libyal / libewf

Libewf is a library to access the Expert Witness Compression Format (EWF)
GNU Lesser General Public License v3.0

Customizable in EWF format #142

Closed korkic123 closed 4 years ago

korkic123 commented 4 years ago

Hello, I am asking you a question because I am not good at English and I cannot read your EWF specification properly. It was discovered that differences exist in the EWF format (.E01) between forensic imaging tools (EnCase, FTK, TX1...).

I want to know if it is customizable or what part is customizable. Thanks.

joachimmetz commented 4 years ago

I would recommend getting help from someone that can make the translation for you. There are several parts that can be "customized". There are several parts that are handled differently by implementations. This is a very broad question, do you have a specific context in mind?

korkic123 commented 4 years ago

Thank you for your response. That's very kind of you :)

Whether it is possible to put custom data in a header or footer except in the data area. Custom data means "ID Number+Character+Value". This is not part of the EWF document you wrote.

When I put this custom data into an EWF image file (.E01), is it automatically recognized by existing digital forensics tools, or is it only possible when there is an update to my format in digital forensics tools?

Even if I don't recognize my custom data, is there any problem loading the EWF image file (.E01) from the digital forensics tool?

joachimmetz commented 4 years ago

> Whether it is possible to put custom data in a header or footer except in the data area.

Yes, this is possible; an example of this is the xheader section.

> When I put this custom data into an EWF image file (.E01), is it automatically recognized by existing digital forensics tools

No, this is not compatible with other implementations. Other implementations do not understand your additions to the format.

> Even if I don't recognize my custom data, is there any problem loading the EWF image file (.E01) from the digital forensics tool?

Depends on how you do it, but e.g. adding an xheader and/or xhash section creates compatible E01 files with additional information. However, this additional information is not understood by these.

korkic123 commented 4 years ago

Thank you very much. I'll refer to that part. I don't know what time it is there, but have a good day!
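
An added example, not part of the thread and not libewf code: a walk of the EWF-E01 section chain, showing how a reader that does not recognise a section type can still step over it using the next-section offset in the section descriptor. The 76-byte descriptor layout follows the EWF specification; the sample image, its payloads and the reader's `KNOWN` set are constructed for illustration.

```python
import struct
import zlib

SIGNATURE = b"EVF\x09\x0d\x0a\xff\x00"    # EWF-E01 segment file signature
DESC = struct.Struct("<16sQQ40sI")         # type, next offset, size, padding, Adler-32
# Assumption: the types this hypothetical reader understands ("xheader" left out on purpose).
KNOWN = {"header", "header2", "volume", "disk", "sectors", "table", "table2",
         "data", "hash", "digest", "error2", "session", "next", "done"}

def section(kind, offset, payload, last=False):
    """Build one section (descriptor + payload) located at `offset`."""
    size = DESC.size + len(payload)
    nxt = offset if last else offset + size    # the final section points at itself
    head = struct.pack("<16sQQ40s", kind.encode(), nxt, size, b"")
    return head + struct.pack("<I", zlib.adler32(head)) + payload

def walk(image, known=KNOWN):
    """Follow the section chain; return (type, offset, size, recognised) tuples."""
    if image[:8] != SIGNATURE:
        raise ValueError("not an EWF-E01 segment file")
    out, offset = [], 13                       # sections start after the 13-byte file header
    while True:
        if offset + DESC.size > len(image):
            raise ValueError(f"descriptor at {offset} runs past end of file")
        kind, nxt, size, _pad, checksum = DESC.unpack_from(image, offset)
        if zlib.adler32(image[offset:offset + 72]) != checksum:
            raise ValueError(f"bad descriptor checksum at {offset}")
        name = kind.rstrip(b"\x00").decode("ascii", "replace")
        out.append((name, offset, size, name in known))
        if name in ("done", "next") or nxt == offset:
            return out
        if nxt <= offset:                      # refuse loops and backward jumps
            raise ValueError(f"section chain goes backwards at {offset}")
        offset = nxt

def sample_image():
    """Constructed sample: file header plus three sections, not a complete E01."""
    image = SIGNATURE + struct.pack("<BHH", 1, 1, 0)   # fields start, segment 1, fields end
    # The "xheader" payload is a placeholder, not real xheader content.
    for kind, payload, last in (("header", b"\x00" * 20, False),
                                ("xheader", b"1:custom:value", False),
                                ("done", b"", True)):
        image += section(kind, len(image), payload, last)
    return image

if __name__ == "__main__":
    for name, offset, size, recognised in walk(sample_image()):
        print(f"{offset:5d} {size:4d} {name:8s} {'parsed' if recognised else 'skipped'}")
```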