Container Files
This topic provides a list of the Container files that the Digital Reef software can identify along with the associated Digital Reef File Types.
You can view the File Types discovered during indexing of a selected Data Set, including the File Types for Container Files. For a Data Set under Imports, go to the Reports tab and
You can view the File Type for a particular document from the Metadata panel of the Document Viewer, in the filetype field.
Container File Categories
The Container files fall into four categories:
- Compressed Types
- File Archive Types
- Email Archive Types
- Disk Image Types
All of the supported Container types are by default expanded to reveal their contents for a full Content Index (with full content and full metadata). For a File Metadata Index, RAR, TAR, and ZIP archive files are by default expanded as well, but only to reveal the file metadata for the archive contents. (Mail Containers are not processed for a File Metadata Index.)
File Metadata mode always supports the identification and import of Forensic Images (for example, EWF Files that collectively form a disk image). (The Data Set option to control the expansion of archives does not apply to the Forensic Images, only to the RAR, TAR, and ZIP archives.) Each EWF file is treated as a Container file with a file type of diskimage/ewf. All EWF files for a given raw image contain the same information in a set of metadata fields (for example, ewfcasenumber, ewfdatacquired, ewfevidencenumber, ewfexaminername, ewfmd5, and ewfmediasize). The diskpartitions and diskpartitionstatus fields are always populated for any partitioned disk type with multiple partitions.
The Digital Reef software can both identify and parse Logical Evidence Files in File Metadata mode (the minimum representation level for this type of file). An LEF file is a type of Disk Image Container File. The LEF file type is associated with a docclass of Disk_Image. Files extracted from an LEF could be other document classes such as an eDoc, Message, or another Container such as a Message_Archive or Archive, and Directories will be included in the Index. In addition to a docclass of Disk_Image and a filetype of diskimage/lef, an LEF file will have information populated in the metadata fields ewfevidencenumber (for example, Evidence-10010-111-A), ewfexaminername, and ewfmediasize. Files extracted from the LEF include metadata such as createdtime, lastmodifiedtime, and lastaccesstime.
Note: In the following table, Containers marked with an asterisk (*) are identified by the software, but not supported for parsing. Such files will generate a parsing status of 00068 FILE_ID_ONLY for Parsing Library V2 and 00021 FILE_NOT_SUPPORTED for legacy Parsing Library V1. AD1 files are an example of files supported for File ID only.
Container | Description | File Type Information (when Digital Reef does the ID) |
---|---|---|
Compressed Types | ||
ARJ | An ARJ compressed file. Identified, but not supported for parsing. | application/arj |
7ZIP | A 7ZIP compressed file | application/7zip |
BZIP2 | A BZIP2 compressed file | application/x-bzip2 (Parsing Library V1, or when DR needs to identify the BZIP2) |
COMPRESS | A compressed file (Unix Compress or .COM file) | application/x-compress |
GZIP | A GNU zip file (Unix GZip). For a Bloomberg attachment archive, application/x-gzip supports an auxfiletype of bloomberg-attachment-archive. | application/x-gzip |
File Archive Types | ||
CAB | Microsoft Cabinet Archive file | Microsoft Cabinet Archive (Parsing Library V2) |
LZH | An LZH compressed file, or self-extracting LZH | application/x-lzh-compressed |
RAR | A RAR compressed file | application/x-rar-compressed |
TAR | A Unix TAR file (archive file) | application/x-tar |
ZIP or ZIPX | A ZIP or ZIPX container file (or JAR file). This includes ZIP or ZIPX containers created using the LZMA or PPMd compression formats. | application/zip |
Email Archive Types | ||
Bloomberg IB Dump (XML) | Bloomberg IB Compliance Dump Format in XML (Instant Bloomberg) | application/bloomberg-ib-dump |
Bloomberg Message Dump (XML) | Bloomberg Message Compliance Dump Format in XML | application/bloomberg-message-dump |
NSF | An IBM Lotus Notes NSF email archive. Note: Digital Reef supports Lotus Notes versions up to and including Lotus Notes 9.0.1. | application/lotusnotes |
PST (or OST) | A Microsoft Outlook PST (or OST) email archive | application/msoutlook |
MBOX | A Unix MBOX container file | mbox(rfc-822 mailbox) |
Microsoft Outlook for Mac Archive | A Mac OLM archive | application/msoutlook-mac |
Disk Image Types (including Forensic Images) | ||
AD1* | AD1 file, Forensic Toolkit (FTK) Imager Logical Image. In general, identified by Digital Reef, but not supported for parsing. | diskimage/ad1 |
BitLocker | BitLocker-encrypted partition (for example, from an LEF) | diskimage/bitlocker |
EWF | An Expert Witness Compression Format File (for example, for EnCase, E01) | diskimage/ewf |
FAT | For MS-DOS and vfat file systems | diskimage/fat |
GPT | GUID Partition Table (GPT) partitioned disk images | diskimage/gptpartitions |
HFS+ | HFS+ file system | diskimage/hfsplus |
ISO | ISO 9660 image files | diskimage/iso9660 |
LEF | Logical Evidence Files (for example, L01). Identified as a Disk Image Container file and supported for parsing. | diskimage/lef |
Linux | Linux (unpartitioned) images, including ext2, ext3, and ext4 file systems | diskimage/linux |
MBR | Master Boot Record (MBR) partitioned disk images | diskimage/mbrpartitions |
NTFS | NTFS file system | diskimage/ntfs |
Note: For searching based on legacy configurations, the DR list of types for the disk image category continues to include application/ewf (legacy ewf files only, as diskimage/ewf is the current type used for EWF files), and, for the email archive category, container(assentor), which is for legacy CA Message Manager only (now obsolete).
mbox (rfc-822 mailbox) for Parsing Library V1 and Sendmail MBOX for Parsing Library V2
For more information about the Digital Reef email file types, see Supported Emails.