File: header2.txt

libewf 20140804-1

The header2 section

The header2 section consists of a UTF-16 string as long as necessary.
The character data is compressed by zlib.
( spaces added for readability in the layouts below )


Header2 found in EnCase4

1                                                                                                                                               \n
main                                                                                                                                            \n
a                  \t c           \t n               \t e             \t t     \t av      \t ov       \t m             \t u           \t p      \n
unique description \t case number \t evidence number \t examiner name \t notes \t version \t platform \t acquired date \t system date \t pwhash \n
                                                                                                                                                \n

unique description, case number, evidence number, examiner name, and notes are free-form strings that cannot contain \t or \n

acquired date and system date are Unix timestamps, for example "1142163845", which is March 12 2006, 11:44:05

version is the EnCase version used to acquire the image

platform is the operating system used to acquire the image

pwhash is the password hash; it should be empty when no password is set



Header2 found in EnCase5

3                                                                                                                                                     \n
main                                                                                                                                                  \n
a                  \t c           \t n               \t e             \t t     \t av      \t ov       \t m             \t u           \t p      \t dc \n
unique description \t case number \t evidence number \t examiner name \t notes \t version \t platform \t acquired date \t system date \t pwhash \t ?  \n
                                                                                                                                                      \n
srce                                                                                                                                                  \n
0       1                                                                                                                                             \n
p       n       id      ev      tb      lo      po      ah      gu      aq                                                                            \n
0       0                                                                                                                                             \n
                                        -1      -1                                                                                                    \n
                                                                                                                                                      \n
sub                                                                                                                                                   \n
0       1                                                                                                                                             \n
p       n       id      nu      co      gu                                                                                                            \n
0       0                                                                                                                                             \n
                                1                                                                                                                     \n
                                                                                                                                                      \n
unique description, case number, evidence number, examiner name, and notes are free-form strings that cannot contain \t or \n

acquired date and system date are Unix timestamps, for example "1142163845", which is March 12 2006, 11:44:05

version is the EnCase version used to acquire the image

platform is the operating system used to acquire the image

pwhash is the password hash; it should be empty when no password is set

TODO the remaining values are currently unknown


Header2 found in EnCase6

3                                                                                                                                                                               \n
main                                                                                                                                                                            \n
a                  \t c           \t n               \t e             \t t     \t md    \t sn            \t av      \t ov       \t m             \t u           \t p      \t dc \n
unique description \t case number \t evidence number \t examiner name \t notes \t model \t serial number \t version \t platform \t acquired date \t system date \t pwhash \t ?  \n
                                                                                                                                                                                \n
srce                                                                                                                                                                            \n
0       1                                                                                                                                                                       \n
p       n       id      ev      tb      lo      po      ah      gu      aq                                                                                                      \n
0       0                                                                                                                                                                       \n
                                        -1      -1                                                                                                                              \n
                                                                                                                                                                                \n
sub                                                                                                                                                                             \n
0       1                                                                                                                                                                       \n
p       n       id      nu      co      gu                                                                                                                                      \n
0       0                                                                                                                                                                       \n
                                1                                                                                                                                               \n
                                                                                                                                                                                \n
unique description, case number, evidence number, examiner name, notes, model, and serial number are free-form strings that cannot contain \t or \n

acquired date and system date are Unix timestamps, for example "1142163845", which is March 12 2006, 11:44:05

version is the EnCase version used to acquire the image

platform is the operating system used to acquire the image

pwhash is the password hash; it should be empty when no password is set

TODO the remaining values are currently unknown
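
Added example (not part of libewf or of the original file): a Python sketch that decodes a header2 section as described above and reads the "main" category for any of the three layouts, pairing the identifier line with the value line. Assumptions: the UTF-16 data starts with a byte order mark, timestamps are UTC (which matches the example value), and the 1 MiB decompression cap and the names parse_header2_main and build_sample are illustrative.

```python
import zlib
from datetime import datetime, timezone

MAX_HEADER2_BYTES = 1 << 20  # assumed cap on decompressed size (not from the format)

def _utc(ts: str) -> str:
    # Assumption: timestamps are UTC, consistent with the example value in the text.
    return datetime.fromtimestamp(int(ts), tz=timezone.utc).isoformat()

def parse_header2_main(section: bytes) -> dict:
    """Decode a header2 section and return the fields of its 'main' category."""
    d = zlib.decompressobj()
    # Bounded decompression: the section comes from an untrusted evidence file.
    raw = d.decompress(section, MAX_HEADER2_BYTES)
    if d.unconsumed_tail or not d.eof:
        raise ValueError("header2 exceeds size cap or zlib stream is truncated")
    lines = raw.decode("utf-16").split("\n")
    # Line 0 is the leading number ("1" or "3"), line 1 the category name.
    if len(lines) < 4 or lines[1] != "main":
        raise ValueError("no 'main' category in header2")
    keys, values = lines[2].split("\t"), lines[3].split("\t")
    if len(keys) != len(values) or len(set(keys)) != len(keys):
        raise ValueError("identifier and value columns do not line up")
    fields = dict(zip(keys, values))
    return {
        "fields": fields,  # raw values keyed by identifier (a, c, n, e, t, ...)
        "acquired": _utc(fields["m"]) if fields.get("m") else None,
        "system": _utc(fields["u"]) if fields.get("u") else None,
        "has_password": bool(fields.get("p")),  # empty pwhash means no password
    }

def build_sample() -> bytes:
    """Constructed EnCase6-style sample (main category only), not real evidence."""
    keys = ["a", "c", "n", "e", "t", "md", "sn", "av", "ov", "m", "u", "p", "dc"]
    vals = ["disk01", "CASE-1", "EV-1", "examiner", "notes", "model", "serial",
            "6.0", "Windows", "1142163845", "1142163845", "", ""]
    text = "3\nmain\n" + "\t".join(keys) + "\n" + "\t".join(vals) + "\n\n"
    return zlib.compress(text.encode("utf-16"))

if __name__ == "__main__":
    print(parse_header2_main(build_sample()))
```

Because the free-form fields cannot contain \t or \n, a value line with more or fewer columns than the identifier line indicates a damaged or altered header, so the parser rejects it rather than guessing.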