Encase hash files

From Forensics Wiki

Revision as of 10:28, 25 January 2008


Although EnCase can import a variety of MD5 hash file formats, it uses a proprietary format to store its hashes. Metadata is stored at the hash set level. That is, individual hashes do not carry any information specific to them, but the set as a whole can contain some information. No filenames are stored with the hash sets.

Version 3 of EnCase used a slightly different format than versions 4 and 5. Both versions start with the header, in hexadecimal:

48 41 53 48 0d 0a ff 00

In ASCII, this looks like HASH followed by a newline.

The hashes begin at offset 0x480 in the file.



A quick look at a hash file created by Encase 6.8.1.8 revealed the following structure (to be verified):


Offset 0x0000

A header that consists of the following 16 bytes:

48 41 53 48 0D 0A FF 00 02 00 00 00 01 00 00 00


Offset 0x0010

Count: The number of MD5 sums contained in this file, written as a 4-byte integer in Intel little-endian format (i.e. least significant byte first).


Offset 0x0014

The range from 0x0014 to 0x0457 is filled by zero-bytes. The purpose of this area is unknown.


Offset 0x0458

Category: The text that Encase shows in its "category" column. The maximum string length is 19 characters. Each character is written as a 2-byte Unicode value. Examples:

The Latin letter A is represented by the 2 bytes 41 00

The Cyrillic letter Д is represented by the 2 bytes 14 04

Again, Intel little endian format is used. The unused space is filled up by zero-bytes.


Offset 0x047E

Two zero-bytes.


Offset 0x0480

Start of the hash entries. Each entry occupies 18 bytes: The hash value itself (16 bytes) followed by 2 zero-bytes. The next entry follows immediately.

The file ends with the last hash entry.
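The following is an added example, not code from the Forensics Wiki or from EnCase's vendor, that turns the layout described above (header at 0x0000, count at 0x0010, UTF-16LE category at 0x0458, two zero bytes at 0x047E, 18-byte entries from 0x0480) into a builder and a strict parser. Since the article marks the layout as "to be verified", the offsets and the validation rules are assumptions taken from the text; the function names and the sample hash set are constructed for this example.

```python
"""Builder and parser for the EnCase 6 hash-set layout described above.

Hypothetical example code written for this page; it is not EnCase's own
code and relies only on the (unverified) layout stated in the article.
"""
import hashlib
import struct

# Constructed constants taken from the layout described in the article.
MAGIC = bytes.fromhex("48 41 53 48 0D 0A FF 00")           # "HASH\r\n\xff\x00"
HEADER = MAGIC + bytes.fromhex("02 00 00 00 01 00 00 00")  # 16-byte header seen in 6.8.1.8
COUNT_OFFSET = 0x0010        # 4-byte little-endian entry count
CATEGORY_OFFSET = 0x0458     # UTF-16LE category string, max 19 characters
CATEGORY_MAX_CHARS = 19
CATEGORY_END = CATEGORY_OFFSET + 2 * CATEGORY_MAX_CHARS  # == 0x047E
HASH_OFFSET = 0x0480         # first 18-byte entry: 16-byte MD5 + 2 zero bytes
ENTRY_SIZE = 18

# Constructed sample hash set: MD5 of the empty string and of b"abc".
SAMPLE_HASHES = [hashlib.md5(b"").hexdigest(), hashlib.md5(b"abc").hexdigest()]


def build_hash_file(category: str, md5_hexes) -> bytes:
    """Serialise a category name and a list of hex MD5 digests in the page's layout."""
    if len(category) > CATEGORY_MAX_CHARS:
        raise ValueError("category longer than 19 characters")
    buf = bytearray(HASH_OFFSET)            # 0x480 bytes, zero-filled by default
    buf[0:len(HEADER)] = HEADER
    struct.pack_into("<I", buf, COUNT_OFFSET, len(md5_hexes))
    encoded = category.encode("utf-16-le")  # e.g. 'A' -> 41 00, 'Д' -> 14 04
    buf[CATEGORY_OFFSET:CATEGORY_OFFSET + len(encoded)] = encoded
    for hex_digest in md5_hexes:
        digest = bytes.fromhex(hex_digest)
        if len(digest) != 16:
            raise ValueError("MD5 digest must be 16 bytes")
        buf += digest + b"\x00\x00"        # entry: hash followed by two zero bytes
    return bytes(buf)


def parse_hash_file(data: bytes) -> dict:
    """Validate the fixed layout and return category, count and hex digests.

    Raises ValueError on any inconsistency, so a truncated or foreign file is
    rejected instead of silently yielding a partial hash set.
    """
    if len(data) < HASH_OFFSET:
        raise ValueError("file shorter than the 0x480-byte header area")
    if data[:len(MAGIC)] != MAGIC:
        raise ValueError("missing HASH magic")
    count = struct.unpack_from("<I", data, COUNT_OFFSET)[0]
    category = data[CATEGORY_OFFSET:CATEGORY_END].decode("utf-16-le").rstrip("\x00")
    if data[CATEGORY_END:HASH_OFFSET] != b"\x00\x00":
        raise ValueError("expected two zero bytes at 0x47E")
    body = data[HASH_OFFSET:]
    if len(body) % ENTRY_SIZE:
        raise ValueError("trailing bytes are not a whole 18-byte entry")
    hashes = []
    for pos in range(0, len(body), ENTRY_SIZE):
        entry = body[pos:pos + ENTRY_SIZE]
        if entry[16:] != b"\x00\x00":
            raise ValueError("entry padding is not zero")
        hashes.append(entry[:16].hex())
    if len(hashes) != count:
        raise ValueError(f"header count {count} != {len(hashes)} entries present")
    return {"category": category, "count": count, "hashes": hashes}


def is_hash_file(data: bytes) -> bool:
    """True if data parses cleanly under the layout above."""
    try:
        parse_hash_file(data)
        return True
    except ValueError:
        return False


def lookup(parsed: dict, content: bytes) -> bool:
    """Check whether the MD5 of content is present in the parsed hash set."""
    return hashlib.md5(content).hexdigest() in set(parsed["hashes"])


if __name__ == "__main__":
    blob = build_hash_file("Known \u0414", SAMPLE_HASHES)  # 'Д' is stored as 14 04
    info = parse_hash_file(blob)
    print(info["category"], info["count"], lookup(info, b"abc"))
```

The parser deliberately cross-checks the count field against the number of 18-byte entries actually present, because a set that is truncated on disk would otherwise match fewer files than the examiner believes it does; round-tripping a file through build_hash_file and parse_hash_file is also a cheap way to verify the offsets against a real EnCase-produced set.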


See also