EnCase App Central

EVF2 Evidence-File Segment Extraction Utility

This is a proof-of-concept EnScript designed to extract data from one or more EVF2 evidence-file segments in the event of a hardware or software failure.

Each segment will have a header (which will contain an EVF2 file-signature) plus a number of link-records that are read from the end of the file towards the beginning (each link-record points to the next link-record in the chain). Each link-record will have an ADLER-32 validation checksum.

A properly terminated evidence-file segment will have a 'next-record' or 'done' link-record at the end.

The 'sector-table' link-record should have an associated sector-table array containing an entry for each block spanned by the segment. The sector-table will have its own ADLER-32 validation checksum as will each compressed or uncompressed block (sparse [empty] blocks are not stored physically).

The examiner should choose the segments to be analyzed after which the script will perform the following validation checks on each one:

  • Segment's header (inc. file-signature and EVF2 version) should be valid
  • Segment should not be encrypted (encrypted segments aren't supported)
  • Segment should be terminated by a 'next-record' or 'done' link-record
  • Segment's link-record collection should be parsable and valid
  • Segment should contain case-data, device-info and sector-table link-records
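
The Python sketch below is an added example, not part of the EnScript or of the original page. It uses a constructed toy record layout (not the real EVF2 on-disk format; the field order, type codes and offsets are all assumptions) to show the validation pattern described above: follow the link-records from the end of the segment, verify each ADLER-32, then check termination and the required record types.

```python
import struct
import zlib

# Constructed toy layout (an assumption, NOT the real EVF2 on-disk format):
#   payload | type u8 | prev_end u64 | payload_len u32 | adler32 u32   (little-endian)
# prev_end is the end offset of the record written before this one, so the
# chain is followed from the last record in the file back towards the header.
TRAILER = struct.Struct("<BQII")
TYPES = {1: "case-data", 2: "device-info", 3: "sector-table", 4: "next-record", 5: "done"}
REQUIRED = {"case-data", "device-info", "sector-table"}
NO_PREV = 0xFFFFFFFFFFFFFFFF  # marks the first record written (end of the chain)

def append_record(buf, rtype, payload, prev_end):
    """Append one record to bytearray buf and return its end offset."""
    body = payload + struct.pack("<BQI", rtype, prev_end, len(payload))
    buf.extend(body + struct.pack("<I", zlib.adler32(body)))
    return len(buf)

def build_sample(terminated=True):
    """Build a constructed sample segment body for the checks below."""
    records = [(1, b"case"), (2, b"device"), (3, b"table")]
    if terminated:
        records.append((5, b""))
    buf, end = bytearray(), NO_PREV
    for rtype, payload in records:
        end = append_record(buf, rtype, payload, end)
    return bytes(buf)

def validate_segment(data):
    """Walk the chain from the end of data; return (ok, problems, types_seen)."""
    problems, seen, end = [], [], len(data)
    while end != NO_PREV:
        if not TRAILER.size <= end <= len(data):
            problems.append(f"link to offset {end} is out of bounds")
            break
        rtype, prev_end, plen, stored = TRAILER.unpack_from(data, end - TRAILER.size)
        start = end - TRAILER.size - plen
        if start < 0 or zlib.adler32(data[start:end - 4]) != stored:
            problems.append(f"ADLER-32 mismatch in record ending at {end}")
            break
        if prev_end != NO_PREV and prev_end > start:
            problems.append(f"record ending at {end} does not link backwards")
            break
        seen.append(TYPES.get(rtype, "unknown"))
        end = prev_end
    if not seen or seen[0] not in ("next-record", "done"):
        problems.append("segment is not terminated by a next-record or done record")
    problems += [f"missing {name} record" for name in sorted(REQUIRED - set(seen))]
    return (not problems, problems, seen)
```

A segment cut short by a write failure fails the termination or checksum test at the first record read, while corruption deeper in the file is caught when the walk reaches the damaged record.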

Subject to the following restriction, the script can be instructed to extract one or more valid segments for a single device. 

The segments to be extracted must have sequential segment-numbers and be selected as such in the script's analysis-results dialog. To facilitate this, the segments will be sorted automatically after analysis, first by GUID, then by segment-number.

The script will create IMG files that are sequentially numbered. These can be added to EnCase using the Add Evidence > Add Raw Image option. When using this option, multiple segments should be selected in reverse order.

Feedback will be provided via the console and progress-bar. The latter may not advance linearly due to the presence of sparse regions, which are faster to extract than other data. Segments spanning a large number of such regions will typically be extracted faster, even if they have a larger decompressed size.

Any non-sparse block that fails the ADLER-32 validation check will generate an error and cause the script to terminate.

Having been written as an EnScript proof of concept rather than a standalone program, this script will take some time to run, particularly on a large number of segments.

In one particular test, the script took 4.3 hours to extract 41GB of data from a 15.9GB evidence-file spanning two segments.

This script is provided as-is: no warranty is given or implied.

The examiner is encouraged to test the script using structurally intact evidence-files first. EnCase can be used to compare the hashes of files produced by the script to the hashes of the corresponding sector-ranges in the source evidence-file.

For additional information, please see the following Twitter post:

This script was developed for use in EnCase training. For more details, please click the following link:

Version: 1.1
Tested with:
EnCase Forensic 20.04.00.120
Developer: Simon Key
Category: Utility

46 Downloads
6 Downloads in last 6 months