  • [EnCase v7 Series] EX01 Evidence File Acquisition Settings Explained

    GSI recently explained the new EX01 evidence file structure in a KB article:


    What New Features are Offered by the EX01 Evidence File Format?

    Affected Products:

    EnCase Forensic 7.x

    Summary:

    EnCase V7 allows for the creation of EX01 files. This evidence file format retains many of the features of E01 files and adds several new features.

    Explanation/Resolution:

    When acquiring a device in EnCase V7, the user has the ability to acquire to an E01 file as well as to an enhanced version of this file – EX01. This new format has all of the advantages of a standard E01 file with several new features. Additionally, several acquisition options have been simplified. The major changes are detailed below.

     

    • Encryption – The new evidence file format allows for the encryption of acquired data. A user-supplied key is used to encrypt the contents of the evidence file using the AES-128 block cipher. Please be aware that there is no “backdoor” built into the encryption scheme. If the encryption key is lost, so too is the content of the evidence file.

        Encryption: The new evidence file format allows acquired data to be encrypted. Users can encrypt with their own password using AES-128; if the password is lost, the evidence file becomes unusable as well.

    • Compression – It is no longer necessary to specify the level of compression to be used. Compression is either enabled or disabled.

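        Compression: It is no longer necessary to specify a particular compression method; the compression option offers only “Enabled” and “Disabled”.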

    • Error Granularity – The error granularity setting has been simplified. Setting it to “Standard” will cause the granularity to be matched to the block size. If the block size is set to 64 sectors, then a read error in one sector will result in 64 sectors of data being zeroed out in the evidence file. If set to “Exhaustive,” a read error in one sector will result in only that sector being zeroed out.

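        Error granularity: The error granularity setting is simpler. Choosing “Standard” sets the granularity equal to the block size: if the block size is set to 64 sectors, then when one sector has a read error, 64 sectors of data in the evidence file are written as zeros. If the error granularity is set to “Exhaustive”, then when one sector has a read error, only that sector's data in the evidence file is written as zeros.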

     

    Resources/Related Articles:

    None


  • Original article: https://www.cnblogs.com/ysun/p/2137320.html