Difference between revisions of "Encase hash files"

From ForensicsWiki
Jump to: navigation, search
(Cleaned up and added detail for hash start)
m
Line 1: Line 1:
 
{{Expand}}
 
{{Expand}}
  
'''Encase hash files''' are different from version 3 to versions 4 and 5. Both versions start with the header, in hexadecimal:
+
Although [[EnCase]] can import a variety of [[MD5]] hash file formats, it uses a proprietary format to store its hashes. [[Metadata]] is stored at the hash set level. That is, individual hashes do not contain any information specific to them, but the set as a whole can contain some information. No filenames are stored with the hashsets.
 +
 
 +
Version 3 of [[EnCase]] used a slightly different format than versions 4 and 5. The format for version 6 is not known. Both versions start with the header, in hexadecimal:
  
 
<pre>48 41 53 48 0d 0a ff 00</pre>
 
<pre>48 41 53 48 0d 0a ff 00</pre>

Revision as of 12:47, 27 February 2007

Information icon.png

Please help to improve this article by expanding it.
Further information might be found on the discussion page.

Although EnCase can import a variety of MD5 hash file formats, it uses a proprietary format to store its hashes. Metadata is stored at the hash set level. That is, individual hashes do not contain any information specific to them, but the set as a whole can contain some information. No filenames are stored with the hashsets.

Version 3 of EnCase used a slightly different format than versions 4 and 5. The format for version 6 is not known. Both versions start with the header, in hexadecimal:

48 41 53 48 0d 0a ff 00

In ASCII, this looks like HASH followed by a newline.

The hashes begin at offset 0x480 in the file.

See also