X-Ways
·.·. Computer forensics software made in Germany .·.·
   
 

Evidence File Containers

Overview

Evidence file containers are logical images that contain only selected files and preserve these files with practically all their external metadata. They are used either for acquisition as a substitute for a conventional forensically sound image (in cases where only some files are needed and a full sector-wise image would be overkill) or to share selected files with other examiners, investigators, lawyers, prosecutors, the opposing party etc. etc. Evidence file containers can be created by X-Ways Forensics and X-Ways Investigator. Comparison with skeleton images and cleansed images.

Containers are initially raw images with a special file system (XWFS2). They can be converted to .e01 evidence file format. However, that does not change any file system data structures stored in the sectors and make the file system in the image somehow "more compatible", as some users seem to expect. Please understand that the format of the outer image is separate from the format of the data in the inner sectors.

The information on this page is about the new container format used by v16.3 and later. It is as universal as it gets and can be understood by 3rd party forensic tools with in-depth file system support out of the box or with little additional effort.

Note

Containers are designed to preserve as much metadata of the included files as possible, see below. Evidence file containers can even transport only the external metadata of files, without the file contents, if that is desired by the creator of the container, and then such files will be marked as "metadata only" and still show the original file size (which is also external metadata) while file contents are not available from the container. This concept is not known from ordinary file systems, and some recipients of containers apparently find it disturbing, reporting back to us that when they copy a file with a size of > 0 off the container they get a copy of the file with a size of 0 bytes = no data, as if that was an error.

Evidence file containers can even transported only a selected range of data within a file (from offset x to offset y), in which case the file in the container will be marked as an excerpt. And the creator can choose whether or not include the original path of a file in the container, completely or partially, and then the parent directories can either keep their own file system data or not (e.g. INDX buffers in NTFS) if desired (e.g. not desirable if the creator does not wish to reveal external metadata from other files that in the original evidence object reside in the same directory to the recipient of the container).

In short: As always, users of X-Ways Forensics have the maximum amount of control over what data they analyze and share, and the recipient of an evidence file container should absolutely realize that the whole point of such a container is to encapsulate a selected subset of the original data.

Basic Metadata

List:

  • filename
  • path
  • logical file size
  • valid data length
  • ordinary Windows world attributes
  • existing or deleted
  • creation date
  • modification date
  • last access date
  • last record update date
  • hard link count
  • examiner classifications (report table associations)
  • examiner comments

Basic metadata and file contents in evidence file containers are understood by:

  • EnCase 5 and later
  • MountImage Pro 4 and later (first add image, then mount file system)
  • Belkasoft Evidence Center 6.3 and later
  • WinHex 12.5 and later, with a specialist license or higher
  • WinHex 18.5 and later with any kind of license or without (containers with no more than 1000 objects), and in WinHex 18.6 such containers can also be mounted as a drive letter (install Dokan first)
  • X-Ways Forensics 12.5 and later
  • X-Ways Investigator all versions
  • ?

Advanced Metadata

List:

  • detailed deletion status (existing, previously existing, moved/renamed, partially overwritten, original contents assured despite deletion)
  • original file system file ID
  • original file system data structure offset
  • deletion date, internal creation date
  • UNIX/Linux permissions/file modes
  • compression/encryption status
  • classification as NTFS alternate data stream
  • classification as HFS[+] resource fork
  • classification as reparse point
  • classification as found in volume shadow copy
  • classification as file slack
  • classification as file excerpt
  • classification as video still
  • classification as manually attached
  • classification as virtual object
  • classification as e-mail message
  • classification as e-mail attachment
  • classification as misc. Outlook data
  • advanced attributes such as "has attachment", "unread e-mail", "has object ID“
  • sender and recipients for extracted or processed e-mail
  • skin color percentage and number of pixels (for pictures)
  • true file type
  • file name/file type mismatch status
  • owner ID
  • hash value
  • hash category
  • PhotoDNA category
  • case ID
  • evidence object ID
  • volume snapshot ID

Advanced metadata are generally understood by

  • WinHex 16.3 and later, with a specialist license or higher
  • X-Ways Forensics 16.3 and later
  • X-Ways Investigator 16.3 and later
  • X-Ways Investigator CTR 16.3 and later

(All advanced metadata only by the latest version.)