EVF2 Evidence-File Segment Extraction Utility
This is a proof-of-concept EnScript designed to extract data from one or more EVF2 evidence-file segments in the event of a hardware or software failure.
Each segment will have a header (containing an EVF2 file-signature) plus a number of link-records that are read from the end of the file towards the beginning; each link-record points to the next link-record in the chain and carries an ADLER-32 validation checksum.
A properly terminated evidence-file segment will have a 'next-record' or 'done' link-record at the end.
The 'sector-table' link-record should have an associated sector-table array containing an entry for each block spanned by the segment. The sector-table will have its own ADLER-32 validation checksum as will each compressed or uncompressed block (sparse [empty] blocks are not stored physically).
The examiner should choose the segments to be analyzed after which the script will perform the following validation checks on each one:
- Segment's header (including file-signature and EVF2 version) should be valid
- Segment should not be encrypted (encrypted segments aren't supported)
- Segment should be terminated by a 'next-record' or 'done' link-record
- Segment's link-record collection should be parsable and valid
- Segment should contain case-data, device-info and sector-table link-records
Subject to the following restriction, the script can be instructed to extract one or more valid segments for a single device.
The segments to be extracted must have sequential segment-numbers and be selected as such in the script's analysis-results dialog. To facilitate this, the segments will be sorted automatically after analysis, first by GUID, then by segment-number.
The script will create IMG files that are sequentially numbered. These can be added to EnCase using the Add Evidence > Add Raw Image option. When using this option, multiple segments should be selected in reverse order.
Feedback will be provided via the console and progress-bar. The latter may not advance linearly because sparse regions are faster to extract than other data: segments spanning a large number of such regions will typically be extracted faster even if they have a larger decompressed size.
Any non-sparse block that fails the ADLER-32 validation check will generate an error and cause the script to terminate.
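The validation sequence described above, as an added Python model that is not the EnScript's own code and does not reproduce the real EVF2 on-disk layout (which this page does not describe): a chain of link-records walked from the end of the file backwards, each checked with ADLER-32, a sector-table, and block extraction that zero-fills sparse blocks and aborts on a block checksum failure. The record layout, the 'TOY2' signature, the 8-byte block size and the end-of-file pointer are constructed assumptions for the example.

```python
import struct
import zlib

# Constructed toy layout (NOT the real EVF2 format). Link-record: <4s type>
# <Q prev-record offset><I payload len><payload><I ADLER-32>. The last 8 bytes of a
# segment hold the offset of its final ('DONE') record, so the chain is walked backwards.
HDR, BLOCK = struct.Struct("<4sQI"), 8          # BLOCK: toy block size in bytes
NO_PREV = SPARSE = 0xFFFFFFFFFFFFFFFF           # chain-start / sparse-block marker

def link_record(rtype, prev, payload):
    body = HDR.pack(rtype, prev, len(payload)) + payload
    return body + struct.pack("<I", zlib.adler32(body))

def walk_chain(seg):
    """Follow link-records backwards, validating each ADLER-32; returns {type: payload}."""
    off, records = struct.unpack_from("<Q", seg, len(seg) - 8)[0], {}
    while off != NO_PREV:
        rtype, prev, plen = HDR.unpack_from(seg, off)
        end = off + HDR.size + plen
        if zlib.adler32(seg[off:end]) != struct.unpack_from("<I", seg, end)[0]:
            raise ValueError(f"link-record {rtype!r} at {off} failed ADLER-32")
        records[rtype] = seg[off + HDR.size:end]
        off = prev
    if b"DONE" not in records or b"STBL" not in records:
        raise ValueError("segment lacks a 'done' terminator or a sector-table")
    return records

def extract_blocks(seg):
    """Rebuild raw data: sparse entries become zeros; a bad block ADLER-32 aborts."""
    out = bytearray()
    for (boff,) in struct.iter_unpack("<Q", walk_chain(seg)[b"STBL"]):
        if boff == SPARSE:
            out += bytes(BLOCK)                 # sparse blocks are not stored physically
            continue
        blk = seg[boff:boff + BLOCK]
        if zlib.adler32(blk) != struct.unpack_from("<I", seg, boff + BLOCK)[0]:
            raise ValueError(f"block at {boff} failed ADLER-32")
        out += blk
    return bytes(out)

def build_sample(blocks):
    """Constructed sample segment: stored blocks (None = sparse), then the chain."""
    seg, table = bytearray(b"TOY2"), b""        # 'TOY2' stands in for the file-signature
    for b in blocks:
        table += struct.pack("<Q", SPARSE if b is None else len(seg))
        if b is not None:
            seg += b + struct.pack("<I", zlib.adler32(b))
    table_off = len(seg)
    seg += link_record(b"STBL", NO_PREV, table)
    return bytes(seg + link_record(b"DONE", table_off, b"") + struct.pack("<Q", len(seg)))
```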
Having been written as an EnScript proof of concept rather than a standalone program, this script will take some time to run, particularly on a large number of segments.
In one particular test, the script took 4.3 hours to extract 41GB of data from a 15.9GB evidence-file spanning two segments.
This script is provided as-is: no warranty is given or implied.
The examiner is encouraged to test the script using structurally intact evidence-files first. EnCase can be used to compare the hashes of files produced by the script to the hashes of the corresponding sector-ranges in the source evidence-file.
This script was developed for use in EnCase training.