Subject: RE: [linux_forensics] EWF and Ex01
            To: "Harvey Rothenberg" <forensic28sa@...>
            Date: Wednesday, April 25, 2012, 8:06 PM

            Hi Harvey

            Can your friend provide sources for his claim that the Ex01 format is open sourced?

            My friend replied with, " I have been told repeatedly by Guidance Software employees that the new standard is being released openly so anyone can implement it. "

            If that’s the case then we the community can collaborate on the future growth of this format, although I would be surprised; I haven’t found anything saying anything like that.

            Sadly the link you gave me is the same link that JBMetz comments on in the sourceforge forum post I forwarded.

            If you click on the link below and go have a look you will see it’s the same link which JBMetz is asked about.

            I downloaded it and had a look; it’s only 11 pages long and seems a little sparse considering its purpose. It would be a positive sign for Guidance if they have released the full specification allowing others to re-implement the format in their software.

            My friend is also a programmer and he feels, " It appears to be all the details needed, it’s just not very clearly written. But a strong C++ programmer could likely make sense of it. Unless there is more documentation coming…. "

            I would inject that maybe the author of this document assumed a certain level of capabilities and wrote for that audience. Usually, if you want a community to support an effort, you write for more of a beginner's audience so that your work is sure to be understood.

            Regards,

            Harvey Rothenberg

            http://sourceforge.net/tracker/index.php?func=detail&aid=3509854&group_id=167783&atid=844315
            <quote>
            Date: 2012-03-21 13:16:11 PDT
            Sender: jbmetz <http://sourceforge.net/users/jbmetz/>

            Ex01/Lx01 is actually a completely different format, at the lower level.
            Guidance has released part of the format specification.

            For now I lack the time to do anything serious on Ex01.
            Will be hard to implement if Guidance has only released part of the format, this is not an encouraging sign. It may be a Microsoft/Apple like move to use proprietary formats to force others to license their new format as an additional revenue stream.

            </quote>

            From: Harvey Rothenberg [mailto:forensic28sa@...]
            Sent: Thursday, 26 April 2012 5:09 AM
            To: linux_forensics@yahoogroups.com
            Cc: Daniel Walton; simsong@...; carrier@...; cmurphy@...
            Subject: BTY: [linux_forensics] EWF and Ex01

            Back To You:

            Mr. Daniel Walton,

            I agree with your last statement wholeheartedly, but Guidance is very much into the software business now. (... better idea to encourage Guidance to support the open AFFLIB evidence format. Access Data ... already support it.)

            In an effort to keep the members of the group fully informed and reporting as the information is learned, I present the following :

            The developer of libewf, "jbmetz", stated below that "... Guidance has only released part of the format ...". I would like to bring to the attention of jbmetz and yourself that a friend investigator has brought to my attention that this seems to be not quite correct. He believes that this documentation is FULLY available AND open sourced. I present the following to this Group and the public, the link to the download:

            EnCase Evidence File Format Version 2

            This document outlines the technical details of the updated EnCase® evidence file format version 2 (Ex01) so that developers can customize their applications to integrate with the new format. It describes the details, data structures, and algorithms behind Ex01.

            http://www.guidancesoftware.com/DocumentRegistration.aspx?did=1000018246&instant=1

            I cannot speak to the accuracy of these statements but only report them to you. I also have not registered to download and evaluate whether this documentation is truly a full disclosure or not. I hope someone else, more qualified to make this call, could comment on this subject. So I present this follow-up information back to the group for further comment and investigation.

            I can only say that if my first posting is correct, this would be very upsetting to the whole field and disruptive, too.

            Regards,
            Harvey Rothenberg
            Systems Integrator/Security Specialist

            --- On Wed, 4/18/12, Daniel Walton <d.walton@...> wrote:

            From: Daniel Walton <d.walton@...>
            Subject: RE: [linux_forensics] EWF and Ex01
            To: "linux_forensics@yahoogroups.com" <linux_forensics@yahoogroups.com>
            Date: Wednesday, April 18, 2012, 8:21 PM

            Doesn't look like it.
            The below is a quote from jbmetz the developer of the libewf toolkit.

            http://sourceforge.net/tracker/index.php?func=detail&aid=3509854&group_id=167783&atid=844315

            Date: 2012-03-21 13:16:11 PDT
            Sender: jbmetz <http://sourceforge.net/users/jbmetz/>

            Ex01/Lx01 is actually a completely different format, at the lower level.
            Guidance has released part of the format specification.

            For now I lack the time to do anything serious on Ex01.
            Will be hard to implement if Guidance has only released part of the format, this is not an encouraging sign. It may be a Microsoft/Apple like move to use proprietary formats to force others to license their new format as an additional revenue stream.

            It's probably a better idea to encourage Guidance to support the open AFFLIB evidence format. Access Data's Forensic Tool Kit and FTK imager already support it. It would be a lot nicer for us if the commercial forensic software companies supported open formats as well as opening their proprietary formats.

            From: linux_forensics@yahoogroups.com [mailto:linux_forensics@yahoogroups.com] On Behalf Of Ketil Froyn
            Sent: Wednesday, 18 April 2012 12:16 AM
            To: linux_forensics@yahoogroups.com
            Subject: [linux_forensics] EWF and Ex01

            Anyone know if there is work being done to implement support for EnCase v7's new Ex01 file format in libewf or other open source libraries? Otherwise I guess all the open source tools will be less useful as Ex01 file format adoption increases.

            Cheers, Ketil

          • Daniel Walton
            Message 5 of 13 , May 1, 2012
              I agree.
              We need open formats, so that access to evidence isn’t limited by proprietary forensic tools.

              If only Guidance and X-Ways added support for AFFLIB to their tools.

              We are lucky that tools like ewflib have been created so that there is open access to .E01 files which makes this format more open.
              Before that I had to export raw DD images from .E01’s so that I could use other tools on the evidence (e.g. photorec, sleuthkit, etc.) or access the evidence under Linux.

              ### This is a Linux forensics forum so the openness of evidence formats is vital. ###

              Word, for example, is quite bad in its support of the .doc format. Word files give quite mixed results when opened with different versions of Word.



              From: linux_forensics@yahoogroups.com [mailto:linux_forensics@yahoogroups.com] On Behalf Of Harvey Rothenberg
              Sent: Wednesday, 2 May 2012 4:50 AM
              To: Len Drinkard
              Cc: linux_forensics@yahoogroups.com
              Subject: [linux_forensics] RE: EWF and Ex01 Received Reply from Guidance ....



              Len :

              No, but it depends upon how you look at this. At this same time, I am trying to inform persons that I know and I feel are important to this issue to be informed on what seems to be a very important issue.

              My interest, I believe would be the same as yours, and that is for the historical work already done in Encase to be accessible to the next generation or version(s) of this tool and any other tools. For the main reason of being able to present the evidence for trial. I also see the need for existing tools by other publishers to still be able to exchange information and work.

              The primary interest is being able to get the work done and to be able to employ whatever tools that would be needed to support this effort. This is where the most important aspect would be being able to exchange these files between tools. In other words - Standards for consistent exchanging of work between the tools that are used by the community.

              In two hundred words or less, this is my interest. I hope others in the community feel the same way. Do you ?

              Regards,
              Harvey Rothenberg

              --- On Tue, 5/1/12, Len Drinkard <ldrinkard@...> wrote:

              From: Len Drinkard <ldrinkard@...>
              Subject: RE: [linux_forensics] EWF and Ex01 Received Reply from Guidance ....
              To: "'Harvey Rothenberg'" <forensic28sa@...>
              Date: Tuesday, May 1, 2012, 10:34 AM

              Hey Harvey, are you stirring up the soup again? :) Len

              From: Harvey Rothenberg [mailto:forensic28sa@...]
              Sent: Monday, April 30, 2012 4:54 PM
              To: linux_forensics@yahoogroups.com; d.walton@...; eric.zimmerman@...
              Cc: echo6_uk@...; ketil@...; Cindy Murphy; carrier@...; simsong@...
              Subject: BTY: [linux_forensics] EWF and Ex01 Received Reply from Guidance ....

              Back To You - All :

              A Mr. Ken Basore from Guidance replied to my posting in another discussion group; here is what he said (I have added some bolding and other reading enhancements to help the information's readability):

              For clarification, the Ex01 format that Guidance Software introduced in Version 7 is an open format, and can be implemented without a license or fee. Guidance has published the specification for the format, and we have worked with 2 other developers who are currently finishing their own implementation of it. In working with these developers, we have discovered that there is additional information that may be of help, so we are currently revising the spec to include this information and will publish an update shortly. In the meantime, if anyone has a question about the spec, we will be happy to answer questions and provide assistance in understanding the changes.

              Guidance Software introduced the changes in our evidence file format to account for additional functionality that we want to provide our users. This includes the ability to encrypt the data area of the file while maintaining the ability to verify the file without decrypting, the ability to support future HASH algorithms and the ability to support future compression algorithms. The E01 format was created over 10 years ago, and the updated format also has improvements in creation and access speed, provides flexibility in the order that data is written into the file, as well as a better ability to deal with lost or damaged segments.

              If anyone has questions about the new format, please contact us. As I indicated above, the specification is openly available and we will work with any developer that might need additional information in order to implement it.

              =-=-=-=-=-=

              Like Mr. Rosen said, "Thank you for the clarification. Can you please point me to the published specification?"

              I, too, thank you, especially for the quick response to these previous postings. I was only just able to receive and review your reply today.

              Mr. Basore then had another posting with the added information of an overview and stated, "EnCase will continue to support the legacy E01 format, as we know many of our users rely on it. We also understand that users will need time to test the new format for themselves. There is no plan to drop support for E01, but we wanted to provide expanded functionality for our users that just is not possible in the legacy format."

              I understand that there might be concerns about the structure of the new file format, so I have provided below the first few sections of the published Specification that will clarify some of the concerns that there may be. As I have indicated before, if anyone has any questions about the new format, please feel free to contact us.

              ----Excerpt from "EnCase Evidence File Format Version 2 - Technical Specification" ----

              Overview

              The existing EnCase evidence file has performed well for over a decade. It is court-validated, well-known, and adopted in the industry. Despite its effectiveness, some limitations remain that can only be overcome with an updated evidence file format.

              This document outlines the technical details of the updated EnCase evidence file format version 2 (Ex01) so that developers can customize their applications to integrate with the new format. It describes the details, data structures, and algorithms behind Ex01.

              The intended audience of this document is a technical reader with a forensic background and familiarity with C-style binary structure layout and algorithms.

              Comparison of E01 and Ex01 Formats

              Many of the central design principles of the E01 format have been retained; implementers familiar with the E01 structure will find the Ex01 format similar. The Ex01 format still stores data in blocks that are verified with an individual 32-bit CRC, and all of the source data stored in the file is hashed with the MD5 and/or SHA-1 algorithms if requested by the user. The Ex01 enhancements do not affect features of the file such as these that many courts have relied on to rule that the file is an accepted container of original evidence; the additions merely facilitate the ability to track and handle new characteristics of the stored data.

              Ex01 Capabilities

              The new Ex01 format introduces the following capabilities:
              - Support for encryption of the data.
              - Ability to use different compression algorithms.
              - Improved support for multi-threaded acquisitions, where sectors can be out of order.
              - Efficient storage and handling of sector blocks that are filled with the same pattern (such as 00-byte fills).
              - Alignment considerations to improve efficiency and performance.
              - Improved support for resuming acquisitions.
              - Internal improvements of the data structures.

              While some of this new functionality is not yet fully leveraged in the current version, all necessary data is stored, the data structures support expansions, and subsequent versions will use this new format to its fullest.
              ----End excerpt

              Ken Basore | Sr. Vice President, R&D | Guidance Software, Inc.
              215 N. Marengo Ave., 2nd Floor | Pasadena, CA 91101
              Phone: 626-229-9191 | Fax: 626-229-9199
              Ken.Basore@... | www.GuidanceSoftware.com

              I have joined SourceForge and I will present this information to "jbmetz" as soon as my login is enabled. So, Mr. Walton will not have to forward this information, unless he wishes to. I will post it as a comment to this specific request for his library.

              I am happy to have helped all in this specific concern for the digital forensic community.

              Regards,

              Harvey Rothenberg
              Systems Integrator/Security Specialist

              --- On Fri, 4/27/12, Echo6 <echo6_uk@...> wrote:
              From: Echo6 <echo6_uk@...>
              Subject: Re: [linux_forensics] EWF and Ex01
              To: "linux_forensics@yahoogroups.com" <linux_forensics@yahoogroups.com>, "forensic28sa@..." <forensic28sa@...>
              Date: Friday, April 27, 2012, 5:51 AM

              They (GSI) have made a white paper available on the new format for download from their web site and support portal

              http://www.guidancesoftware.com/DocumentRegistration.aspx?did=1000018246

              EnCase® Evidence File Format Version 2 - Technical Specification

              Jon.

              ________________________________
              From: Daniel Walton <d.walton@...>
              To: "forensic28sa@..." <forensic28sa@...>
              Cc: "linux_forensics@yahoogroups.com" <linux_forensics@yahoogroups.com>
              Sent: Thursday, April 26, 2012 11:34 PM
              Subject: Re: [linux_forensics] EWF and Ex01


              Great news. Look forward to seeing it implemented.

              Sent from Samsung Mobile

              -------- Original message --------
              Subject: BTY: [linux_forensics] EWF and Ex01
              From: Harvey Rothenberg <forensic28sa@...>
              To: Daniel Walton <d.walton@...>
              CC: "linux_forensics@yahoogroups.com" <linux_forensics@yahoogroups.com>

              Back to You:
              Daniel,

              --- On Wed, 4/25/12, Daniel Walton <d.walton@...> wrote:

              From: Daniel Walton <d.walton@...>
              Subject: RE: [linux_forensics] EWF and Ex01
              To: "Harvey Rothenberg" <forensic28sa@...>
              Date: Wednesday, April 25, 2012, 8:06 PM

              Hi Harvey

              Can your friend provide sources for his claim that the Ex01 format is open sourced?

              My friend replied with, "I have been told repeatedly by Guidance Software employees that the new standard is being released openly so anyone can implement it."

              If that's the case then we the community can collaborate on the future growth of this format, although I would be surprised, as I haven't found anything saying anything like that.

              Sadly the link you gave me is the same link that JBMetz comments on in the sourceforge forum post I forwarded.

              If you click on the link below and go have a look you will see it's the same link which JBMetz is asked about.

              I downloaded it and had a look; it's only 11 pages long and seems a little sparse considering its purpose. It would be a positive sign for Guidance if they have released the full specification allowing others to re-implement the format in their software.

              My friend is also a programmer and he feels, "It appears to be all the details needed, it's just not very clearly written. But a strong C++ programmer could likely make sense of it. Unless there is more documentation coming...."

              I would inject that maybe the author of this document assumed a certain level of capabilities and wrote for that audience. Usually if you want a community to support an effort, you write for more of a beginner's audience for your work to surely be understood.

              Regards,

              Harvey Rothenberg

              http://sourceforge.net/tracker/index.php?func=detail&aid=3509854&group_id=167783&atid=844315
              <quote>
              Date: 2012-03-21 13:16:11 PDT
              Sender: jbmetz <http://sourceforge.net/users/jbmetz/>

              Ex01/Lx01 is actually a completely different format, at the lower level.
              Guidance has released part of the format specification.

              For now I lack the time to do anything serious on Ex01.
              Will be hard to implement if Guidance has only released part of the format, this is not an encouraging sign. It may be a Microsoft/Apple like move to use proprietary formats to force others to license their new format as an additional revenue stream.

              </quote>

              From: Harvey Rothenberg [mailto:forensic28sa@...]
              Sent: Thursday, 26 April 2012 5:09 AM
              To: linux_forensics@yahoogroups.com
              Cc: Daniel Walton; simsong@...; carrier@...; cmurphy@...
              Subject: BTY: [linux_forensics] EWF and Ex01

              Back To You:

              Mr. Daniel Walton,

              I agree with your last statement wholeheartedly, but Guidance is very much into the software business now. ("... better idea to encourage Guidance to support the open AFFLIB evidence format. Access Data ... already support it.")

              In an effort to keep the members of the group fully informed and reporting as the information is learned, I present the following:

              The developer of libewf, "jbmetz", stated below that "... Guidance has only released part of the format ...". I would like to bring to the attention of jbmetz and yourself that a friend investigator has brought to my attention that this seems to be not quite correct. He believes that this documentation is FULLY available AND open sourced. I present the following download link to this Group and the public:

              EnCase Evidence File Format Version 2

              This document outlines the technical details of the updated EnCase® evidence file format version 2 (Ex01) so that developers can customize their applications to integrate with the new format. It describes the details, data structures, and algorithms behind Ex01.

              http://www.guidancesoftware.com/DocumentRegistration.aspx?did=1000018246&instant=1

              I cannot speak to the accuracy of these statements but only report them to you. I also have not registered to download and evaluate whether this documentation is truly a full disclosure or not. I hope someone else who is more qualified to make this call could comment on this subject. So I present this follow-up information back to the group for further comment and investigation.

              I can only say that if my first posting is correct, this would be very upsetting to the whole field and disruptive, too.

              Regards,
              Harvey Rothenberg
              Systems Integrator/Security Specialist

              --- On Wed, 4/18/12, Daniel Walton <d.walton@...> wrote:

              From: Daniel Walton <d.walton@...>
              Subject: RE: [linux_forensics] EWF and Ex01
              To: "linux_forensics@yahoogroups.com" <linux_forensics@yahoogroups.com>
              Date: Wednesday, April 18, 2012, 8:21 PM

              Doesn't look like it.
              The below is a quote from jbmetz the developer of the libewf toolkit.

              http://sourceforge.net/tracker/index.php?func=detail&aid=3509854&group_id=167783&atid=844315

              Date: 2012-03-21 13:16:11 PDT
              Sender: jbmetz <http://sourceforge.net/users/jbmetz/>

              Ex01/Lx01 is actually a completely different format, at the lower level.
              Guidance has released part of the format specification.

              For now I lack the time to do anything serious on Ex01.
              Will be hard to implement if Guidance has only released part of the format, this is not an encouraging sign. It may be a Microsoft/Apple like move to use proprietary formats to force others to license their new format as an additional revenue stream.

              It's probably a better idea to encourage Guidance to support the open AFFLIB evidence format. Access Data's Forensic Tool Kit and FTK imager already support it. It would be a lot nicer for us if the commercial forensic software companies supported open formats as well as opening their proprietary formats.

              From: linux_forensics@yahoogroups.com [mailto:linux_forensics@yahoogroups.com] On Behalf Of Ketil Froyn
              Sent: Wednesday, 18 April 2012 12:16 AM
              To: linux_forensics@yahoogroups.com
              Subject: [linux_forensics] EWF and Ex01

              Anyone know if there is work being done to implement support for
              EnCase v7's new Ex01 file format in libewf or other open source
              libraries? Otherwise I guess all the open source tools will be less
              useful as Ex01 file format adoption increases.

              Cheers, Ketil

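              The Ex01 material quoted above (Ken Basore's reply and the spec excerpt in Harvey's 30 April message) names four integrity properties: each stored block carries its own 32-bit CRC, the source data as a whole is hashed with MD5 and/or SHA-1, the data area can be encrypted while the file stays verifiable without decrypting, and same-pattern blocks such as 00-byte fills are stored compactly. The Python below is an added example written for this page; it is not Guidance's code and not the Ex01 on-disk layout. It builds a toy container with those four properties so the distinction between "verify the file without the key" (the per-block CRCs, computed over the bytes as stored) and "verify the evidence hashes" (which needs the plaintext) is concrete. BLOCK_SIZE, the field names, the SHA-256 counter keystream and the sample disk bytes are all constructed assumptions.

```python
"""Toy evidence container illustrating the integrity properties named in the
quoted Ex01 material: per-block CRC32 over the stored bytes, MD5/SHA-1 over the
source data, an encrypted data area that can still be CRC-verified without the
key, and compact storage of same-pattern blocks.

Constructed example only: NOT the Ex01 on-disk format. Field names, BLOCK_SIZE,
the toy cipher and the sample data are assumptions for illustration."""
import hashlib
import struct
import zlib
from typing import Dict, List, Optional

BLOCK_SIZE = 512  # assumed sector size for the toy container

# Constructed sample "disk": two structured blocks, two all-zero blocks, one text block.
SAMPLE_SOURCE = bytes(range(256)) * 4 + b"\x00" * 1024 + b"evidence" * 64


def _keystream(key: bytes, block_index: int, length: int) -> bytes:
    """Toy counter-mode keystream from SHA-256; illustrative, not a real cipher."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + struct.pack(">QQ", block_index, counter)).digest()
        counter += 1
    return out[:length]


def _xor(data: bytes, keystream: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, keystream))


def write_image(source: bytes, key: Optional[bytes] = None) -> Dict:
    """Split source into blocks; store each compressed (and encrypted if a key is
    given) with a CRC32 over the *stored* bytes, plus MD5/SHA-1 over the source."""
    blocks: List[Dict] = []
    for offset in range(0, len(source), BLOCK_SIZE):
        chunk = source[offset:offset + BLOCK_SIZE]
        if len(set(chunk)) == 1:
            # Same-pattern block: keep only the fill byte and length.
            blocks.append({"kind": "fill", "byte": chunk[0], "len": len(chunk)})
            continue
        stored = zlib.compress(chunk)
        if key is not None:
            stored = _xor(stored, _keystream(key, len(blocks), len(stored)))
        # CRC is taken after encryption, so a verifier without the key can still check it.
        blocks.append({"kind": "data", "crc": zlib.crc32(stored), "data": stored})
    return {
        "encrypted": key is not None,
        "blocks": blocks,
        "md5": hashlib.md5(source).hexdigest(),
        "sha1": hashlib.sha1(source).hexdigest(),
    }


def verify_blocks(image: Dict) -> List[int]:
    """Per-block CRC check needing no key; returns the indices of damaged blocks."""
    return [i for i, blk in enumerate(image["blocks"])
            if blk["kind"] == "data" and zlib.crc32(blk["data"]) != blk["crc"]]


def read_image(image: Dict, key: Optional[bytes] = None) -> bytes:
    """Reassemble the source bytes; the key is required if the data area is encrypted."""
    if image["encrypted"] and key is None:
        raise ValueError("data area is encrypted; a key is required to read it")
    out = bytearray()
    for index, blk in enumerate(image["blocks"]):
        if blk["kind"] == "fill":
            out += bytes([blk["byte"]]) * blk["len"]
            continue
        stored = blk["data"]
        if image["encrypted"]:
            stored = _xor(stored, _keystream(key, index, len(stored)))
        out += zlib.decompress(stored)
    return bytes(out)


def verify_hashes(image: Dict, key: Optional[bytes] = None) -> bool:
    """Whole-image MD5 and SHA-1 check; unlike the CRCs, this needs the plaintext."""
    data = read_image(image, key)
    return (hashlib.md5(data).hexdigest() == image["md5"]
            and hashlib.sha1(data).hexdigest() == image["sha1"])


if __name__ == "__main__":
    img = write_image(SAMPLE_SOURCE, key=b"toy-key")
    print("block kinds:", [b["kind"] for b in img["blocks"]])
    print("damaged blocks (no key needed):", verify_blocks(img))
    print("hashes match after decryption:", verify_hashes(img, b"toy-key"))
```

              The point to notice is where the CRC is computed: over the stored bytes, after compression and encryption, so a block-level integrity pass can run on an encrypted image held by someone without the key, while the MD5/SHA-1 comparison against the acquisition hashes still requires decrypting and reassembling the source data.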
            • Simson Garfinkel
              Message 6 of 13, May 1, 2012
                It certainly sounds to me like Guidance has made Ex01 an open format. If it is more efficient than AFF4 and if there is an open source implementation, we should use it. I only wish that Guidance was maintaining the open source implementation, or that they would open source theirs.

                Simson

                On May 1, 2012, at 7:14 PM, Daniel Walton wrote:

                > I agree.
                > We need open formats, so that access to evidence isn't limited by proprietary forensic tools.
                >
                > If only Guidance and X-Ways added support for AFFLIB to their tools.
                >
                > We are lucky that tools like libewf have been created so that there is open access to .E01 files which makes this format more open.
                > Before that I had to export raw DD images from .E01's so that I could use other tools on the evidence (e.g. photorec, sleuthkit, etc.) or access the evidence under Linux.
                >
                > ### This is a Linux forensics forum so the openness of evidence formats is vital. ###
                >
                > Word for example is quite bad for its support of the .doc format. Word files have quite mixed results when opening with different versions of word.
                >
                >
                >
                > From: linux_forensics@yahoogroups.com [mailto:linux_forensics@yahoogroups.com] On Behalf Of Harvey Rothenberg
                > Sent: Wednesday, 2 May 2012 4:50 AM
                > To: Len Drinkard
                > Cc: linux_forensics@yahoogroups.com
                > Subject: [linux_forensics] RE: EWF and Ex01 Received Reply from Guidance ....
                >
                >
                >
                > Len :
                >
                > No, but it depends upon how you look at this. At the same time, I am trying to inform persons whom I know, and whom I feel are important to this issue, about what seems to be a very important issue.
                >
                > My interest, I believe, would be the same as yours, and that is for the historical work already done in EnCase to be accessible to the next generation or version(s) of this tool and any other tools, for the main reason of being able to present the evidence at trial. I also see the need for existing tools by other publishers to still be able to exchange information and work.
                >
                > The primary interest is being able to get the work done and to be able to employ whatever tools would be needed to support this effort. This is where the most important aspect would be: being able to exchange these files between tools. In other words, standards for consistently exchanging work between the tools that are used by the community.
                >
                > In two hundred words or less, this is my interest. I hope others in the community feel the same way. Do you?
                >
                > Regards,
                > Harvey Rothenberg
                >
                > --- On Tue, 5/1/12, Len Drinkard <ldrinkard@...> wrote:
                >
                > From: Len Drinkard <ldrinkard@...>
                > Subject: RE: [linux_forensics] EWF and Ex01 Received Reply from Guidance ....
                > To: "'Harvey Rothenberg'" <forensic28sa@...>
                > Date: Tuesday, May 1, 2012, 10:34 AM
                >
                > Hey Harvey, Are you stirring up the soup again? :) Len
                >
                > From: Harvey Rothenberg [mailto:forensic28sa@...]
                > Sent: Monday, April 30, 2012 4:54 PM
                > To: linux_forensics@yahoogroups.com; d.walton@...; eric.zimmerman@...
                > Cc: echo6_uk@...; ketil@...; Cindy Murphy; carrier@...; simsong@...
                > Subject: BTY: [linux_forensics] EWF and Ex01 Received Reply from Guidance ....
                >
                > Back To You - All :
                >
                > A Mr. Ken Basore from Guidance replied to my posting in another discussion group; here is what he said (I have added some bolding and other reading enhancements to help the information's readability):
                >
                > For clarification, the Ex01 format that Guidance Software introduced in Version 7 is an open format, and can be implemented without a license or fee. Guidance has published the specification for the format, and we have worked with 2 other developers who are currently finishing their own implementation of it. In working with these developers, we have discovered that there is additional information that may be of help, so we are currently revising the spec to include this information and will publish an update shortly. In the meantime, if anyone has a question about the spec, we will be happy to answer questions and provide assistance in understanding the changes.
                >
                > Guidance Software introduced the changes in our evidence file format to account for additional functionality that we want to provide our users. This includes the ability to encrypt the data area of the file while maintaining the ability to verify the file without decrypting, the ability to support future HASH algorithms and the ability to support future compression algorithms. The E01 format was created over 10 years ago, and the updated format also has improvements in creation and access speed, provides flexibility in the order that data is written into the file, as well as a better ability to deal with lost or damaged segments.
                >
                > If anyone has questions about the new format, please contact us. As I indicated above, the specification is openly available and we will work with any developer that might need additional information in order to implement it.
                >
                > =-=-=-=-=-=
                >
                > Like Mr. Rosen said, "Thank you for the clarification. Can you please point me to the published specification?"
                >
                > I, too, thank you, especially for the quick response to these previous postings. I was only just able to receive and review your reply today.
                >
                > Mr. Basore then had another posting with the added information of an overview and stated, "EnCase will continue to support the legacy E01 format, as we know many of our users rely on it. We also understand that users will need time to test the new format for themselves. There is no plan to drop support for E01, but we wanted to provide expanded functionality for our users that just is not possible in the legacy format."
                >
                > I understand that there might be concerns about the structure of the new file format, so I have provided below the first few sections of the published Specification that will clarify some of the concerns that there may be. As I have indicated before, if anyone has any questions about the new format, please feel free to contact us.
                >
                > ----Excerpt from "EnCase Evidence File Format Version 2 - Technical Specification" ----
                >
                > Overview
                >
                > The existing EnCase evidence file has performed well for over a decade. It is court-validated, well-known, and adopted in the industry. Despite its effectiveness, some limitations remain that can only be overcome with an updated evidence file format.
                >
                > This document outlines the technical details of the updated EnCase evidence file format version 2 (Ex01) so that developers can customize their applications to integrate with the new format. It describes the details, data structures, and algorithms behind Ex01.
                >
                > The intended audience of this document is a technical reader with a forensic background and familiarity with C-style binary structure layout and algorithms.
                >
                > Comparison of E01 and Ex01 Formats
                >
                > Many of the central design principles of the E01 format have been retained; implementers familiar with the E01 structure will find the Ex01 format similar. The Ex01 format still stores data in blocks that are verified with an individual 32-bit CRC, and all of the source data stored in the file is hashed with the MD5 and/or SHA-1 algorithms if requested by the user. The Ex01 enhancements do not affect features of the file such as these that many courts have relied on to rule that the file is an accepted container of original evidence; the additions merely facilitate the ability to track and handle new characteristics of the stored data.
                >
                > Ex01 Capabilities
                >
                > The new Ex01 format introduces the following capabilities:
                > - Support for encryption of the data.
                > - Ability to use different compression algorithms.
                > - Improved support for multi-threaded acquisitions, where sectors can be out of order.
                > - Efficient storage and handling of sector blocks that are filled with the same pattern (such as 00-byte fills).
                > - Alignment considerations to improve efficiency and performance.
                > - Improved support for resuming acquisitions.
                > - Internal improvements of the data structures.
                >
                > While some of this new functionality is not yet fully leveraged in the current version, all necessary data is stored, the data structures support expansions, and subsequent versions will use this new format to its fullest.
                > ----End excerpt
                >
                > Ken Basore | Sr. Vice President, R&D | Guidance Software, Inc.
                > 215 N. Marengo Ave., 2nd Floor | Pasadena, CA 91101
                > Phone: 626-229-9191 | Fax: 626-229-9199
                > Ken.Basore@... | www.GuidanceSoftware.com
                >
                > I have joined SourceForge and I will present this information to "jbmetz" as soon as my login is enabled. So, Mr. Walton will not have to forward this information, unless he wishes to. I will post it as a comment to this specific request for his library.
                >
                > I am happy to have helped all in this specific concern for the digital forensic community.
                >
                > Regards,
                >
                > Harvey Rothenberg
                > Systems Integrator/Security Specialist
                >
                > --- On Fri, 4/27/12, Echo6 <echo6_uk@...> wrote:
                > From: Echo6 <echo6_uk@...>
                > Subject: Re: [linux_forensics] EWF and Ex01
                > To: "linux_forensics@yahoogroups.com" <linux_forensics@yahoogroups.com>, "forensic28sa@..." <forensic28sa@...>
                > Date: Friday, April 27, 2012, 5:51 AM
                >
                > They (GSI) have made a white paper available on the new format for download from their web site and support portal
                >
                > http://www.guidancesoftware.com/DocumentRegistration.aspx?did=1000018246
                >
                > EnCase® Evidence File Format Version 2 - Technical Specification
                >
                > Jon.
                >
                > ________________________________
                > From: Daniel Walton <d.walton@...>
                > To: "forensic28sa@..." <forensic28sa@...>
                > Cc: "linux_forensics@yahoogroups.com" <linux_forensics@yahoogroups.com>
                > Sent: Thursday, April 26, 2012 11:34 PM
                > Subject: Re: [linux_forensics] EWF and Ex01
                >
                >
                > Great news. Look forward to seeing it implemented.
                >
                > Sent from Samsung Mobile
                >
                > -------- Original message --------
                > Subject: BTY: [linux_forensics] EWF and Ex01
                > From: Harvey Rothenberg <forensic28sa@...>
                > To: Daniel Walton <d.walton@...>
                > CC: "linux_forensics@yahoogroups.com" <linux_forensics@yahoogroups.com>
                >
                > Back to You:
                > Daniel,
                >
                > --- On Wed, 4/25/12, Daniel Walton <d.walton@...> wrote:
                >
                > From: Daniel Walton <d.walton@...>
                > Subject: RE: [linux_forensics] EWF and Ex01
                > To: "Harvey Rothenberg" <forensic28sa@...>
                > Date: Wednesday, April 25, 2012, 8:06 PM
                >
                > Hi Harvey
                >
                > Can your friend provide sources for his claim that the Ex01 format is open sourced?
                >
                > My friend replied with, " I have been told repeatedly by Guidance Software employees that the new standard is being released openly so anyone can implement it. "
                >
                > If that’s the case then we the community can collaborate on the future growth of this format, although I would be surprised; I haven’t found anything saying anything like that.
                >
                > Sadly the link you gave me is the same link that JBMetz comments on in the sourceforge forum post I forwarded.
                >
                > If you click on the link below and go have a look you will see it’s the same link which JBMetz is asked about.
                >
                > I downloaded it and had a look; it’s only 11 pages long and seems a little sparse considering its purpose. It would be a positive sign for Guidance if they have released the full specification allowing others to re-implement the format in their software.
                >
                > My friend is also a programmer and he feels, " It appears to be all the details needed, it’s just not very clearly written. But a strong C++ programmer could likely make sense of it. Unless there is more documentation coming. "
                >
                > I would inject that maybe the author of this document assumed a certain level of capability and wrote for that audience. Usually, if you want a community to support an effort, you write for more of a beginner's audience so that your work is sure to be understood.
                >
                > Regards,
                >
                > Harvey Rothenberg
                >
                > http://sourceforge.net/tracker/index.php?func=detail&aid=3509854&group_id=167783&atid=844315
                > <quote>
                > Date: 2012-03-21 13:16:11 PDT
                > Sender: jbmetz (http://sourceforge.net/users/jbmetz/)
                >
                > Ex01/Lx01 is actually a completely different format, at the lower level.
                > Guidance has released part of the format specification.
                >
                > For now I lack the time to do anything serious on Ex01.
                > Will be hard to implement if Guidance has only released part of the format, this is not an encouraging sign. It may be a Microsoft/Apple like move to use proprietary formats to force others to license their new format as an additional revenue stream.
                >
                > </quote>
                >
                > From: Harvey Rothenberg [mailto:forensic28sa@...]
                > Sent: Thursday, 26 April 2012 5:09 AM
                > To: linux_forensics@yahoogroups.com
                > Cc: Daniel Walton; simsong@...; carrier@...; cmurphy@...
                > Subject: BTY: [linux_forensics] EWF and Ex01
                >
                > Back To You:
                >
                > Mr. Daniel Walton,
                >
                > I agree with your last statement wholeheartedly, but Guidance is very much into the software business, now. ( ... better idea to encourage Guidance to support the open AFFLIB evidence format. Access Data ... already support it. )
                >
                > In an effort to keep the members of the group fully informed and reporting as the information is learned, I present the following :
                >
                > The developer of libewf - "jbmetz" stated below, that "... Guidance has only released part of the format ...". I would like to bring to the attention of jbmetz and yourself that a friend investigator has brought to my attention that this seems to be not quite correct. He believes that this documentation is FULLY available AND open sourced. I present to this Group and the public the following link to the download :
                >
                > EnCase Evidence File Format Version 2
                >
                > This document outlines the technical details of the updated EnCase® evidence file format version 2 (Ex01) so that developers can customize their applications to integrate with the new format. It describes the details, data structures, and algorithms behind Ex01.
                >
                > http://www.guidancesoftware.com/DocumentRegistration.aspx?did=1000018246&instant=1
                >
                > I can not speak to the accuracy of these statements but to report them to you. I also have not registered to download and evaluate if this documentation is truly a full disclosure or not. I hope someone else could make comment on this subject that would be more qualified to make this call. So I present this follow-up information back to the group for further comment and investigation.
                >
                > I can only say that if my first posting is correct, this would be very upsetting to the whole field and disruptive, too.
                >
                > Regards,
                > Harvey Rothenberg
                > Systems Integrator/Security Specialist
                >
                > --- On Wed, 4/18/12, Daniel Walton <d.walton@...> wrote:
                >
                > From: Daniel Walton <d.walton@...>
                > Subject: RE: [linux_forensics] EWF and Ex01
                > To: "linux_forensics@yahoogroups.com" <linux_forensics@yahoogroups.com>
                > Date: Wednesday, April 18, 2012, 8:21 PM
                >
                > Doesn't look like it.
                > The below is a quote from jbmetz the developer of the libewf toolkit.
                >
                > http://sourceforge.net/tracker/index.php?func=detail&aid=3509854&group_id=167783&atid=844315
                >
                > Date: 2012-03-21 13:16:11 PDT
                > Sender: jbmetz (http://sourceforge.net/users/jbmetz/)
                >
                > Ex01/Lx01 is actually a completely different format, at the lower level.
                > Guidance has released part of the format specification.
                >
                > For now I lack the time to do anything serious on Ex01.
                > Will be hard to implement if Guidance has only released part of the format, this is not an encouraging sign. It may be a Microsoft/Apple like move to use proprietary formats to force others to license their new format as an additional revenue stream.
                >
                > It's probably a better idea to encourage Guidance to support the open AFFLIB evidence format. Access Data's Forensic Tool Kit and FTK imager already support it. It would be a lot nicer for us if the commercial forensic software companies supported open formats as well as opening their proprietary formats.
                >
                > From: linux_forensics@yahoogroups.com [mailto:linux_forensics@yahoogroups.com] On Behalf Of Ketil Froyn
                > Sent: Wednesday, 18 April 2012 12:16 AM
                > To: linux_forensics@yahoogroups.com
                > Subject: [linux_forensics] EWF and Ex01
                >
                > Anyone know if there is work being done to implement support for
                > EnCase v7's new Ex01 file format in libewf or other open source
                > libraries? Otherwise I guess all the open source tools will be less
                > useful as Ex01 file format adoption increases.
                >
                > Cheers, Ketil
                >
              • David Kovar
                Message 7 of 13 , May 1, 2012
                  Greetings,

                  Access to the evidence isn't limited by proprietary forensic tools. The people collecting evidence can either use another tool to do the collection, use Guidance's tool to collect into a different format, or recollect the existing image into one other people can use without a current EnCase license.

                  What benefit is there to Guidance to support AFFLIB? What benefit is there to Guidance's stockholders to support it? If you can make a sound financial case for that support, then you might get somewhere.

                  -David

                  On May 1, 2012, at 7:14 PM, Daniel Walton wrote:

                  > I agree.
                  > We need open formats, so that access to evidence isn’t limited by proprietary forensic tools.
                  >
                  > If only Guidance and X-Ways added support for AFFLIB to their tools.
                  >
                  > We are lucky that tools like libewf have been created so that there is open access to .E01 files, which makes this format more open.
                  > Before that I had to export raw DD images from .E01’s so that I could use other tools on the evidence (e.g. photorec, sleuthkit, etc.) or access the evidence under Linux.
                  >
                  > ### This is a Linux forensics forum so the openness of evidence formats is vital. ###
                  >
                  > Word for example is quite bad for its support of the .doc format. Word files have quite mixed results when opening with different versions of word.
                  >
                  >
                  >
                  > From: linux_forensics@yahoogroups.com [mailto:linux_forensics@yahoogroups.com] On Behalf Of Harvey Rothenberg
                  > Sent: Wednesday, 2 May 2012 4:50 AM
                  > To: Len Drinkard
                  > Cc: linux_forensics@yahoogroups.com
                  > Subject: [linux_forensics] RE: EWF and Ex01 Received Reply from Guidance ....
                  >
                  >
                  >
                  > Len :
                  >
                  > No, but it depends upon how you look at this. At this same time, I am trying to inform persons that I know and I feel are important to this issue to be informed on what seems to be a very important issue.
                  >
                  > My interest, I believe, would be the same as yours: for the historical work already done in EnCase to be accessible to the next generation or version(s) of this tool and to any other tools, for the main reason of being able to present the evidence at trial. I also see the need for existing tools by other publishers to still be able to exchange information and work.
                  >
                  > The primary interest is being able to get the work done and to be able to employ whatever tools that would be needed to support this effort. This is where the most important aspect would be being able to exchange these files between tools. In other words - Standards for consistent exchanging of work between the tools that are used by the community.
                  >
                  > In two hundred words or less, this is my interest. I hope others in the community feel the same way. Do you ?
                  >
                  > Regards,
                  > Harvey Rothenberg
                  >
                  > --- On Tue, 5/1/12, Len Drinkard <ldrinkard@...> wrote:
                  >
                  > From: Len Drinkard <ldrinkard@...>
                  > Subject: RE: [linux_forensics] EWF and Ex01 Received Reply from Guidance ....
                  > To: "'Harvey Rothenberg'" <forensic28sa@...>
                  > Date: Tuesday, May 1, 2012, 10:34 AM
                  >
                  > Hey Harvey, Are you stirring up the soup again :) Len
                  >
                  > From: Harvey Rothenberg [mailto:forensic28sa@...]
                  > Sent: Monday, April 30, 2012 4:54 PM
                  > To: linux_forensics@yahoogroups.com; d.walton@...; eric.zimmerman@...
                  > Cc: echo6_uk@...; ketil@...; Cindy Murphy; carrier@...; simsong@...
                  > Subject: BTY: [linux_forensics] EWF and Ex01 Received Reply from Guidance ....
                  >
                  > Back To You - All :
                  >
                  > A Mr. Ken Basore from Guidance replied to my posting in another discussion group, here is what he said ( I have added some bolding and other reading enhancements to help in the information's readability ) :
                  >
                  > For clarification, the Ex01 format that Guidance Software introduced in Version 7 is an open format, and can be implemented without a license or fee. Guidance has published the specification for the format, and we have worked with 2 other developers who are currently finishing their own implementation of it. In working with these developers, we have discovered that there is additional information that may be of help, so we are currently revising the spec to include this information and will publish an update shortly. In the meantime, if anyone has a question about the spec, we will be happy to answer questions and provide assistance in understanding the changes.
                  >
                  > Guidance Software introduced the changes in our evidence file format to account for additional functionality that we want to provide our users. This includes the ability to encrypt the data area of the file while maintaining the ability to verify the file without decrypting, the ability to support future HASH algorithms and the ability to support future compression algorithms. The E01 format was created over 10 years ago, and the updated format also has improvements in creation and access speed, provides flexibility in the order that data is written into the file, as well as a better ability to deal with lost or damaged segments.
                  >
                  > If anyone has questions about the new format, please contact us. As I indicated above, the specification is openly available and we will work with any developer that might need additional information in order to implement it.
                  >
                  > =-=-=-=-=-=
                  >
                  > Like Mr. Rosen said, " Thank you for the clarification. Can you please point me to the published specification? ".
                  >
                  > I too thank you, especially for the quick response to these previous postings. I was only just able to receive and review your reply today.
                  >
                  > Mr. Basore, then had another posting with the added information of an overview and stated, " EnCase will continue to support the legacy E01 format, as we know many of our users rely on it. We also understand that users will need time to test the new format for themselves. There is no plan to drop support for E01, but we wanted to provide expanded functionality for our users that just is not possible in the legacy format. "
                  >
                  > I understand that there might be concerns about the structure of the new file format, so I have provided below the first few sections of the published Specification that will clarify some of the concerns that there may be. As I have indicated before, if anyone has any questions about the new format, please feel free to contact us.
                  >
                  > ----Excerpt from "EnCase Evidence File Format Version 2 - Technical Specification" ----
                  >
                  > Overview
                  >
                  > The existing EnCase evidence file has performed well for over a decade. It is court-validated, well-known, and adopted in the industry. Despite its effectiveness, some limitations remain that can only be overcome with an updated evidence file format.
                  >
                  > This document outlines the technical details of the updated EnCase evidence file format version 2 (Ex01) so that developers can customize their applications to integrate with the new format. It describes the details, data structures, and algorithms behind Ex01.
                  >
                  > The intended audience of this document is a technical reader with a forensic background and familiarity with C-style binary structure layout and algorithms.
                  >
                  > Comparison of E01 and Ex01 Formats
                  >
                  > Many of the central design principles of the E01 format have been retained; implementers familiar with the E01 structure will find the Ex01 format similar. The Ex01 format still stores data in blocks that are verified with an individual 32-bit CRC, and all of the source data stored in the file is hashed with the MD5 and/or SHA-1 algorithms if requested by the user. The Ex01 enhancements do not affect features of the file such as these that many courts have relied on to rule that the file is an accepted container of original evidence; the additions merely facilitate the ability to track and handle new characteristics of the stored data.
                  >
                  > Ex01 Capabilities
                  >
                  > The new Ex01 format introduces the following capabilities:
                  > - Support for encryption of the data.
                  > - Ability to use different compression algorithms.
                  > - Improved support for multi-threaded acquisitions, where sectors can be out of order.
                  > - Efficient storage and handling of sector blocks that are filled with the same pattern (such as 00-byte fills).
                  > - Alignment considerations to improve efficiency and performance.
                  > - Improved support for resuming acquisitions.
                  > - Internal improvements of the data structures.
                  > While some of this new functionality is not yet fully leveraged in the current version, all necessary data is stored, the data structures support expansions, and subsequent versions will use this new format to its fullest.
                  > ----End excerpt
                  >
                  > Ken Basore | Sr. Vice President, R&D | Guidance Software, Inc.
                  > 215 N. Marengo Ave., 2nd Floor | Pasadena, CA 91101
                  > Phone: 626-229-9191 | Fax: 626-229-9199
                  > Ken.Basore@... | www.GuidanceSoftware.com
                  >
                  > I have joined SourceForge and I will present this information to "jbmetz" as soon as my login is enabled. So, Mr. Walton will not have to forward this information, unless he wishes to. I will post it as a comment to this specific request for his library.
                  >
                  > I am happy to have helped all in this specific concern for the digital forensic community.
                  >
                  > Regards,
                  >
                  > Harvey Rothenberg
                  > Systems Integrator/Security Specialist
                  >
                  > --- On Fri, 4/27/12, Echo6 <echo6_uk@...> wrote:
                  > From: Echo6 <echo6_uk@...>
                  > Subject: Re: [linux_forensics] EWF and Ex01
                  > To: "linux_forensics@yahoogroups.com" <linux_forensics@yahoogroups.com>, "forensic28sa@..." <forensic28sa@...>
                  > Date: Friday, April 27, 2012, 5:51 AM
                  >
                  > They (GSI) have made a white paper available on the new format for download from their web site and support portal
                  >
                  > http://www.guidancesoftware.com/DocumentRegistration.aspx?did=1000018246
                  >
                  > EnCase® Evidence File Format Version 2 - Technical Specification
                  >
                  > Jon.
                  >
                  > ________________________________
                  > From: Daniel Walton <d.walton@...>
                  > To: "forensic28sa@..." <forensic28sa@...>
                  > Cc: "linux_forensics@yahoogroups.com" <linux_forensics@yahoogroups.com>
                  > Sent: Thursday, April 26, 2012 11:34 PM
                  > Subject: Re: [linux_forensics] EWF and Ex01
                  >
                  >
                  > Great news. Look forward to seeing it implemented.
                  >
                  > Sent from Samsung Mobile
                  >
                  > -------- Original message --------
                  > Subject: BTY: [linux_forensics] EWF and Ex01
                  > From: Harvey Rothenberg <forensic28sa@...>
                  > To: Daniel Walton <d.walton@...>
                  > CC: "linux_forensics@yahoogroups.com" <linux_forensics@yahoogroups.com>
                  >
                  > Back to You:
                  > Daniel,
                  >
                  > --- On Wed, 4/25/12, Daniel Walton <d.walton@...> wrote:
                  >
                  > From: Daniel Walton <d.walton@...>
                  > Subject: RE: [linux_forensics] EWF and Ex01
                  > To: "Harvey Rothenberg" <forensic28sa@...>
                  > Date: Wednesday, April 25, 2012, 8:06 PM
                  >
                  > Hi Harvey
                  >
                  > Can your friend provide sources for his claim that the Ex01 format is open sourced?
                  >
                  > My friend replied with, " I have been told repeatedly by Guidance Software employees that the new standard is being released openly so anyone can implement it. "
                  >
                  > If that’s the case then we the community can collaborate on the future growth of this format, although I would be surprised; I haven’t found anything saying anything like that.
                  >
                  > Sadly the link you gave me is the same link that JBMetz comments on in the sourceforge forum post I forwarded.
                  >
                  > If you click on the link below and go have a look you will see it’s the same link which JBMetz is asked about.
                  >
                  > I downloaded it and had a look; it’s only 11 pages long and seems a little sparse considering its purpose. It would be a positive sign for Guidance if they have released the full specification allowing others to re-implement the format in their software.
                  >
                  > My friend is also a programmer and he feels, " It appears to be all the details needed, it’s just not very clearly written. But a strong C++ programmer could likely make sense of it. Unless there is more documentation coming. "
                  >
                  > I would inject that maybe the author of this document assumed a certain level of capability and wrote for that audience. Usually, if you want a community to support an effort, you write for more of a beginner's audience so that your work is sure to be understood.
                  >
                  > Regards,
                  >
                  > Harvey Rothenberg
                  >
                  > http://sourceforge.net/tracker/index.php?func=detail&aid=3509854&group_id=167783&atid=844315
                  > <quote>
                  > Date: 2012-03-21 13:16:11 PDT
                  > Sender: jbmetz (http://sourceforge.net/users/jbmetz/)
                  >
                  > Ex01/Lx01 is actually a completely different format, at the lower level.
                  > Guidance has released part of the format specification.
                  >
                  > For now I lack the time to do anything serious on Ex01.
                  > Will be hard to implement if Guidance has only released part of the format, this is not an encouraging sign. It may be a Microsoft/Apple like move to use proprietary formats to force others to license their new format as an additional revenue stream.
                  >
                  > </quote>
                  >
                  > From: Harvey Rothenberg [mailto:forensic28sa@...]
                  > Sent: Thursday, 26 April 2012 5:09 AM
                  > To: linux_forensics@yahoogroups.com
                  > Cc: Daniel Walton; simsong@...; carrier@...; cmurphy@...
                  > Subject: BTY: [linux_forensics] EWF and Ex01
                  >
                  > Back To You:
                  >
                  > Mr. Daniel Walton,
                  >
                  > I agree with your last statement wholeheartedly, but Guidance is very much into the software business, now. ( ... better idea to encourage Guidance to support the open AFFLIB evidence format. Access Data ... already support it. )
                  >
                  > In an effort to keep the members of the group fully informed and reporting as the information is learned, I present the following :
                  >
                  > The developer of libewf - "jbmetz" stated below, that "... Guidance has only released part of the format ...". I would like to bring to the attention of jbmetz and yourself that a friend investigator has brought to my attention that this seems to be not quite correct. He believes that this documentation is FULLY available AND open sourced. I present to this Group and the public the following link to the download :
                  >
                  > EnCase Evidence File Format Version 2
                  >
                  > This document outlines the technical details of the updated EnCase® evidence file format version 2 (Ex01) so that developers can customize their applications to integrate with the new format. It describes the details, data structures, and algorithms behind Ex01.
                  >
                  > http://www.guidancesoftware.com/DocumentRegistration.aspx?did=1000018246&instant=1
                  >
                  > I can not speak to the accuracy of these statements but to report them to you. I also have not registered to download and evaluate if this documentation is truly a full disclosure or not. I hope someone else could make comment on this subject that would be more qualified to make this call. So I present this follow-up information back to the group for further comment and investigation.
                  >
                  > I can only say that if my first posting is correct, this would be very upsetting to the whole field and disruptive, too.
                  >
                  > Regards,
                  > Harvey Rothenberg
                  > Systems Integrator/Security Specialist
                  >
                  > --- On Wed, 4/18/12, Daniel Walton <d.walton@...> wrote:
                  >
                  > From: Daniel Walton <d.walton@...>
                  > Subject: RE: [linux_forensics] EWF and Ex01
                  > To: "linux_forensics@yahoogroups.com" <linux_forensics@yahoogroups.com>
                  > Date: Wednesday, April 18, 2012, 8:21 PM
                  >
                  > Doesn't look like it.
                  > The below is a quote from jbmetz the developer of the libewf toolkit.
                  >
                  > http://sourceforge.net/tracker/index.php?func=detail&aid=3509854&group_id=167783&atid=844315
                  >
                  > Date: 2012-03-21 13:16:11 PDT
                  > Sender: jbmetz (http://sourceforge.net/users/jbmetz/)
                  >
                  > Ex01/Lx01 is actually a completely different format, at the lower level.
                  > Guidance has released part of the format specification.
                  >
                  > For now I lack the time to do anything serious on Ex01.
                  > Will be hard to implement if Guidance has only released part of the format, this is not an encouraging sign. It may be a Microsoft/Apple like move to use proprietary formats to force others to license their new format as an additional revenue stream.
                  >
                  > It's probably a better idea to encourage Guidance to support the open AFFLIB evidence format. Access Data's Forensic Tool Kit and FTK imager already support it. It would be a lot nicer for us if the commercial forensic software companies supported open formats as well as opening their proprietary formats.
                  >
                  > From: linux_forensics@yahoogroups.com [mailto:linux_forensics@yahoogroups.com] On Behalf Of Ketil Froyn
                  > Sent: Wednesday, 18 April 2012 12:16 AM
                  > To: linux_forensics@yahoogroups.com
                  > Subject: [linux_forensics] EWF and Ex01
                  >
                  > Anyone know if there is work being done to implement support for
                  > EnCase v7's new Ex01 file format in libewf or other open source
                  > libraries? Otherwise I guess all the open source tools will be less
                  > useful as Ex01 file format adoption increases.
                  >
                  > Cheers, Ketil
                  >
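The spec excerpt quoted in the thread describes two integrity layers: a 32-bit CRC on each stored block, and MD5/SHA-1 over the source data, arranged so the file can be verified without decrypting it and so same-pattern sectors are stored compactly. The following added example (not code from the thread, from Guidance or from libewf) models that design; the block layout, the toy cipher, the key and the sample data are all constructed for the illustration and are not the Ex01 on-disk format.

```python
"""Two-layer integrity model: a CRC-32 per stored block (checkable without
the key) plus MD5/SHA-1 over the source data.  Block layout, toy cipher and
sample data are constructed for this example; none of it is the Ex01 format."""
import hashlib
import zlib
from dataclasses import dataclass

BLOCK_SIZE = 512  # constructed: one 512-byte sector per block


@dataclass
class StoredBlock:
    kind: str       # "data" (encrypted bytes) or "pattern" (single fill byte)
    payload: bytes  # the bytes actually written to the container
    length: int     # number of source bytes this block represents
    crc32: int      # CRC-32 of payload; verifiable without decrypting


def _keystream(key: bytes, block_index: int, length: int) -> bytes:
    """Toy SHA-256 counter-mode keystream so the example runs offline.
    Stand-in only; a real container would use a vetted cipher."""
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + block_index.to_bytes(8, "little")
                              + counter.to_bytes(8, "little")).digest()
        counter += 1
    return out[:length]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def acquire(source: bytes, key: bytes):
    """Hash the source, collapse same-byte sectors to one fill byte, encrypt
    the rest, and record a CRC-32 over each block exactly as stored."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    blocks = []
    for index, offset in enumerate(range(0, len(source), BLOCK_SIZE)):
        chunk = source[offset:offset + BLOCK_SIZE]
        md5.update(chunk)           # hashes cover the original data ...
        sha1.update(chunk)
        if len(set(chunk)) == 1:    # e.g. a 00-byte filled sector
            kind, payload = "pattern", chunk[:1]
        else:
            kind, payload = "data", _xor(chunk, _keystream(key, index, len(chunk)))
        # ... while the CRC covers the stored bytes (ciphertext or fill byte)
        blocks.append(StoredBlock(kind, payload, len(chunk), zlib.crc32(payload)))
    return blocks, {"md5": md5.hexdigest(), "sha1": sha1.hexdigest()}


def damaged_blocks(blocks) -> list:
    """Check every block CRC with no key: the 'verify without decrypting'
    property.  Returns the indices of blocks whose CRC no longer matches."""
    return [i for i, b in enumerate(blocks) if zlib.crc32(b.payload) != b.crc32]


def restore(blocks, key: bytes) -> bytes:
    """Rebuild the source: expand fill blocks, decrypt data blocks."""
    out = bytearray()
    for index, b in enumerate(blocks):
        if b.kind == "pattern":
            out += b.payload * b.length
        else:
            out += _xor(b.payload, _keystream(key, index, b.length))
    return bytes(out)


def hashes_match(data: bytes, hashes: dict) -> bool:
    """Second layer: restored content must reproduce the acquisition hashes."""
    return (hashlib.md5(data).hexdigest() == hashes["md5"]
            and hashlib.sha1(data).hexdigest() == hashes["sha1"])


# Constructed sample: a varied sector, a 00-filled sector and a short tail block.
SAMPLE_SOURCE = bytes(range(256)) * 2 + b"\x00" * BLOCK_SIZE + b"evidence" * 10
SAMPLE_KEY = b"constructed-example-key"


def demo() -> dict:
    """Acquire, verify the intact container, then flip one stored bit."""
    blocks, hashes = acquire(SAMPLE_SOURCE, SAMPLE_KEY)
    restored = restore(blocks, SAMPLE_KEY)
    intact = (damaged_blocks(blocks) == [] and restored == SAMPLE_SOURCE
              and hashes_match(restored, hashes))
    stored_bytes = sum(len(b.payload) for b in blocks)
    # Flip one bit in the first stored block: the CRC flags it without the key,
    # and the decrypted content no longer reproduces the acquisition hashes.
    first = blocks[0].payload
    blocks[0].payload = bytes([first[0] ^ 0x01]) + first[1:]
    return {
        "intact": intact,
        "block_count": len(blocks),
        "stored_bytes": stored_bytes,
        "pattern_blocks": [i for i, b in enumerate(blocks) if b.kind == "pattern"],
        "damaged_after_flip": damaged_blocks(blocks),
        "hashes_match_after_flip": hashes_match(restore(blocks, SAMPLE_KEY), hashes),
    }


if __name__ == "__main__":
    print(demo())
```

The point for a reviewer of any such container is that the CRC layer only proves the stored bytes are what the writer wrote, while the source hashes are what tie the decrypted content back to the acquisition.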