X-Ways
·.·. Computer forensics software made in Germany .·.·

Evidence File Containers, Physical Skeleton Images, Cleansed Images

Both evidence file containers and skeleton images are special kinds of images that contain only selected files and/or disk areas. They are used for acquisition as a substitute for a conventional, complete, forensically sound image in cases where only some files are needed and a full sector-wise image would be overkill.

Cleansed images work the other way around: they are complete forensic images except for files that were specifically excluded (hidden), whose clusters are zeroed out in the image or overwritten with a certain pattern. All other data is copied to the image normally. Because the excluded clusters are altered, the hash of a cleansed image necessarily differs from the hash of the original medium, even though all remaining data is unchanged. This is ideal in countries whose legislation specifically protects the most private personal data of individuals and certain data obtained from custodians of professional secrets (e.g. lawyers and physicians, whom their profession binds to secrecy/confidentiality).

Note that you can also retroactively cleanse (redact) already created conventional raw images in WinHex by securely wiping selected files via the directory browser context menu. This operation is not limited to whole clusters: it can, for example, also wipe files with so-called resident/inline storage in NTFS file systems (data held inside the MFT record itself), and it preserves file slack.
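To make the two complementary layouts concrete, here is an added example (not X-Ways or WinHex code) that builds, from one constructed 16-sector medium, a skeleton-style image (only the selected ranges are written; everything else is left as holes that read as zeros) and a cleansed-style image (everything is copied, the selected ranges are zeroed or overwritten with a pattern at byte granularity, as the resident-file case above requires), then diffs the cleansed image against the original to confirm that only the intended ranges changed and that the whole-image hash no longer matches. The 512-byte sector size, the sample data and all function names are assumptions of this example.

```python
"""Added example (not X-Ways or WinHex code): toy builders for a skeleton image
and a cleansed image from the same raw medium, plus a range diff against the
original. Names, the 512-byte sector size and the sample data are assumptions."""
import hashlib
import os
import tempfile

SECTOR = 512  # assumed sector size of the constructed medium


def build_sample_disk(n_sectors=16):
    """Constructed sample medium: sector i holds the byte value i+1 throughout,
    so no sector is all-zero and every change is visible in a diff."""
    return b"".join(bytes([i + 1]) * SECTOR for i in range(n_sectors))


def write_skeleton_image(disk, ranges, path=None):
    """Skeleton layout: a file of the original size in which only the selected
    (offset, length) ranges are written. Regions never written stay holes on
    file systems that support sparse files (ext4/XFS by default; NTFS only once
    the file is marked sparse) and read back as zeros either way."""
    if path is None:
        path = os.path.join(tempfile.mkdtemp(), "skeleton.raw")
    with open(path, "wb") as f:
        f.truncate(len(disk))
        for off, ln in sorted(ranges):
            f.seek(off)
            f.write(disk[off:off + ln])
    return path


def cleansed_image(disk, ranges, pattern=b"\x00"):
    """Cleansed layout: a complete copy in which the selected ranges are
    overwritten with zeros or a repeating pattern. Ranges are byte-granular,
    so a resident NTFS file can be redacted inside its MFT record without
    touching the rest of that record or any slack."""
    img = bytearray(disk)
    for off, ln in ranges:
        img[off:off + ln] = (pattern * (ln // len(pattern) + 1))[:ln]
    return bytes(img)


def diff_ranges(a, b):
    """Return the maximal (offset, length) ranges where a and b differ, for
    checking that only the intended regions of an image were changed."""
    if len(a) != len(b):
        raise ValueError("images differ in size")
    out, start = [], None
    for i, (x, y) in enumerate(zip(a, b)):
        if x != y and start is None:
            start = i
        elif x == y and start is not None:
            out.append((start, i - start))
            start = None
    if start is not None:
        out.append((start, len(a) - start))
    return out


def skeleton_matches(disk, ranges, path):
    """Read a skeleton image back and verify that the selected ranges equal the
    source and that everything else reads as zero."""
    with open(path, "rb") as f:
        got = f.read()
    expected = bytearray(len(disk))
    for off, ln in ranges:
        expected[off:off + ln] = disk[off:off + ln]
    return got == bytes(expected)


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


if __name__ == "__main__":
    disk = build_sample_disk()
    # Constructed selection: one whole sector (a file's cluster) and a 64-byte
    # run inside sector 5, standing in for a resident file's data in an MFT record.
    ranges = [(2 * SECTOR, SECTOR), (5 * SECTOR + 100, 64)]

    skel = write_skeleton_image(disk, ranges)
    print("skeleton ok:", skeleton_matches(disk, ranges, skel),
          "allocated blocks:", getattr(os.stat(skel), "st_blocks", "n/a"))

    cleansed = cleansed_image(disk, ranges, pattern=b"\xde\xad")
    print("original sha256:", sha256_hex(disk))
    print("cleansed sha256:", sha256_hex(cleansed))
    print("changed ranges :", diff_ranges(disk, cleansed))
```

The range diff is the cheap way to document a redaction: it should list exactly the ranges that were excluded and nothing else. On Linux the allocated-block count printed for the skeleton file shows the holes taking no space; on Windows, Python has no st_blocks, and the file would need the sparse attribute set (FSCTL_SET_SPARSE) before the holes stop being allocated, which is the NTFS sparse mechanism the comparison table refers to.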

Type of image                          | Evidence File Container               | Skeleton Image                         | Cleansed Image
Can be created with                    | X-Ways Investigator, X-Ways Forensics | X-Ways Forensics from v17.1            | X-Ways Forensics from v17.2
Space for excluded data allocated?     | no                                    | no                                     | yes
Excluded data referenced in the image? | no                                    | as NTFS sparse areas                   | zeroed out or filled with a pattern
Treatment of excluded allocated data when container/image is copied | n/a      | has to be copied, highly compressible  | has to be copied, highly compressible
Compatibility with other tools         | **                                    | *                                      |

Further criteria in the comparison:
Suitable for partial forensic acquisition
Suitable for exchange of selected files with other examiners after acquisition
Can contain data of selected files and directories and omit others
Can omit data of selected files and contain all others
Can transport files that are not stored at the file system level (e.g. extracted e-mail, e-mail attachments, video stills, pictures embedded in Excel spreadsheets, excerpts of files, files in zip archives, ...)
Ability to preserve all file system metadata about files
Can contain MBRs, partition tables, boot sectors, special file system areas
MBRs, partition tables, boot sectors, file system data structures remain parsable, locatable and functional, at least in forensic tools*
Preserves original offsets and original distances between various data and metadata
Non-proprietary format/layout
Easy to compare with the original disk
Accommodates data from different physical media in a single image
Supports Windows dynamic disks and Linux LVM2 as source disks
Hashes of individual files
Hashes of copied sector ranges
Can be hashed, compressed, encrypted, split, converted from raw format to an .e01 evidence file as a whole after creation
Can be hashed, compressed, encrypted, split, and stored in .e01 format as a whole immediately

* all tools that understand raw images, unless they depend on file system data structures that are not included or just don't understand the original partitioning method or file system in general

** certain tools (details)

Simplified graphical comparison