On Mon, 4 Feb 2019, Chuck Guzis via cctalk wrote:
Based on my conversations with clients, the problem is not the
equipment, but rather the lack of an open, vetted and documented file
format.
As an example, customers of mine insist on a "forensic" image file of
type E01 (Encase format), which has been endorsed by the Library of
Congress and several law enforcement agencies as a valid "forensic" format.
As insane as it sounds, I've had to provide floppy images as E01 files.
The insanity stems from the loss of information that would enable one to
recreate the original (e.g. sector headers, modulation, data rate, track
spacing, etc.).
But one does what one does to keep customers happy.
Well, conversion between E01 and IMD or teledisk formats looks
straightforward.
http://www.forensicsware.com/blog/e01-file-format.html
Is there a better description handy?
eg: What is the structure of the "Header Case Information" block?
The E01 would be adequate (barely), if accompanied by an additional
"metadata" file that describes the physical format. (In much more detail
than just "IBM PC 360K", etc.) For MOST situations, OS, encoding, bytes
per sector, sectors per track, interleave, side pattern, size of
index and inter-sector gaps, etc. might do. That would still be
far from PERFECT, because it would fail to catch several obvious ways to
hide additional data on a disk; eg. different physical interleaves
that would still read the same on "normal" reading, or RSA encrypted data
with the key stored in intersector gaps. Or, a small amount of data
stored as locations of deliberate disk errors. Think about ProLock.
And, of course, a lossy compression, such as MP4, leaves room for an
enormous amount of steganographic data, with documents and data hidden in
porn. (MANY different MP4 files will still play the same movie.)
--
Grumpy Ol' Fred cisin at xenosoft.com
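
The additional "metadata" file suggested in the message above, as an added example that is not part of the original post or of any E01 tool: a Python sketch that binds a physical-format description to a raw sector image by hash and rejects a description whose geometry does not account for the image size. The key names, the JSON layout and the sample values are assumptions made for illustration.

```python
import hashlib
import json

# Physical-format fields named in the message; the key names are assumptions.
REQUIRED = ("os", "encoding", "cylinders", "sides", "sectors_per_track",
            "bytes_per_sector", "interleave", "side_pattern",
            "index_gap_bytes", "inter_sector_gap_bytes")


def build_sidecar(image: bytes, fmt: dict) -> dict:
    """Return a sidecar record tying a physical-format description to an image."""
    missing = [k for k in REQUIRED if k not in fmt]
    if missing:
        raise ValueError(f"physical format incomplete, missing: {missing}")
    expected = (fmt["cylinders"] * fmt["sides"]
                * fmt["sectors_per_track"] * fmt["bytes_per_sector"])
    if expected != len(image):
        raise ValueError(f"geometry gives {expected} bytes, image has {len(image)}")
    return {
        "image_sha256": hashlib.sha256(image).hexdigest(),
        "image_bytes": len(image),
        "physical_format": {k: fmt[k] for k in REQUIRED},
        # What a sector-level image still cannot show, per the message above.
        "not_captured": ["per-track physical interleave differences",
                         "data stored in inter-sector gaps",
                         "deliberate disk errors"],
    }


def verify_sidecar(image: bytes, sidecar: dict) -> bool:
    """True only if the image is byte-for-byte the one the sidecar describes."""
    return (len(image) == sidecar["image_bytes"]
            and hashlib.sha256(image).hexdigest() == sidecar["image_sha256"])


# Constructed sample: a blank 360K image (40 cyl x 2 sides x 9 spt x 512 bytes)
# with constructed format values.
SAMPLE_IMAGE = bytes(40 * 2 * 9 * 512)
SAMPLE_FORMAT = {"os": "PC-DOS", "encoding": "MFM", "cylinders": 40, "sides": 2,
                 "sectors_per_track": 9, "bytes_per_sector": 512,
                 "interleave": "1:1", "side_pattern": "alternating per cylinder",
                 "index_gap_bytes": 80, "inter_sector_gap_bytes": 80}

if __name__ == "__main__":
    print(json.dumps(build_sidecar(SAMPLE_IMAGE, SAMPLE_FORMAT), indent=2))
```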