Computer forensics software made in Germany

Evidence File Containers


Evidence file containers are logical images that contain only selected files and preserve these files with practically all their external metadata. They are used either for acquisition, as a substitute for a conventional forensically sound image (in cases where only some files are needed and a full sector-wise image would be overkill), or to share selected files with other examiners, investigators, lawyers, prosecutors, the opposing party etc. Evidence file containers can be created by X-Ways Forensics and X-Ways Investigator. See also the comparison with skeleton images and cleansed images.

Containers are initially raw images with a special file system (XWFS2). They can be converted to .e01 evidence file format. (However, that conversion does not change any file system data stored in the sectors or make the file system in the image somehow "more compatible", as some users seem to expect.) They are designed to preserve as much metadata as possible, see below. Evidence file containers can even transport only the metadata of files without the file contents, if that is desired, and still show the original file size (a concept not known from ordinary file systems, which some users apparently find disturbing).

The information on this page is about the new container format used by v16.3 and later. It is as universal as it gets and can be understood by third-party forensic tools with in-depth file system support out of the box or with little additional effort.

Basic Metadata


  • filename
  • path
  • logical file size
  • valid data length
  • ordinary Windows world attributes
  • existing or deleted
  • creation date
  • modification date
  • last access date
  • last record update date
  • hard link count
  • examiner classifications (report table associations)
  • examiner comments

Basic metadata and file contents in evidence file containers are understood by:

  • EnCase 5 (!) and later
  • MountImage Pro 4 and later (first add image, then mount file system)
  • Belkasoft Evidence Center 6.3 and later
  • WinHex 12.5 and later, with a specialist license or higher
  • WinHex 18.5 and later with any kind of license or without (containers with no more than 1000 objects), and in WinHex 18.6 such containers can also be mounted as a drive letter (install Dokan first)
  • X-Ways Forensics 12.5 and later
  • X-Ways Investigator all versions

Advanced Metadata


  • detailed deletion status (existing, previously existing, moved/renamed, partially overwritten, original contents assured despite deletion)
  • original file system file ID
  • original file system data structure offset
  • deletion date, internal creation date
  • UNIX/Linux permissions/file modes
  • compression/encryption status
  • classification as NTFS alternate data stream
  • classification as HFS[+] resource fork
  • classification as reparse point
  • classification as found in volume shadow copy
  • classification as file slack
  • classification as file excerpt
  • classification as video still
  • classification as manually attached
  • classification as virtual object
  • classification as e-mail message
  • classification as e-mail attachment
  • classification as misc. Outlook data
  • advanced attributes such as "has attachment", "unread e-mail", "has object ID"
  • sender and recipients for extracted or processed e-mail
  • skin color percentage and number of pixels (for pictures)
  • true file type
  • file name/file type mismatch status
  • owner ID
  • hash value
  • hash category
  • PhotoDNA category
  • case ID
  • evidence object ID
  • volume snapshot ID

Advanced metadata are generally understood by:

  • WinHex 16.3 and later, with a specialist license or higher
  • X-Ways Forensics 16.3 and later
  • X-Ways Investigator 16.3 and later
  • X-Ways Investigator CTR 16.3 and later

(The complete set of advanced metadata is understood only by the latest version.)