Expert Witness Compression Format (EWF).pdf

EWF specification

Expert Witness Compression Format specification

By Joachim Metz <jbmetz@users.sourceforge.net>

Summary

EWF is short for Expert Witness Compression Format, according to [ASR02]. It is a file type used

to store media images for forensic purposes. It is currently widely used in the field of computer

forensics in proprietary tooling like EnCase en FTK. The original specification of the format is

provided by ASRDATA, for the SMART application.

Document information

Author(s): Joachim Metz <jbmetz@users.sourceforge.net>

Abstract: This document contains the EWF file format specification.

Permission is granted to copy, distribute and/or modify this document under

the terms of the GNU Free Documentation License, Version 1.3 or any later

version published by the Free Software Foundation; with no Invariant Sections,

no Front-Cover Texts, and no Back-Cover Texts. A copy of the license is

included in the section entitled "GNU Free Documentation License".

Version

Version Author Date Comments

0.0.1 J.B. Metz March 7, 2006 Initial version

0.0.2 J.B. Metz March 12, 2006 Additional information.

0.0.3 J.B. Metz March 13, 2006 Additional information.

0.0.9 J.B. Metz March 20, 2006 Additional information, regarding chunk and compression,

offset array CRC and error2 section.

0.0.10 J.B. Metz March 22, 2006 Correction regarding EnCase 3 and compression MSB.

0.0.11 J.B. Metz March 25, 2006 Additions regarding EnCase 2.

0.0.12 J.B. Metz March 27, 2006 Small changes regarding unknown in volume and data.

Removed some spelling errors. Added the information

regarding when a chunk is compressed or not.

0.0.13 J.B. Metz April 1, 2006 Additions regarding EnCase 1.

0.0.14 J.B. Metz April 5, 2006 Additions regarding endian.

0.0.15 J.B. Metz April 10, 2006 Additions regarding disk section.

FTK Imager. Corrected error about gzip compression in header

section.

0.0.21 J.B. Metz August 18, 2006 Added information regarding SMART format generated by

FTK Imager.

0.0.22 J.B. Metz August 22, 2006 Added information about segment file extension naming.

0.0.23 J.B. Metz September 8, 2006 Added information about EWF-L01 (LVF) format.

0.0.24 J.B. Metz September 22, 2006 Added information from EWF-L01 analysis.

0.0.25 J.B. Metz September 25, 2006 Changes after comments by Guy Voncken.

0.0.26 J.B. Metz October 12, 2006 Corrected error regarding EnCase 1 and SMART header

specification.

the sectors section.

0.0.31 J.B. Metz November 29, 2006 Additional information about the EnCase linen 5 (EWF-E01)

format.

0.0.32 J.B. Metz December 6, 2006 Additional information about GUID.

0.0.33 J.B. Metz December 16, 2006 Corrected error regarding header sections in EnCase 1 format.

0.0.34 J.B. Metz December 23, 2006 Added new information regarding the table section after

encountering a bug in FTK for EWF files with more than 16 *

1024 offset table entries.

0.0.35 J.B. Metz December 25, 2006 Corrected misinterpretation of original specifications,

regarding additional table sections.

0.0.41 J.B. Metz August 28, 2007 Added information about EnCase 6.7 >2Gb segment file

support.

0.0.42 J.B. Metz August 29, 2007 Added information about EnCase 6.7 >2Gb segment file

support and CD/DVD image session sector.

0.0.43 J.B. Metz September 5, 2007 Added information about EnCase 6.7 >2Gb segment file

support.

0.0.44 J.B. Metz September 15, 2007 Added page numbers.

0.0.45 J.B. Metz November 23, 2007 Added information about session section.

0.0.46 J.B. Metz March 10, 2008 Added information about session section.

0.0.47 J.B. Metz March 18, 2008 Added information about EnCase 6 >2GiB segment file format.

support.

0.0.53 J.B. Metz November 22,2009 Small changes.

0.0.54 J.B. Metz December 24, 2009

Added information about ltree section.

0.0.55 J.B. Metz January 10, 2010 Update for linen 6.12 and later.

0.0.56 J.B. Metz May 2, 2010 Corrected amount of into number of.

Email change

0.0.59 J.B. Metz October 2010 Additional session section information with thanks to M. Nohr

Minor changes.

Updated some tables to the newer format.

0.0.61 J.B. Metz December 2010 License version update

Additional information about optical discs.

Additional information about AD encryption.

0.0.62 J.B. Metz January 2011 Minor changes

0.0.63 J.B. Metz February 2011 Additional audio tracks information with thanks to M. Nohr

0.0.64 J.B. Metz May 2011 Changes to FTK imager format

0.0.65 J.B. Metz June 2011 Updated Logical File Evidence (LVF) format flag information

with thanks to B. Baron.

0.0.66 J.B. Metz September 2011 Updated Logical File Evidence (LVF) format flag information