EnCase® Evidence File Format Version 2 (.exnn)

.exnn file signature | application/octet-stream

EnCase Evidence File Format Version 2 (EXNN) is a forensic evidence container format developed by Guidance Software, now maintained by OpenText. It is used to store disk images and related case data in digital investigations, allowing examiners to preserve and analyze acquired media in EnCase and compatible forensic tools. The format is a legacy variant of the EnCase evidence family; it is generally safe to inspect, but files should be handled as evidentiary material and verified for integrity.

Safe

Magic Bytes

Offset 0


              45 56 46 32 0D 0A 81

Sources: Gary Kessler

Extension

.exnn

MIME Type

application/octet-stream

Byte Offset

Risk Level

Safe

Validation Code

How to validate .exnn files in Python

Python

def is_exnn(file_path: str) -> bool:
    """Check if file is a valid EXNN by magic bytes."""
    signature = bytes([0x45, 0x56, 0x46, 0x32, 0x0D, 0x0A, 0x81])
    with open(file_path, "rb") as f:
        return f.read(7) == signature

How to validate .exnn files in Node.js

Node.js

function isEXNN(buffer: Buffer): boolean {
  const signature = Buffer.from([0x45, 0x56, 0x46, 0x32, 0x0D, 0x0A, 0x81]);
  return buffer.subarray(0, 7).equals(signature);
}

How to validate .exnn files in Go

func IsEXNN(data []byte) bool {
    signature := []byte{0x45, 0x56, 0x46, 0x32, 0x0D, 0x0A, 0x81}
    if len(data) < 7 {
        return false
    }
    return bytes.Equal(data[:7], signature)
}

API Endpoint

GET /api/v1/exnn


              curl https://filesignature.org/api/v1/exnn

See the full API documentation for all endpoints and parameters.

Related Formats

.ex01

Frequently Asked Questions

What is a .exnn file?

A .exnn file is a EnCase® Evidence File Format Version 2 file. EnCase Evidence File Format Version 2 (EXNN) is a forensic evidence container format developed by Guidance Software, now maintained by OpenText. It is used to store disk images and related case data in digital investigations, allowing examiners to preserve and analyze acquired media in EnCase and compatible forensic tools. The format is a legacy variant of the EnCase evidence family; it is generally safe to inspect, but files should be handled as evidentiary material and verified for integrity.

What are the magic bytes for .exnn files?

The magic bytes for EnCase® Evidence File Format Version 2 files are 45 56 46 32 0D 0A 81 at byte offset 0. These bytes uniquely identify the file format regardless of the file extension.

How do I validate a .exnn file?

To validate a .exnn file, read the first bytes of the file and compare them against the known magic bytes (45 56 46 32 0D 0A 81) at offset 0. This is more reliable than checking the file extension alone, as extensions can be renamed.

What is the MIME type for .exnn files?

There is no officially registered MIME type for .exnn files. Systems typically use application/octet-stream as a generic fallback when handling this format.

Is it safe to open .exnn files?

EnCase® Evidence File Format Version 2 (.exnn) files are generally safe to open. They are classified as low risk because they primarily contain data rather than executable code. However, always ensure files come from a trusted source.