EnCase case file (.cas)

.cas file signature | application/octet-stream

EnCase case file is a forensic evidence container format created by Guidance Software and maintained through the EnCase digital investigation platform. It is used to store disk images, collected artifacts, and investigation data for computer forensics, incident response, and legal discovery. Because it preserves acquired evidence, the format is typically handled in trusted forensic tools; case files may contain sensitive data, and older EnCase versions are associated with legacy investigative workflows.

Safe

Magic Bytes

Offset 0


              5F 43 41 53 45 5F

Sources: Gary Kessler

Extension

.cas

MIME Type

application/octet-stream

Byte Offset

Risk Level

Safe

Validation Code

How to validate .cas files in Python

Python

def is_cas(file_path: str) -> bool:
    """Check if file is a valid CAS by magic bytes."""
    signature = bytes([0x5F, 0x43, 0x41, 0x53, 0x45, 0x5F])
    with open(file_path, "rb") as f:
        return f.read(6) == signature

How to validate .cas files in Node.js

Node.js

function isCAS(buffer: Buffer): boolean {
  const signature = Buffer.from([0x5F, 0x43, 0x41, 0x53, 0x45, 0x5F]);
  return buffer.subarray(0, 6).equals(signature);
}

How to validate .cas files in Go

func IsCAS(data []byte) bool {
    signature := []byte{0x5F, 0x43, 0x41, 0x53, 0x45, 0x5F}
    if len(data) < 6 {
        return false
    }
    return bytes.Equal(data[:6], signature)
}

API Endpoint

GET /api/v1/cas


              curl https://filesignature.org/api/v1/cas

See the full API documentation for all endpoints and parameters.

Related Formats

.cbk

Frequently Asked Questions

What is a .cas file?

A .cas file is a EnCase case file file. EnCase case file is a forensic evidence container format created by Guidance Software and maintained through the EnCase digital investigation platform. It is used to store disk images, collected artifacts, and investigation data for computer forensics, incident response, and legal discovery. Because it preserves acquired evidence, the format is typically handled in trusted forensic tools; case files may contain sensitive data, and older EnCase versions are associated with legacy investigative workflows.

What are the magic bytes for .cas files?

The magic bytes for EnCase case file files are 5F 43 41 53 45 5F at byte offset 0. These bytes uniquely identify the file format regardless of the file extension.

How do I validate a .cas file?

To validate a .cas file, read the first bytes of the file and compare them against the known magic bytes (5F 43 41 53 45 5F) at offset 0. This is more reliable than checking the file extension alone, as extensions can be renamed.

What is the MIME type for .cas files?

There is no officially registered MIME type for .cas files. Systems typically use application/octet-stream as a generic fallback when handling this format.

Is it safe to open .cas files?

EnCase case file (.cas) files are generally safe to open. They are classified as low risk because they primarily contain data rather than executable code. However, always ensure files come from a trusted source.