  • [EnCase v7 Series] Clearing Up Questions About EnCase v7 Evidence File Compression

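    As mentioned in an earlier article, EnCase v7 adopts a brand-new evidence file format, *.ex01, which supports a new compression method. Guidance recently published an official KB article on the efficiency of this compression method: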


    An Overview of Compression Levels in EnCase Version 7

    Affected Products:

    EnCase Version 7

    Summary:

    This document explains compression concepts and compression results using EnCase Version 7.

    Explanation/Resolution:

    Compression levels vary depending on the contents of the acquired device. If the device contains a substantial amount of compressed data (.zip, .rar, .mp3, etc.), then compression levels will be minimal. Easily compressed data, such as sparse files, .txt documents, etc. will result in greater compression levels.

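    The degree of compression varies with the contents of the acquired device. If the device contains a large number of compressed files (such as zip, rar, mp3, etc.), the degree of compression will be small; files that compress easily, such as sparse files and txt text documents, will achieve a relatively high compression ratio.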

    For example, a 16Gb flash drive 98% filled with zip files, install files, and other compressed data was acquired using EnCase V7. With compression enabled, EnCase V7 created a 14Gb .EX01 file. A V6 .E01 file was the same size. Without compression, the evidence was 14.4Gb. Typical compression levels will tend to be greater than this sample, as not all devices will contain such a high ratio of compressed data. On the other extreme, the same 16Gb drive compresses down to only 7Mb when wiped.

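    For example, take a 16Gb USB flash drive on which 98% of the content is zip archives, install files, and other compressed data, acquired with EnCase v7. With compression enabled, EnCase creates a 14Gb ex01 evidence image; performing the same acquisition with EnCase v6 produces an e01 file of about the same size. Without compression, the resulting evidence image is 14.4Gb. … In the extreme case, a wiped 16Gb drive can be compressed down to as little as 7Mb.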

    Actual compression levels will vary widely depending on the contents of the device. If you are experiencing low compression levels, evaluate the contents of the device for compressed content, as it may not be possible for EnCase to achieve greater compression.
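
One way to carry out the evaluation suggested above, as an added example that is not part of the KB article or of EnCase: sample evenly spaced blocks of a raw image and compress them to estimate how far the image can shrink. zlib stands in for whatever compressor the acquisition tool uses, and the block size, sample count, thresholds and in-memory test images are assumptions constructed for the example.

```python
import io
import os
import zlib

BLOCK = 64 * 1024  # sample block size (assumption, not an EnCase setting)

def estimate_ratio(stream, size, samples=64, level=6):
    """Estimate compressed/original size from evenly spaced sample blocks."""
    if size == 0:
        return 1.0
    n_blocks = (size + BLOCK - 1) // BLOCK
    step = max(1, n_blocks // samples)
    raw = packed = 0
    for idx in range(0, n_blocks, step):
        stream.seek(idx * BLOCK)
        chunk = stream.read(BLOCK)
        if not chunk:
            break
        raw += len(chunk)
        # Deflate makes incompressible blocks slightly larger; count those
        # at their raw size, as if they were stored uncompressed.
        packed += min(len(chunk), len(zlib.compress(chunk, level)))
    return packed / raw if raw else 1.0

def classify(ratio):
    """Map a ratio to a rough expectation (thresholds are assumptions)."""
    if ratio > 0.95:
        return "mostly compressed or encrypted data: minimal savings"
    if ratio < 0.05:
        return "mostly wiped or sparse: very large savings"
    return "mixed content: moderate savings"

def demo():
    """Run the estimate over three constructed 4 MiB in-memory 'images'."""
    half = 2 * 1024 * 1024
    images = {
        "wiped": bytes(2 * half),               # all zeros
        "compressed": os.urandom(2 * half),     # stand-in for zip/mp3 content
        "mixed": bytes(half) + os.urandom(half),
    }
    return {name: estimate_ratio(io.BytesIO(data), len(data))
            for name, data in images.items()}

if __name__ == "__main__":
    for name, ratio in demo().items():
        print(f"{name:11s} ratio={ratio:.4f}  {classify(ratio)}")
```

For a real raw image, pass a file opened in binary mode and its size from `os.path.getsize`; only the sampled blocks are read.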

    Additional Information:


    See the EnCase Forensic Version 7 User's Guide for additional information on the acquisition process.

    Resources/Related Articles:


    See the EnCase Forensic Version 7 User's Guide for additional information on the acquisition process.


  • Original article: https://www.cnblogs.com/ysun/p/2137301.html