Proprietary format with embedded metadata

EnCase is a widely used proprietary forensics tool. It is especially popular among examiners who focus on Windows systems. The EnCase file format consists of a header, the raw sectors with checksums every 32 kilobytes (64 standard sectors), and a footer. The header contains metadata such as the examiner and acquisition date, and ends with a checksum. The footer has an MD5 checksum for the media image.

The EnCase file format supports compression. Compression is done at the block level, which makes searching a little faster than it would be otherwise. This is because most searches look for certain types of files, and the file headers at the beginning of blocks (sectors) are used to determine file type.
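The following added example (not EnCase code, and not the real on-disk layout) models the ideas above in a toy image: per-block checksums localize damage that the footer MD5 can only detect, and independent block compression lets a signature search inflate just the first bytes of each block. The function names, the in-memory structure and the use of Adler-32 as the block checksum are assumptions made for illustration.

```python
import hashlib
import zlib

BLOCK_SIZE = 64 * 512  # 64 standard 512-byte sectors = 32 KiB per checksummed block

def acquire(media: bytes):
    """Toy image: independently compressed blocks with checksums, plus a footer MD5."""
    blocks = []
    for off in range(0, len(media), BLOCK_SIZE):
        raw = media[off:off + BLOCK_SIZE]
        # Adler-32 is an assumption here; the text does not name the block checksum.
        blocks.append((zlib.compress(raw), zlib.adler32(raw)))
    return blocks, hashlib.md5(media).hexdigest()

def verify(blocks, footer_md5):
    """Return (indexes of blocks failing their checksum, footer MD5 matches?)."""
    bad, md5 = [], hashlib.md5()
    for i, (comp, checksum) in enumerate(blocks):
        try:
            raw = zlib.decompress(comp)
        except zlib.error:
            bad.append(i)  # block cannot even be inflated
            continue
        if zlib.adler32(raw) != checksum:
            bad.append(i)
        md5.update(raw)
    return bad, md5.hexdigest() == footer_md5

def find_signature(blocks, magic: bytes):
    """Indexes of blocks that begin with `magic`, inflating only the first bytes."""
    hits = []
    for i, (comp, _) in enumerate(blocks):
        head = zlib.decompressobj().decompress(comp, len(magic))
        if head == magic:
            hits.append(i)
    return hits

def sample_media() -> bytes:
    """Constructed 4-block media: a JPEG header in block 1, a PDF header in block 3."""
    blank = bytes(BLOCK_SIZE)
    jpeg = b"\xff\xd8\xff\xe0" + bytes(BLOCK_SIZE - 4)
    pdf = b"%PDF" + bytes(BLOCK_SIZE - 4)
    return blank + jpeg + blank + pdf

if __name__ == "__main__":
    blocks, md5 = acquire(sample_media())
    print(find_signature(blocks, b"\xff\xd8\xff\xe0"), verify(blocks, md5))
    damaged = bytearray(BLOCK_SIZE)
    damaged[100] = 1  # one altered byte in block 2
    blocks[2] = (zlib.compress(bytes(damaged)), blocks[2][1])
    print(verify(blocks, md5))  # the block checksum localizes the damage
```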
