Evidence File Containers

Overview

Evidence file containers are logical images that contain only selected files and preserve these files with practically all their external metadata. They are used either for acquisition as a substitute for a conventional forensically sound image (in cases where only some files are needed and a full sector-wise image would be overkill) or to share selected files with other examiners, investigators, lawyers, prosecutors, the opposing party etc. some time after acquisition. Evidence file containers can be created by X-Ways Forensics and X-Ways Investigator. Comparison with skeleton images and cleansed images.

The information on this page is about the new container format used by v16.3 and later. It is as universal as it gets and can be understood by 3rd party forensic tools with in-depth file system support out of the box or with little additional effort.

Note

Containers are initially raw images with a special file system (XWFS2). They can be converted to .e01 evidence file format. However, that does not change any file system data structures stored in the sectors and make the file system in the image somehow "more compatible", as some users seem to expect. Please understand that the file format of the outer image is separate from the format of the data in the inner sectors (the file system).

Containers are designed to preserve as much metadata of the included files as possible, see below. Evidence file containers can even transport only the external metadata of files, without the file contents, if that is desired by the creator of the container, and if so such files will be marked as "metadata only" and still show the original file size (which is also external metadata) while file contents are not available from the container. This concept is not known from ordinary file systems, and some recipients of containers, who are not familiar with X-Ways Forensics, apparently find it disturbing, reporting back to us that when they copy a file with a size of > 0 off the container they get a copy of the file with a size of 0 bytes = no data, as if that was an error, although the program told them beforehand that only metadata is available.

Evidence file containers can even transported only a selected range of data within a file (from offset x to offset y), in which case the file in the container will be marked as an excerpt. And the creator can choose whether or not include the original path of a file in the container, completely or partially, and then the parent directories can either keep their own file system data or not (e.g. INDX buffers in NTFS) if desired (e.g. not desirable if the creator does not wish to reveal external metadata from other files that in the original evidence object reside in the same directory to the recipient of the container).

In short: As always, users of X-Ways Forensics have the maximum amount of control over what data they analyze and share, and the recipient of an evidence file container should absolutely realize that the whole point of such a container is to encapsulate a selected subset of the original data.

Basic Metadata

List:

filename
path
logical file size
valid data length
ordinary Windows world attributes
existing or deleted
creation date
modification date
last access date
last record update date
hard link count
examiner classifications (report table associations)
examiner comments

Basic metadata and file contents in evidence file containers are understood by:

EnCase 5 and later
MountImage Pro 4 and later (first add image, then mount file system)
Belkasoft Evidence Center 6.3 and later
WinHex 12.5 and later, with a specialist license or higher
WinHex 18.6 and later with any kind of license or without (without license containers with no more than 1000 objects)
WinHex 19.8 and later with any kind of license can also mount containers as a drive letter (install Dokan first)
X-Ways Forensics 12.5 and later
X-Ways Investigator all versions
?

Advanced Metadata

List:

detailed deletion status (existing, previously existing, moved/renamed, partially overwritten, original contents assured despite deletion)
original file system file ID
original file system data structure offset
deletion date, internal creation date
UNIX/Linux permissions/file modes
compression/encryption status
classification as NTFS alternate data stream
classification as HFS[+] resource fork
classification as reparse point
classification as found in volume shadow copy
classification as file slack
classification as file excerpt
classification as video still
classification as manually attached
classification as virtual object
classification as e-mail message
classification as e-mail attachment
classification as misc. Outlook data
advanced attributes such as "has attachment", "unread e-mail", "has object ID“
sender and recipients for extracted or processed e-mail
skin color percentage and number of pixels (for pictures)
true file type
file name/file type mismatch status
owner ID
hash value
hash category
PhotoDNA category number
case ID
evidence object ID
volume snapshot ID

Advanced metadata are generally understood by

WinHex 16.3 and later, with a specialist license or higher
X-Ways Forensics 16.3 and later
X-Ways Investigator 16.3 and later
X-Ways Investigator CTR 16.3 and later

(All advanced metadata only by the latest version.)


See prices, retrieve quotes, order new licenses
Upgrades / renewals
Products
	X-Ways Forensics
	Integrated computer forensics software
	X-Ways Investigator
	Investigator version of X-Ways Forensics
	X-Tensions
	3rd party add-ons
	Excire Forensics
	Photo analysis with AI
	WinHex
	Hex editor, disk editor, RAM editor
	X-Ways Imager
	Disk imaging and more
Services
	Training
	Certification
	User forum

	Contact X-Ways
	Corporate info
	Privacy statement
	Jobs