Difference between revisions of "Encase hash files"

From ForensicsWiki
Jump to: navigation, search
m
m (Added category)
Line 14: Line 14:
  
 
* [[EnCase]]
 
* [[EnCase]]
 +
 +
[[Category:Forensics File Format]]

Revision as of 08:10, 8 April 2007

Information icon.png

Please help to improve this article by expanding it.
Further information might be found on the discussion page.

Although EnCase can import a variety of MD5 hash file formats, it uses a proprietary format to store its hashes. Metadata is stored at the hash set level. That is, individual hashes do not contain any information specific to them, but the set as a whole can contain some information. No filenames are stored with the hashsets.

Version 3 of EnCase used a slightly different format than versions 4 and 5. The format for version 6 is not known. Both versions start with the header, in hexadecimal:

48 41 53 48 0d 0a ff 00

In ASCII, this looks like HASH followed by a newline.

The hashes begin at offset 0x480 in the file.

See also