EVF2 Evidence-File Segment Extraction Utility

363968

OpenText OpenText Community

App Support Tiers

OpenText SUPPORTED

Support via OpenText Software Support, with a ticket filed against the associated product.

PARTNER

OpenText offers a content partnership program for select partners. Support for Partner Content offerings is provided by the partner and not by OpenText of the OpenText community.

OpenText COMMUNITY

OpenText Community Content is provided by OpenText for the benefit of customers, support for it is not available via OpenText Software Support but through specific community content forums.

COMMUNITY

Community Contributed Content is provided by OpenText customers and supported by them.

EARLY ACCESS

Show less ...Show more

The downloads referenced under the "Cybersecurity Early Access" category are made available to subscribers to mitigate time-critical issues but have not undergone formal quality and performance testing associated with official OpenText/Cybersecurity product releases. OpenText has a multi-stage Quality Assurance process. During Stage 1 we conduct a resource analysis, field mapping, ensure content level 1 functionality and analysis in our sandbox environment. Stage 2 is a complete validation including production validation. This package has cleared Stage 1 validation and therefore should be deployed with the appropriate pre-production validation. OpenText strongly recommends that any downloaded content is first checked and tested thoroughly in a non-production environment before committing to production. We welcome feedback and, should any content be shown to be faulty, detrimental or carry an incorrect claim of authorship, we shall endeavor to remove or correct such content as promptly as reasonably possible once notified and validated.

OpenText | OpenText Community

This is a proof-of-concept EnScript designed to extract data from one or more EVF2 evidence-file segments in the event of a hardware or software failure.

901 downloads

Product compatibility

EnCase App Central

Description

This is a proof-of-concept EnScript designed to extract data from one or more EVF2 evidence-file segments in the event of a hardware or software failure.

Each segment will have a header (which will contain an EVF2 file-signature) plus a number of link-records that are read from the end of the file towards the beginning (each link-record points to the next link-record in the chain). Each link-record will have an ADLER-32 validation checksum.

A properly terminated evidence-file segment will have a 'next-record' or 'done' link-record at the end.

The 'sector-table' link-record should have an associated sector-table array containing an entry for each block spanned by the segment. The sector-table will have its own ADLER-32 validation checksum as will each compressed or uncompressed block (sparse [empty] blocks are not stored physically).

The examiner should choose the segments to be analyzed after which the script will perform the following validation checks on each one:

Segment's header (inc. file-signature and EVF2 version) should be valid
Segment should not be encrypted (encrypted segments aren't supported)
Segment should be terminated by a 'next-record' or 'done' link-record
Segment's link-record collection should be parsable and valid
Segment should contain case-data, device-info and sector-table link-records

Subject to the following restriction, the script can be instructed to extract one or more valid segments for a single device.

The segments to be extracted must have sequential segment-numbers and be selected as such in the script's analysis-results dialog. To facilitate this, the segments will be sorted automatically after analysis, first by GUID, then by segment-number.

The script will create IMG files that are sequentially numbered. These can be added to EnCase using the Add Evidence > Add Raw Image option. When using this option, multiple segments should be selected in reverse order.

Feedback will be provided via the console and progress-bar. The latter may not perform linearly due to the presence of sparse regions, which are faster to extract than other data - segments spanning a large number of such regions will typically be extracted faster even if they have a larger decompressed size.

Any non-sparse block that fails the ADLER-32 validation check will generate an error and cause the script to terminate.

Having been written as an EnScript proof of concept rather than a standalone program, this script will take some time to run, particularly on a large number of segments.

In one particular test, the script took 4.3 hours to extract 41GB of data from a 15.9GB evidence-file spanning two-segments.

This script is provided as-is: no warranty is given or implied.

The examiner is encouraged to test the script using structurally intact evidence-files first. EnCase can be used to compare the hashes of files produced by the script to the hashes of the corresponding sector-ranges in the source evidence-file.

For additional information, please see the following Twitter post: