What is Encase LEF File or L01 Logical Evidence File
What is Encase LEF File Format?
Encase L01 or LEF file is a logical evidence file that is created by the most efficient EnCase Forensics software and is commonly known as LEF file. It was initially named as Expert Witness that helps investigators in extracting the digital image respective to the evidence present on the local system of a user. It is the short form of EnCase Logical Evidence File. The main purpose of this LEF file is to keep a record of evidence maintained in the file with extension .lx01. However, while investigating an expert can save the file as an image file.
Moreover, Encase LEF File delivers the replica of evidence without influencing or manipulating the original data file in terms of consistency and integrity to the expert. This article complies to illustrate all a user needs to about what is Encase LEF file format is and how to create an evidence file.
Suggestion: If you want to open and view LEF evidence files in that case, you can take the help of LEF Viewer Freeware.
Specification of Encase LEF File Format
| Developer | Guidance software |
| File Type | Disk Image Files |
| MIME Type | application/octet-stream |
| File Signature | 4C 56 46 09 0D 0A FF 00 |
| Default Location | User defined location |
| Full Form | EnCase Logical Evidence File |
| Supported Extensions | .L01 |
Purpose of EnCase Logical Evidence File (.L01) in Forensics
As everybody knows the digital information is the most important factor in every investigation, which is to be preserved and protected carefully. Therefore, EnCase is one of the outstanding digital forensic applications, which is used by most forensics experts.
- With the help of this tool, all the digital evidence can easily be extracted from, emails, physical devices, or other hard drives.
- To prevent the loss or corruption of crucial digital proofs, investigators avoid the use or copying of files for data preservation. Hence, this EnCase forensic tool itself offers a reliable feature that permits to produce EnCase image file of the extracted data.
- To keep the data without any loss or manipulation in the important information, one can use these encase LEF (.L01) files. It proves to be an efficient solution for preserving the crucial data that can be used in future for court proceedings.
- The Encase LEF L01 files prove to be beneficial in many different ways such as rather than saving the complete disk image, an expert can save only the required files also from all evidence. Moreover, one can carry the original copy of selected evidences along with its associated meta properties such as file size, file name, logical size, physical size, last accessed time etc.
- In order to examine only particular evidence from a large amount of data, one can use EnCase forensic tool. Therefore, extracting the image files in L01 file format helps to save only selected evidences and saving the memory storage also.
Characteristics of EnCase LEF File Extension
Some of the important characteristics offered by Encase Logical Evidence files are mentioned below:
- Depending upon the requirement of user’s, Encase L01 files are created to save image files with respect to selected files or folders.
- It makes sure that consistency of data is maintained in extracted image file i.e. all the extracted information & evidences are stored in an original format.
- The image of selected evidences is complete in all sense and there is no loss of data. It extracts all the data by maintaining the integrity.
- Using Encase LEF file format an investigator can also extract information from other EnCase sources such as Records, Snapshots, etc.
- MD5 rehashing algorithms are used to retain the integrity of data in each extracted evidence item.
What are the Types of Encase LEF Logical Evidence File
There are two different types of evidence file that a user can create and are discussed below:
- EnCase Evidence File
Byte-for-byte representation of a physical device or logical volume is an EnCase evidence files (.E01).With the help of this file format, an expert can save the whole evidence and extracts the crucial information as an image file.
- Encase Logical Evidence File
Logical evidence files (.L01) are generated from previews, existing evidence files, etc. These are typically generated after an analysis locates some files for forensic reasons, and they are stored in a forensic container. These files are the single files that help investigators to save the selected folder instead of saving the entire information.
How to Create Logical Evidence File in EnCase
In order to create a logical evidence file, follow the steps mentioned below:
1. Open the Evidence tab and choose any number of entries in the left pane to create Encase LEF file.
2. Now, right-click and click on Acquire >> Create Logical Evidence File from the drop-down menu
3. In Create Encase Logical Evidence File, open Location tab and fill all the entries
4. If you want to add this file to an existing logical evidence file, then check the Add to existing evidence file option.
5. Now, open Logical tab and fill all entries.
6. After that open the Format tab and enter all required details
7. Now, click on Encryption option and Encryption Details dialog box is opened
8. Select the key icon from the upper pane to open New Encryption Key dialog and click Next to create a new encryption key
9. After that, Password dialog box is opened
10. Mention the encryption key and set the password by entering in Password field
11. Now, re-enter password in Confirm Password field and click on Finish button
12. Save the public key that is created by you by clicking on Save button
13. Now, go back to Encryption Details dialog and click on Update button to see the key that you have just created
14. After that, check the new key checkbox and click on the OK option to create Encase LEF file.
Conclusion
After understanding the importance of Encase LEF file for the users, we have covered all important aspects of LEF files from user’s point of view. The main purpose of this post is to let the users easily understand what is LEF file format, what is EnCase logical evidence file and how can it beneficial for investigators from the digital forensics point of view.