Sunday, March 30, 2014

Logical Evidence Files

The structure of the logical evidence file (L01) is important for understanding how many of EnCase's interesting and useful features actually work. Because it is a proprietary format, not all vendors support it, and it is not well documented or widely known in the forensic community.
To get a look inside it you have to go to the EnCase EnScript help and study the related class structures and methods. The logical evidence file is the key container for an analyst's results and for data extracted from evidence files. It is a data safe for data extracted from devices and from original evidence, storing it in a minimal and forensically sound way. Still, its internal structure has some compromises, or so it appears. In a logical evidence file you can store everything EnCase recognizes as a logical entity: files, records, and the results of operations. While working with evidence, logical evidence files should be used as a cache and as a container for organising data. Most of the EnScripts for v6 and v7 that perform tasks automatically store their results, or part of them, in L01 files.
With today's disks sized in terabytes it is not wise to handle all that data in one case, especially when we are interested in only a handful of emails or files from those vast disks. A simple and efficient way to conserve resources and performance is to store the relevant data in a logical evidence file and work with those files in subsequent steps.
Sometimes using the logical evidence format has curious repercussions, as in data collection with the Sweep Enterprise tool. It is logical to store collected data separately for each end node, but since it is stored in an L01 file, accessing that collected data is not very intuitive until you take into account the purpose and structure of the L01 file.
Since more than one type of data can be stored in an L01 file (see the description of LogicalEvidenceFileClass in the EnScript help), it is important to understand how this data can be accessed and presented in the EnCase graphical user interface. This separation of data types is what causes all the trouble in viewing collection data directly in EnCase.
Another key feature of the L01 file is that it can be extended with additional data until the file is deliberately locked against further extension. This is an extremely useful feature, since it allows the user to logically organise data as it is discovered and keep it in a forensically sound container. All these good features should be defined in SOPs and legally presented and cleared for the benefit of all involved.
There are some questions that are often asked about the logical evidence format and the data in an ordinary evidence file. One of the most common is: if an L01 keeps only logical data, which at the file system level means files and their filesystem metadata, what about unallocated space, internal files, slack, and so on? The answer is easy: EnCase presents all these entities in the evidence as virtual files. For example, "Unallocated Clusters" on a volume are accessible as the virtual file "Unallocated Clusters", and through that it is also possible to put them into an L01 file. The same holds for volume slack, lost files, unused disk areas, and internal file system objects and files.

1 comment:

  1. LEF is the most secure and reliable file, but sometimes it gets corrupted and cannot be opened by EnCase, but one tool is available to open LEF files.
    Here is the link:
    http://www.freeviewer.org/lef/
    Must try!