The header section The header section consists of an ASCII string as long as necessary. The character data is compressed by zlib. ( spaces were added for readability ) Header defitiont found in http://www.arsdata.com/SMART/whitepaper.html 1 \n main \n c \t n \t a \t e \t t \t m \t u \t p \t r \n case number \t evidence number \t unique description \t examiner name \t notes \t acquired date \t system date \t pwhash \t char \n case number, evidence number, unique description, examiner name, and notes are free form strings (except for \t and \n) acquired date, and system date are in the form "2002 3 4 10 19 59", which is March 4, 2002 10:19:59 pwhash the password hash should be the character '0' for no password char contains one of the following letters b => best compression f => fastest compression n => no compression Header definition found in FTK Imager 2.3 A fifth line is present which is empty 1 \n main \n c \t n \t a \t e \t t \t av \t ov \t m \t u \t p \t r \n case number \t evidence number \t unique description \t examiner name \t notes \t version \t platform \t acquired date \t system date \t pwhash \t char \n \n case number, evidence number, unique description, examiner name, and notes are free form strings (except for \t and \n) acquired date, and system date are in the form "2002 3 4 10 19 59", which is March 4, 2002 10:19:59 version is the Encase version used to acquire the image platform is the operating system used to acquire the image pwhash the password hash should be the character '0' for no password char contains one of the following letters b => best compression f => fastest compression n => no compression Header definition found in Encase 1 A fifth line is present which is empty 1 \r\n main \r\n c \t n \t a \t e \t t \t m \t u \t p \t r \r\n case number \t evidence number \t unique description \t examiner name \t notes \t acquired date \t system date \t pwhash \t char \r\n \r\n case number, evidence number, unique description, examiner name, and notes are free form strings (except for \t and \n) acquired date, and system date are in the form "2002 3 4 10 19 59", which is March 4, 2002 10:19:59 pwhash the password hash should be the character '0' for no password char contains one of the following letters b => best compression f => fastest compression n => no compression Header definition found in Encase 2, 3 A fifth line is present which is empty 1 \r\n main \r\n c \t n \t a \t e \t t \t av \t ov \t m \t u \t p \t r \r\n case number \t evidence number \t unique description \t examiner name \t notes \t version \t platform \t acquired date \t system date \t pwhash \t char \r\n \r\n case number, evidence number, unique description, examiner name, and notes are free form strings (except for \t and \n) acquired date, and system date are in the form "2002 3 4 10 19 59", which is March 4, 2002 10:19:59 version is the Encase version used to acquire the image platform is the operating system used to acquire the image pwhash the password hash should be the character '0' for no password char contains one of the following letters b => best compression f => fastest compression n => no compression Header definition found in Encase 4 and 5 A fifth line is present which is empty 1 \r\n main \r\n c \t n \t a \t e \t t \t av \t ov \t m \t u \t p \r\n case number \t evidence number \t unique description \t examiner name \t notes \t version \t platform \t acquired date \t system date \t pwhash \r\n \r\n case number, evidence number, unique description, examiner name, and notes are free form strings (except for \t and \n) acquired date, and system date are in the form "2002 3 4 10 19 59", which is March 4, 2002 10:19:59 version is the Encase version used to acquire the image platform is the operating system used to acquire the image pwhash the password hash should be the character '0' for no password Header found in linen 5 3 \n main \n a \t c \t n \t e \t t \t av \t ov \t m \t u \t p \n unique description \t case number \t evidence number \t examiner name \t notes \t version \t platform \t acquired date \t system date \t pwhash \n \n srce \n 0 1 \n p n id ev tb lo po ah gu aq \n 0 0 \n -1 -1 \n \n sub \n 0 1 \n p n id nu co gu \n 0 0 \n 1 \n \n unique description, case number, evidence number, examiner name, and notes are free form strings (except for \t and \n) acquired date, and system date are in the form unix time stamp "1142163845", which is March 12 2006, 11:44:05 version is the Encase version used to acquire the image platform is the operating system used to acquire the image pwhash the password hash should be empty for no password TODO the remaining values are currently unknown Header found in linen 6 3 \n main \n a \t c \t n \t e \t t \t md \t sn \t av \t ov \t m \t u \t p \t dc \n unique description \t case number \t evidence number \t examiner name \t notes \t model \t serial number \t version \t platform \t acquired date \t system date \t pwhash \t ? \n \n srce \n 0 1 \n p n id ev tb lo po ah gu aq \n 0 0 \n -1 -1 \n \n sub \n 0 1 \n p n id nu co gu \n 0 0 \n 1 \n \n unique description, case number, evidence number, examiner name, notes, model, and serial number are free form strings (except for \t and \n) acquired date, and system date are in the form unix time stamp "1142163845", which is March 12 2006, 11:44:05 version is the EnCase version used to acquire the image platform is the operating system used to acquire the image pwhash the password hash should be empty for no password TODO the remaining values are currently unknown