Friday, July 2, 2010

Computer Forensics: A Legal Primer

Here is a link to an excellent post by a law professor and a follow-up post from a computer forensic expert (Ex Forensis: "Forensic File Formats – A Primer for Attorneys") that contains a primer of the terms that matter when computers are evidence in a case. As background, the article discusses State v. Dingman, 149 Wash.App. 648, 202 P.3d 388 (Washington Court of Appeals 2009), in which one of the defendant's claims was that neither he nor the expert hired by the defense had access to the EnCase program needed to conduct forensic analysis. The Washington Court of Appeals held that the trial court “erred by requiring that the State provide only an EnCase mirror image of Dingman’s hard drives to the defense.” The Court vacated the conviction and remanded for a new trial.

Here is an excerpt from the Primer, written by Larry Daniel, a computer forensic expert available for hire as a defense expert:
Here are the different kinds of formats you can expect to see in cases and how to deal with them.

1. EnCase format or, as it is also known, Expert Witness format or E01 format. EnCase is by Guidance Software, Inc.
   - This is the “native” format for creating copies of digital evidence when the copies are made using EnCase Forensic software. The file extensions for these files begin with .e01 and are numbered .e02, .e03 and so on.
2. FTK format. FTK, which stands for Forensic Tool Kit, is forensic software by Access Data Corporation. It is the second most popular forensic software in use by law enforcement in the US.
3. DD aka RAW format. DD format can be created by several different programs and hardware devices used to create forensic copies of hard drives and other digital media. It is an open source format and is commonly created using the Linux dd command.
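The primer above describes formats by name, but in practice a defense expert receiving a drive image first has to work out which container is in front of them and whether all of it arrived. The script below is an added example written for this post, not code from the post or from any vendor. It assumes two facts about the formats listed: every EnCase/Expert Witness segment file begins with the 8-byte EWF signature `EVF\x09\x0d\x0a\xff\x00`, and a raw dd image carries no signature at all, so it can only be recognised by exclusion. It also follows the segment naming the primer gives (.e01, .e02, .e03 ...) to collect a multi-segment E01 set, and hashes a raw image so the value can be compared with the hash listed in the chain-of-custody paperwork. The FTK entry in the primer names no file signature, so FTK-produced images are not detected separately. All sample files are constructed in a temporary directory; there is no real evidence here.

```python
"""Classify a forensic disk image by its header and gather its segment files.

Added example, not part of the original post.  Assumptions:
  * E01 / Expert Witness segments start with the EWF signature
    b"EVF\x09\x0d\x0a\xff\x00".
  * Raw dd images have no container signature (identified by exclusion).
  * Segments are named .e01, .e02, .e03 ... as the primer states.
"""
import hashlib
import os
import re
import tempfile

EWF_SIGNATURE = b"EVF\x09\x0d\x0a\xff\x00"          # first 8 bytes of any E01 segment
SEGMENT_RE = re.compile(r"\.e\d{2}$", re.IGNORECASE)  # matches .e01, .E02, ...


def identify_image(path):
    """Return a human-readable format name based on the file's first 8 bytes."""
    with open(path, "rb") as fh:
        header = fh.read(8)
    if header == EWF_SIGNATURE:
        return "E01 (EnCase / Expert Witness)"
    # No signature matched: treat as a raw dd image.  Raw is a bare copy of the
    # sectors, so nothing in the file itself can confirm this guess.
    return "raw/dd (no container signature)"


def collect_segments(first_segment):
    """Return every segment (.e01, .e02, ...) that sits beside the first one.

    A missing segment in the middle stops the enumeration, which is exactly the
    situation an examiner needs to notice before trusting the image set.
    """
    base, ext = os.path.splitext(first_segment)
    if not SEGMENT_RE.search(ext):
        raise ValueError(f"{first_segment} is not named like an E01 segment")
    letter = ext[1]  # keep the caller's 'e' or 'E'
    segments = []
    n = 1
    while True:
        candidate = f"{base}.{letter}{n:02d}"
        if not os.path.exists(candidate):
            break
        segments.append(candidate)
        n += 1
    return segments


def sha1_of_file(path):
    """SHA-1 of a (raw) image, read in 1 MiB chunks so large drives fit in memory."""
    digest = hashlib.sha1()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def demo():
    """Create constructed sample images in a temp dir and classify them."""
    with tempfile.TemporaryDirectory() as tmp:
        # Constructed three-segment E01 set: signature plus filler bytes.
        for n in (1, 2, 3):
            with open(os.path.join(tmp, f"evidence.E{n:02d}"), "wb") as fh:
                fh.write(EWF_SIGNATURE + b"\x00" * 24)
        first = os.path.join(tmp, "evidence.E01")

        # Constructed raw image: 512 zero bytes ending in the MBR boot marker.
        raw = os.path.join(tmp, "evidence.dd")
        with open(raw, "wb") as fh:
            fh.write(b"\x00" * 510 + b"\x55\xaa")

        return {
            "e01_format": identify_image(first),
            "e01_segments": [os.path.basename(p) for p in collect_segments(first)],
            "raw_format": identify_image(raw),
            "raw_sha1": sha1_of_file(raw),
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Run it as a script to see the classification of the two constructed images. In a real engagement the `raw_sha1` value is the one to compare against the hash recorded when the image was acquired; if the segment list from `collect_segments` stops short of the count the producing party reported, that gap is the first thing to raise, since the missing segments cannot be reconstructed from the ones present.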
