E01 (Was: Raspberry Pi floppy interface.
Fred Cisin
cisin at xenosoft.com
Mon Feb 4 16:49:47 CST 2019
On Mon, 4 Feb 2019, Chuck Guzis via cctalk wrote:
> Based on my conversations with clients, the problem is not the
> equipment, but rather the lack of an open, vetted and documented file
> format.
>
> As an example, customers of mine insist on a "forensic" image file of
> type E01 (Encase format), which has been endorsed by the Library of
> Congress and several law enforcement agencies as a valid "forensic" format.
>
> As insane as it sounds, I've had to provide floppy images as E01 files.
> The insanity stems from the loss of information that would enable one to
> recreate the original (e.g. sector headers, modulation, data rate, track
> spacing, etc.).
>
> But one does what one does to keep customers happy.
Well, conversion between E01 and IMD or teledisk formats looks
straightforward.
http://www.forensicsware.com/blog/e01-file-format.html
Is there a better description handy?
eg: What is the structure of the "Header Case Information" block?
The E01 would be adequate (barely), if accompanied by an additional
"metadata" file that describes the physical format. (In much more detail
than just "IBM PC 360K", etc.) For MOST situations, OS, encoding, bytes
per sector, sectors per track, interleave, side pattern, size of
index and inter-sector gaps, etc. might do. That would still be
far from PERFECT, because it would fail to catch several obvious ways to
hide additional data on a disk; eg. different physical interleaves
that would still read the same on "normal" reading, or RSA encrypted data
with the key stored in intersector gaps. Or, a small amount of data
stored as locations of deliberate disk errors. Think about ProLock.
And, of course, a lossy compression, such as MP4 leaves room for an
enormous amount of steganographic data, with documants and data hidden in
porn. (MANY different MP4 files will still play the same movie)
--
Grumpy Ol' Fred cisin at xenosoft.com
More information about the cctech
mailing list