E01 (Was: Raspberry Pi floppy interface.

[Fred Cisin]

On Mon, 4 Feb 2019, Chuck Guzis via cctalk wrote:
> Based on my conversations with clients, the problem is not the
> equipment, but rather the lack of an open, vetted and documented file
> format.
>
> As an example, customers of mine insist on a "forensic" image file of
> type E01 (Encase format), which has been endorsed by the Library of
> Congress and several law enforcement agencies as a valid "forensic" format.
>
> As insane as it sounds, I've had to provide floppy images as E01 files.
> The insanity stems from the loss of information that would enable one to
> recreate the original (e.g. sector headers, modulation, data rate, track
> spacing, etc.).
>
> But one does what one does to keep customers happy.

Well, conversion between E01 and IMD or teledisk formats looks 
straightforward.

http://www.forensicsware.com/blog/e01-file-format.html
Is there a better description handy?

eg: What is the structure of the "Header Case Information" block?

The E01 would be adequate (barely), if accompanied by an additional 
"metadata" file that describes the physical format.  (In much more detail 
than just "IBM PC 360K", etc.)  For MOST situations, OS, encoding, bytes 
per sector, sectors per track, interleave, side pattern, size of 
index and inter-sector gaps, etc. might do.  That would still be 
far from PERFECT, because it would fail to catch several obvious ways to 
hide additional data on a disk;  eg. different physical interleaves 
that would still read the same on "normal" reading, or RSA encrypted data 
with the key stored in intersector gaps. Or, a small amount of data 
stored as locations of deliberate disk errors.  Think about ProLock.

And, of course, a lossy compression, such as MP4 leaves room for an 
enormous amount of steganographic data, with documants and data hidden in 
porn.  (MANY different MP4 files will still play the same movie)

--
Grumpy Ol' Fred     		cisin at xenosoft.com