Bestellung, Preise:
  per Kreditkarte
 
  bei Vorkasse/ auf Rechnung
 
Produkte
 
X-Ways Forensics X-Ways Forensics
Integrierte Forensik-Software
 
X-Ways Investigator X-Ways Investigator
Ermittler-Version v. X-Ways Forensics
 
Näheres zu WinHex WinHex
Hex-, Disk- und RAM-Editor
 
Näheres zu X-Ways Imager X-Ways Imager
Disk-Imaging
 
Näheres zu X-Ways Capture X-Ways Capture
EDV-Beweissicherung
 
Näheres zu X-Ways Trace X-Ways Trace
Benutzer-Aktivität
 
Näheres zu Davory Davory
Datenrettung
 
Näheres zu X-Ways Security X-Ways Security
Datenlöschung
 
Dienstleistungen
 
Schulungsangebot
 

 
Kontakt zu X-Ways Kontakt
Support-Forum
 
Die X-Ways AG Die X-Ways AG
X-Ways in Facebook X-Ways in Facebook
  X-Ways Software Technology AG
Deutsch
 
 

Datei-Container

Überblick

Datei-Container sind logische Images, die nur ausgewählte Dateien enthalten. They are used either for acquisition as a substitute for a conventional forensically sound image (in cases where only some files are needed and a full sector-wise image would be overkill) or to share selected files with other examiners, investigators, lawyers, prosecutors, the opposing party etc. etc. Evidence file containers can be created by X-Ways Forensics and X-Ways Investigator. They are designed to preserve as much metadata as possible, see below.

Containers are initially raw images with a special file system (XWFS2), and they can be converted to .e01 evidence file format. The information on this page is about the new container format used by v16.3 and later. It is as universal as it gets and can be understood by 3rd party forensic tools with in depth file system support out of the box or with little additional effort.

Basis-Metadaten

 Liste:
  • filename
  • path
  • logical file size
  • valid data length
  • ordinary Windows world attributes
  • existing or deleted
  • creation date
  • modification date
  • last access date
  • last record update date
  • hard link count
  • examiner classifications (report table associations)
  • examiner comments

Basis-Metadaten und Datei-Inhalte in Datei-Containern werden verstanden von:

  • EnCase 5
  • EnCase 6
  • EnCase 7
  • MountImage Pro 4 (Image erst hinzufügen, dann Dateisystem mounten)
  • WinHex 12.5 und neuer, mit Specialist-Lizenz oder höher
  • X-Ways Forensics 12.5 und neuer
  • X-Ways Investigator, alle Versionen

Erweiterte Metadaten

 Liste:
  • advanced deletion status (existing, previously existing, moved/renamed, partially overwritten)
  • original file system file ID
  • original file system data structure offset
  • deletion date, internal creation date
  • UNIX/Linux permissions/file modes
  • compression/encryption status
  • classification as NTFS alternate data stream
  • classification as HFS[+] resource fork
  • classification as reparse point
  • classification as found in volume shadow copy
  • classification as file slack
  • classification as file excerpt
  • classification as video still
  • classification as manually attached
  • classification as virtual object
  • classification as e-mail message
  • classification as e-mail attachment
  • classification as misc. Outlook data
  • advanced attributes such as "has attachment", "unread e-mail", "has object ID“
  • sender and recipient for extracted or processed e-mail
  • skin color percentage and number of pixels (for pictures)
  • true file type
  • file name/file type mismatch status
  • owner ID
  • hash
  • case ID
  • evidence object ID
  • volume snapshot ID
Erweiterte Metadaten werden verstanden von
  • WinHex 16.3 und neuer, mit Specialist-Lizenz oder höher
  • X-Ways Forensics 16.3 und neuer
  • X-Ways Investigator 16.3 und neuer
  • X-Ways Investigator CTR 16.3 und neuer