Evidence File Containers

Overview

Evidence file containers are logical images that contain only selected files. They are used either for acquisition as a substitute for a conventional forensically sound image (in cases where only some files are needed and a full sector-wise image would be overkill) or to share selected files with other examiners, investigators, lawyers, prosecutors, the opposing party, etc. Evidence file containers can be created by X-Ways Forensics and X-Ways Investigator. They are designed to preserve as much metadata as possible (see below). See also the comparison with skeleton images and cleansed images.

Containers are initially raw images with a special file system (XWFS2), and they can be converted to the .e01 evidence file format. The information on this page describes the new container format used by v16.3 and later. It is as universal as it gets and can be understood by third-party forensic tools with in-depth file system support, either out of the box or with little additional effort.

Basic Metadata

List:

  • filename
  • path
  • logical file size
  • valid data length
  • ordinary Windows world attributes
  • existing or deleted
  • creation date
  • modification date
  • last access date
  • last record update date
  • hard link count
  • examiner classifications (report table associations)
  • examiner comments

Basic metadata and file contents in evidence file containers are understood by:

  • EnCase 5
  • EnCase 6
  • EnCase 7
  • MountImage Pro 4 (first add image, then mount file system)
  • WinHex 12.5 and later, with a specialist license or higher
  • X-Ways Forensics 12.5 and later
  • X-Ways Investigator all versions

Advanced Metadata

List:

  • detailed deletion status (existing, previously existing, moved/renamed, partially overwritten, original contents assured despite deletion)
  • original file system file ID
  • original file system data structure offset
  • deletion date, internal creation date
  • UNIX/Linux permissions/file modes
  • compression/encryption status
  • classification as NTFS alternate data stream
  • classification as HFS[+] resource fork
  • classification as reparse point
  • classification as found in volume shadow copy
  • classification as file slack
  • classification as file excerpt
  • classification as video still
  • classification as manually attached
  • classification as virtual object
  • classification as e-mail message
  • classification as e-mail attachment
  • classification as misc. Outlook data
  • advanced attributes such as "has attachment", "unread e-mail", "has object ID"
  • sender and recipients for extracted or processed e-mail
  • skin color percentage and number of pixels (for pictures)
  • true file type
  • file name/file type mismatch status
  • owner ID
  • hash value
  • hash category
  • case ID
  • evidence object ID
  • volume snapshot ID

Advanced metadata are understood by:

  • WinHex 16.3 and later, with a specialist license or higher
  • X-Ways Forensics 16.3 and later
  • X-Ways Investigator 16.3 and later
  • X-Ways Investigator CTR 16.3 and later