Anonymous ID: da06c2 Aug. 12, 2021, 2:57 p.m. No.14338580   >>8589 >>8600 >>8611 >>8625 >>8879

Preliminary audit torrents info

 

there are 2 torrents

 

1st torrent magnet:

magnet:?xt=urn:btih:dc654b50ec08a8ad5d8f6275f9cd4fcae29686c1&dn=CnuDA4EHJS0glXNC.zip&tr=udp%3a%2f%2ftracker.openbittorrent.com%3a80%2fannounce&tr=udp%3a%2f%2ftracker.opentrackr.org%3a1337%2fannounce

torrent contains 1 file: ic9WLQaUKTRWV2Sv.zip

file size: 18500880652 (about 18.5 GB)

sha256 checksum:

>sha256sum ic9WLQaUKTRWV2Sv.zip

fa2875888b3d80dae9d8b8d19225602a1d7557bfe212bb26fdaa27eba26f5239 ic9WLQaUKTRWV2Sv.zip

ic9WLQaUKTRWV2Sv.zip contains: EMSSERVER.E01

file size: 20360943414 (about 20.4 GB)

sha256 checksum:

>sha256sum EMSSERVER.E01

758cba7e566d9140882c33300ed79e578a272b74d0e7db148fea259d6ac42453 EMSSERVER.E01

filetype of EMSSERVER.E01:

>file EMSSERVER.E01

EMSSERVER.E01: EWF/Expert Witness/EnCase image file format

 

2nd torrent magnet:

magnet:?xt=urn:btih:dc654b50ec08a8ad5d8f6275f9cd4fcae29686c1&dn=CnuDA4EHJS0glXNC.zip&tr=udp%3a%2f%2ftracker.openbittorrent.com%3a80%2fannounce&tr=udp%3a%2f%2ftracker.opentrackr.org%3a1337%2fannounce

torrent contains 1 file: CnuDA4EHJS0glXNC.zip

file size: 18737362756 (about 18.7 GB)

sha256 checksum:

>sha256sum CnuDA4EHJS0glXNC.zip

fcffcd8b6071cd90f3315f02dbf4521b2f6e9657684aedfd848e229a7c38fe58 CnuDA4EHJS0glXNC.zip

CnuDA4EHJS0glXNC.zip contains: EMSSERVER_v2.E01

file size: 20591064705 (about 20.6 GB)

sha256 checksum:

>sha256sum EMSSERVER_v2.E01

1f5a657a7943285c7728e73625e429ead87c19243bdc84b53a047d4282cfaf8b EMSSERVER_v2.E01

filetype of EMSSERVER.E01:

>file EMSSERVER_v2.E01

EMSSERVER_v2.E01: EWF/Expert Witness/EnCase image file format

Anonymous ID: da06c2 Aug. 12, 2021, 2:58 p.m. No.14338589   >>8600 >>8625 >>8929

>>14338580

EWF/Expert Witness/EnCase image file format

 

some info on this file format

 

https://www.andreafortuna.org/2018/04/11/how-to-mount-an-ewf-image-file-e01-on-linux/

 

Often, during a forensic analysis, you may need to explore an EWF image (usually a file with .E0X extension) in order to extract some artifacts.

 

EWF files (Expert Witness Format) are a type of disk image that contains the contents and structure of an entire data storage device, a disk volume, or (in some cases) a computer’s physical memory (RAM).

 

EWF files consist of one or more sections, each with its own header and section-level fixity data, usually in the form of an Adler-32 checksum, compressed into 32 kb chunks which are stored back to back in groupings inside the file to improve random access efficiency.

 

EWF files may take one of two forms

 

The first is referred to as a “bitstream or forensic image”: a sector-by-sector copy of the source, replicating the structure and contents of the storage device independent of the file system, including inactive data like the files and fragments that reside in unallocated space including deleted files that have not yet been overwritten.

 

The second form is called “logical evidence file” and it preserves the original files as they existed on the media and also documents this metadata:

 

assigned file name and extension

datetime created, modified, and last accessed

logical and physical size

MD5 hash value

permissions

starting extent and original path

 

Logical evidence files are typically created after an analysis locates some files of interest, and for forensic reasons, they are kept in an “evidence grade” container.

 

References

 

http://www.forensicswiki.org/wiki/Encase_image_file_format

https://en.wikipedia.org/wiki/Adler-32

http://www.forensicswiki.org/wiki/Libewf

http://www.dfrws.org/sites/default/files/session-files/paper-extending_the_advanced_forensic_format_to_accommodate_multiple_data_sources_logical_evidence_arbitrary_information_and_forensic_workflow.pdf
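
Added example, not part of the post or the article it quotes: a small Python walker for the section chain of an EWF-E01 segment file that checks the Adler-32 stored in each section descriptor. The 13-byte file header and 76-byte descriptor layout are assumed from the libewf project's EWF format documentation rather than stated in the thread, and the sample bytes are constructed.

```python
import struct
import zlib

EVF_SIGNATURE = b"EVF\x09\x0d\x0a\xff\x00"  # EWF-E01 segment file signature
FILE_HEADER = struct.Struct("<8sBHH")         # signature, 0x01, segment number, 0x0000
SECTION = struct.Struct("<16sQQ40sI")         # type, next offset, size, padding, Adler-32


def make_section(kind, offset, payload=b"", last=False):
    """Build one constructed section: 76-byte descriptor followed by its payload."""
    size = SECTION.size + len(payload)
    next_offset = offset if last else offset + size  # final section points at itself
    body = struct.pack("<16sQQ40s", kind, next_offset, size, b"")
    return body + struct.pack("<I", zlib.adler32(body)) + payload


def walk_sections(data):
    """Return (segment_number, [(type, offset, size, checksum_ok), ...])."""
    signature, _, segment, _ = FILE_HEADER.unpack_from(data, 0)
    if signature != EVF_SIGNATURE:
        raise ValueError("not an EWF-E01 segment file")
    sections, offset = [], FILE_HEADER.size
    while True:
        if offset + SECTION.size > len(data):
            raise ValueError("section descriptor at %d is truncated" % offset)
        kind, next_offset, size, _, stored = SECTION.unpack_from(data, offset)
        # The checksum covers the first 72 bytes of the descriptor.
        computed = zlib.adler32(data[offset:offset + SECTION.size - 4])
        name = kind.rstrip(b"\x00").decode("ascii", "replace")
        sections.append((name, offset, size, stored == computed))
        if next_offset <= offset:  # last section points at itself; also stops loops
            return segment, sections
        offset = next_offset


def build_sample():
    """Constructed two-section segment file (not taken from any real image)."""
    data = FILE_HEADER.pack(EVF_SIGNATURE, 1, 1, 0)
    data += make_section(b"header", len(data), zlib.compress(b"constructed case data"))
    data += make_section(b"done", len(data), last=True)
    return data


if __name__ == "__main__":
    sample = bytearray(build_sample())
    print(walk_sections(bytes(sample)))
    sample[FILE_HEADER.size + 40] ^= 0xFF  # corrupt one padding byte in the first descriptor
    print(walk_sections(bytes(sample)))
```

This only checks descriptor-level fixity; the stored hash over the acquired media data is what ewfverify from the libewf tools checks.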

Anonymous ID: da06c2 Aug. 12, 2021, 2:59 p.m. No.14338600   >>8625

>>14338580

>>14338589

Encase image file format

 

https://web.archive.org/web/20190915171358/http://www.forensicswiki.org/wiki/Encase_image_file_format

 

The Encase image file format is used by EnCase to store various types of digital evidence, e.g.

 

disk image (physical bitstream of an acquired disk)

volume image

memory

logical files

Anonymous ID: da06c2 Aug. 12, 2021, 3:02 p.m. No.14338625

>>14338600

>>14338580

>>14338589

libewf

 

libewf is a library to access the Expert Witness Compression Format (EWF).

 

https://github.com/libyal/libewf/

 

Project information:

  • Status: experimental

  • Licence: LGPLv3+

 

Read or write supported EWF formats:

  • SMART .s01 (EWF-S01)

  • EnCase

    • .E01 (EWF-E01)

    • .Ex01 (EWF2-Ex01)

 

Not supported:

  • .Ex01 (EWF2-Ex01) bzip2 compression (work in progress)

  • .Ex01 (EWF2-Ex01) encryption

 

Read-only supported EWF formats:

  • Logical Evidence File (LEF)

  • .L01 (EWF-L01)

  • .Lx01 (EWF2-Lx01)

 

Other features:

  • empty-block compression

  • read/write access using delta (or shadow) files

  • write resume

 

Work in progress:

  • Dokan library support (experimental)

  • Python bindings (including Python 3 support)

  • write EWF2-Ex01 support

  • Multi-threading support

 

Planned:

  • write EWF-L01 and EWF2-Lx01 (long-term)

 

The libewf package contains the following tools:

  • ewfacquire; which writes storage media data from devices and files to EWF files.

  • ewfacquirestream; which writes data from stdin to EWF files.

  • ewfdebug; experimental tool does nothing at the moment.

  • ewfexport; which exports storage media data in EWF files to (split) RAW format or a specific version of EWF files.

  • ewfinfo; which shows the metadata in EWF files.

  • ewfmount; which FUSE mounts EWF files.

  • ewfrecover; special variant of ewfexport to create a new set of EWF files from a corrupt set.

  • ewfverify; which verifies the storage media data in EWF files.

 

For previous project contributions see:

  • libewf on SourceForge: https://sourceforge.net/projects/libewf

 

For previous stable releases see:

  • Downloads: https://github.com/libyal/legacy/tree/master/libewf

 

For more information see:

  • Project documentation: https://github.com/libyal/libewf/wiki/Home

 

  • How to build from source: https://github.com/libyal/libewf/wiki/Building