Logical File Evidence Format (.lnn)

.lnn file signature | application/octet-stream

Logical File Evidence Format (L01) is a segment type within the Expert Witness Compression Format used by Guidance Software’s EnCase forensic suite, originally developed by Guidance Software and later maintained by OpenText. It is used to store logical copies of files and folders for digital forensics, evidence preservation, and analysis in investigation workflows. The format is primarily historical and is considered a legacy evidence container; as with any forensic image, it should be handled carefully to preserve chain of custody.

Safe

Magic Bytes

Offset 0


              4C 56 46 09 0D 0A FF 00

Sources: Gary Kessler

Extension

.lnn

MIME Type

application/octet-stream

Byte Offset

Risk Level

Safe

Validation Code

How to validate .lnn files in Python

Python

def is_lnn(file_path: str) -> bool:
    """Check if file is a valid LNN by magic bytes."""
    signature = bytes([0x4C, 0x56, 0x46, 0x09, 0x0D, 0x0A, 0xFF, 0x00])
    with open(file_path, "rb") as f:
        return f.read(8) == signature

How to validate .lnn files in Node.js

Node.js

function isLNN(buffer: Buffer): boolean {
  const signature = Buffer.from([0x4C, 0x56, 0x46, 0x09, 0x0D, 0x0A, 0xFF, 0x00]);
  return buffer.subarray(0, 8).equals(signature);
}

How to validate .lnn files in Go

func IsLNN(data []byte) bool {
    signature := []byte{0x4C, 0x56, 0x46, 0x09, 0x0D, 0x0A, 0xFF, 0x00}
    if len(data) < 8 {
        return false
    }
    return bytes.Equal(data[:8], signature)
}

API Endpoint

GET /api/v1/lnn


              curl https://filesignature.org/api/v1/lnn

See the full API documentation for all endpoints and parameters.

Frequently Asked Questions

What is a .lnn file?

A .lnn file is a Logical File Evidence Format file. Logical File Evidence Format (L01) is a segment type within the Expert Witness Compression Format used by Guidance Software’s EnCase forensic suite, originally developed by Guidance Software and later maintained by OpenText. It is used to store logical copies of files and folders for digital forensics, evidence preservation, and analysis in investigation workflows. The format is primarily historical and is considered a legacy evidence container; as with any forensic image, it should be handled carefully to preserve chain of custody.

What are the magic bytes for .lnn files?

The magic bytes for Logical File Evidence Format files are 4C 56 46 09 0D 0A FF 00 at byte offset 0. These bytes uniquely identify the file format regardless of the file extension.

How do I validate a .lnn file?

To validate a .lnn file, read the first bytes of the file and compare them against the known magic bytes (4C 56 46 09 0D 0A FF 00) at offset 0. This is more reliable than checking the file extension alone, as extensions can be renamed.

What is the MIME type for .lnn files?

There is no officially registered MIME type for .lnn files. Systems typically use application/octet-stream as a generic fallback when handling this format.

Is it safe to open .lnn files?

Logical File Evidence Format (.lnn) files are generally safe to open. They are classified as low risk because they primarily contain data rather than executable code. However, always ensure files come from a trusted source.