Forensic Image Formats - BenWare-FED/Notes-for-df-analysis GitHub Wiki
Most common
- Raw images (dd)
- EnCase EWF (E01)
- FTK SMART
- The Advanced Forensic Format (AFF)
Raw Images
A bit-for-bit copy of the evidence source. The image file is the same size as the source it was taken from. No additional metadata about the image is contained within the file.
Downsides
- No cryptographic hashing
- Almost no error handling
- No logging
- No performance enhancements (compression)
- No verification checking
- No progress monitoring
EnCase EWF (Expert Witness Format)
- Supports features such as metadata, compression, encryption, hashing and split files.
- Forensic file formats like this are sometimes called evidence containers.
- A hash of the dd file will not match a hash of the E01 file.
- Two E01 images of the same source will never have matching file hashes, because the container includes metadata such as acquisition timestamps.
How to verify if they are the same
- Check the acquisition log (.txt) file: the computed hashes recorded there will be the same, because they cover only the evidence data, not the container that wraps it.
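The point above (container file hashes differ, evidence hashes inside match) is easy to misread, so here is an added example that is not part of the wiki. It builds a hypothetical toy container (its "TOYC" layout is invented for illustration and is not the real EWF/E01 structure) around a constructed sample of evidence bytes, then shows that the container file hash changes with the acquisition timestamp while the hash of the evidence data it carries stays equal to the raw (dd) hash. The verification step mirrors what a forensic tool records in its log: decompress the payload, rehash it, compare with the stored hash.

```python
import hashlib
import json
import struct
import zlib

# Constructed sample "evidence": a small byte string standing in for a
# bit-for-bit disk image. A real dd image would be the device's full size.
SAMPLE_EVIDENCE = b"\x00" * 512 + b"NTFS    " + b"\x00" * 504 + b"user data" * 40


def hash_raw(data: bytes) -> str:
    """Hash of a raw (dd) image: the hash covers exactly the evidence bytes."""
    return hashlib.sha256(data).hexdigest()


def build_toy_container(data: bytes, acquired_at: str) -> bytes:
    """Hypothetical toy evidence container (NOT the EWF/E01 layout).

    Layout: 4-byte magic, 4-byte big-endian header length, JSON header,
    zlib-compressed payload. The header carries the metadata a raw image
    lacks: an acquisition timestamp, the original size, and the hash of
    the evidence bytes computed at acquisition time.
    """
    header = json.dumps({
        "acquired_at": acquired_at,
        "evidence_sha256": hash_raw(data),
        "original_size": len(data),
    }).encode()
    payload = zlib.compress(data)
    return b"TOYC" + struct.pack(">I", len(header)) + header + payload


def parse_toy_container(container: bytes):
    """Split a toy container back into its header dict and evidence bytes."""
    if container[:4] != b"TOYC":
        raise ValueError("not a toy container")
    (hlen,) = struct.unpack(">I", container[4:8])
    header = json.loads(container[8:8 + hlen])
    data = zlib.decompress(container[8 + hlen:])
    return header, data


def verify_container(container: bytes) -> dict:
    """Verify the way a forensic tool does: recompute the hash over the
    decompressed evidence bytes and compare it with the stored hash."""
    header, data = parse_toy_container(container)
    computed = hash_raw(data)
    return {
        "stored": header["evidence_sha256"],
        "computed": computed,
        "verified": (computed == header["evidence_sha256"]
                     and len(data) == header["original_size"]),
        # Hash of the whole container file, metadata included
        "container_file_sha256": hashlib.sha256(container).hexdigest(),
    }


if __name__ == "__main__":
    raw_hash = hash_raw(SAMPLE_EVIDENCE)
    # Same evidence acquired twice, one day apart (constructed timestamps)
    c1 = build_toy_container(SAMPLE_EVIDENCE, "2024-01-01T10:00:00Z")
    c2 = build_toy_container(SAMPLE_EVIDENCE, "2024-01-02T10:00:00Z")
    r1, r2 = verify_container(c1), verify_container(c2)
    print("raw (dd) hash         :", raw_hash)
    print("container 1 file hash :", r1["container_file_sha256"])
    print("container 2 file hash :", r2["container_file_sha256"])
    print("evidence hash inside  :", r1["computed"], "verified =", r1["verified"])
```

Running the script shows two different container file hashes but an identical evidence hash that equals the raw hash; that evidence hash is the value to compare with the acquisition log, not the hash of the E01 file itself.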
FTK SMART
Proprietary format from AccessData
Closer to E01 than to dd.
AFF
Includes all expected features, with additional encryption.
Open source.
Extra notes
Partition table: tracks the start and end of each partition on a disk. Basically a quick reference.
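To make the "quick reference" concrete, here is an added example that is not part of the wiki: a small MBR partition table parser run over a constructed 512-byte boot sector. It reads the four 16-byte entries at offset 446, reports each partition's start and end sector (plus its byte offset in a raw image), and lists the sector ranges no partition covers, which is where an examiner looks for unallocated or hidden data. The two partition entries and the disk size are constructed values; the partition-type names are a small subset for illustration.

```python
import struct

# Small subset of MBR partition type IDs, for display only
PARTITION_TYPES = {0x05: "Extended", 0x07: "NTFS/exFAT", 0x0B: "FAT32", 0x83: "Linux"}

ENTRY_FORMAT = "<B3xB3xII"   # boot flag, (CHS start), type, (CHS end), LBA start, sector count


def build_sample_mbr() -> bytes:
    """Constructed 512-byte MBR with two entries and the 0x55AA signature."""
    mbr = bytearray(512)
    entries = [
        # boot, type, start LBA, size in sectors
        (0x80, 0x07, 2048, 204800),     # bootable NTFS partition
        (0x00, 0x83, 206848, 409600),   # Linux partition right after it
    ]
    for i, (boot, ptype, start, size) in enumerate(entries):
        # CHS fields stay zero; modern tools rely on the LBA fields
        struct.pack_into(ENTRY_FORMAT, mbr, 446 + i * 16, boot, ptype, start, size)
    mbr[510:512] = b"\x55\xAA"
    return bytes(mbr)


def parse_mbr(sector: bytes, sector_size: int = 512) -> list:
    """Return the non-empty partition entries of an MBR as dicts."""
    if len(sector) < 512 or sector[510:512] != b"\x55\xAA":
        raise ValueError("missing 0x55AA boot signature: not an MBR")
    parts = []
    for i in range(4):
        boot, ptype, start, size = struct.unpack_from(ENTRY_FORMAT, sector, 446 + i * 16)
        if ptype == 0x00 or size == 0:
            continue  # empty slot
        parts.append({
            "index": i,
            "bootable": boot == 0x80,
            "type": PARTITION_TYPES.get(ptype, f"0x{ptype:02X}"),
            "start_lba": start,
            "end_lba": start + size - 1,
            "sectors": size,
            "byte_offset": start * sector_size,   # where it begins in a raw image
        })
    return parts


def unallocated_gaps(parts: list, total_sectors: int) -> list:
    """Sector ranges (inclusive) not covered by any partition."""
    gaps = []
    cursor = 1  # sector 0 holds the MBR itself
    for p in sorted(parts, key=lambda p: p["start_lba"]):
        if p["start_lba"] > cursor:
            gaps.append((cursor, p["start_lba"] - 1))
        cursor = max(cursor, p["end_lba"] + 1)
    if cursor < total_sectors:
        gaps.append((cursor, total_sectors - 1))
    return gaps


if __name__ == "__main__":
    mbr = build_sample_mbr()
    parts = parse_mbr(mbr)
    for p in parts:
        print(f"#{p['index']} {p['type']:<10} LBA {p['start_lba']}-{p['end_lba']} "
              f"({p['sectors']} sectors, byte offset {p['byte_offset']})"
              + (" [boot]" if p["bootable"] else ""))
    # Constructed disk size of 1,000,000 sectors
    print("unallocated:", unallocated_gaps(parts, 1_000_000))
```

The byte offset is what you hand to a tool when mounting or carving one partition out of a raw image; the gap list (here the sectors before the first partition and the slack after the last one) is the part of the disk the partition table does not account for.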