Encase hash files and Pine Header Format

From ForensicsWiki

== Encase hash files ==

{{Expand}}

The [[EnCase]] forensics suite uses a proprietary file format to store sets of known hashes called the '''EnCase hash file format'''. The format stores a set of [[MD5]] hashes and [[metadata]] about the set as a whole. That is, individual hashes do not carry any information specific to them, but the set as a whole can carry some. In particular, the filename corresponding to each hash is not stored.

Version 3 of [[EnCase]] used a slightly different format than versions 4 and 5. Both formats start with the same header, in hexadecimal:

<pre>48 41 53 48 0d 0a ff 00</pre>

In ASCII, this looks like <tt>HASH</tt> followed by a newline.

The hashes begin at offset 0x480 in the file.

A quick look at a hash file created by Encase 6.8.1.8 revealed the following structure (to be verified):

'''Offset 0x0000'''

A header that consists of the following 16 bytes:

<pre>48 41 53 48 0D 0A FF 00 02 00 00 00 01 00 00 00</pre>

'''Offset 0x0010'''

Count: the number of MD5 sums contained in this file, written as a 4-byte integer in Intel little-endian format (i.e. least significant byte first).

'''Offset 0x0014'''

The range from 0x0014 to 0x0457 is filled with zero bytes. The purpose of this area is unknown.

'''Offset 0x0458'''

Category: the text that Encase shows in its "category" column. The maximum string length is 19 characters. Each character is written as a 2-byte Unicode number. Examples:

The Latin letter A is represented by the 2 bytes <pre>41 00</pre>

The Cyrillic letter Д is represented by the 2 bytes <pre>14 04</pre>

Again, Intel little-endian format is used. The unused space is filled with zero bytes.

'''Offset 0x047E'''

Two zero bytes.

'''Offset 0x0480'''

Start of the hash entries. Each entry occupies 18 bytes: the hash value itself (16 bytes) followed by 2 zero bytes. The next entry follows immediately.

The file ends with the last hash entry.

== See also ==

* [[EnCase]]

[[Category:Forensics File Format]]
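The layout described above (magic at 0x0000, little-endian count at 0x0010, UTF-16LE category at 0x0458, two zero bytes at 0x047E, 18-byte entries from 0x0480) can be exercised with a small writer and parser. This is an added example, not EnCase's own code: it builds a hash file in memory from constructed sample digests, parses it back while checking each structural claim, and looks a file's content up in the set. Because the 6.8.1.8 layout is marked "to be verified" on the page, the parser rejects anything that deviates from it rather than guessing.

```python
"""Writer and parser for the EnCase hash file layout as given above.
Added example (not EnCase's code); offsets follow the page's description."""
import hashlib
import struct

MAGIC = b"HASH\r\n\xff\x00"                               # 48 41 53 48 0D 0A FF 00
HEADER_V6 = MAGIC + b"\x02\x00\x00\x00\x01\x00\x00\x00"   # 16-byte header seen in 6.8.1.8
COUNT_OFFSET = 0x0010       # 4-byte little-endian count of MD5 entries
CATEGORY_OFFSET = 0x0458    # UTF-16LE category text, at most 19 characters
CATEGORY_MAX_CHARS = 19
PAD_OFFSET = 0x047E         # two zero bytes right before the entries
HASHES_OFFSET = 0x0480      # first 18-byte entry: 16-byte MD5 + 2 zero bytes
ENTRY_SIZE = 18
MD5_SIZE = 16


def md5_digest(content):
    """Raw 16-byte MD5 of some content, the value stored in an entry."""
    return hashlib.md5(content).digest()


def build_hash_file(category, digests):
    """Construct a hash file in memory (constructed sample, not a real EnCase export)."""
    if len(category) > CATEGORY_MAX_CHARS:
        raise ValueError("category longer than 19 characters")
    out = bytearray(HASHES_OFFSET)            # region up to 0x480 starts zero-filled
    out[0:len(HEADER_V6)] = HEADER_V6
    struct.pack_into("<I", out, COUNT_OFFSET, len(digests))
    encoded = category.encode("utf-16-le")    # 'A' -> 41 00, 'Д' -> 14 04
    out[CATEGORY_OFFSET:CATEGORY_OFFSET + len(encoded)] = encoded
    for digest in digests:
        if len(digest) != MD5_SIZE:
            raise ValueError("each digest must be a raw 16-byte MD5")
        out += digest + b"\x00\x00"
    return bytes(out)


def parse_hash_file(data):
    """Parse the layout; raise ValueError on any inconsistency instead of guessing."""
    if data[:len(MAGIC)] != MAGIC:
        raise ValueError("missing 'HASH' magic: not an EnCase hash file")
    if len(data) < HASHES_OFFSET:
        raise ValueError("file shorter than the fixed header region")
    (count,) = struct.unpack_from("<I", data, COUNT_OFFSET)
    raw_category = data[CATEGORY_OFFSET:CATEGORY_OFFSET + 2 * CATEGORY_MAX_CHARS]
    category = raw_category.decode("utf-16-le").rstrip("\x00")
    if data[PAD_OFFSET:HASHES_OFFSET] != b"\x00\x00":
        raise ValueError("expected two zero bytes at 0x047E")
    body = data[HASHES_OFFSET:]
    if len(body) % ENTRY_SIZE != 0:
        raise ValueError("hash region is not a whole number of 18-byte entries")
    digests = []
    for pos in range(0, len(body), ENTRY_SIZE):
        entry = body[pos:pos + ENTRY_SIZE]
        if entry[MD5_SIZE:] != b"\x00\x00":
            raise ValueError("non-zero padding in entry at offset 0x%X" % (HASHES_OFFSET + pos))
        digests.append(entry[:MD5_SIZE].hex())
    if len(digests) != count:
        raise ValueError("header count %d but %d entries present" % (count, len(digests)))
    return {"count": count, "category": category, "hashes": digests}


def is_known(parsed, content):
    """Match raw content against the set; the set stores hashes only, never filenames."""
    return hashlib.md5(content).hexdigest() in set(parsed["hashes"])


if __name__ == "__main__":
    sample = build_hash_file("Known Д", [md5_digest(b"alpha"), md5_digest(b"beta")])
    print(parse_hash_file(sample))
    print(is_known(parse_hash_file(sample), b"alpha"))
```

The category check uses the 19-character limit to derive the zero padding at 0x047E (0x0458 + 19 * 2 = 0x047E), which is why the parser can verify both fields against each other.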
== Pine Header Format ==

Latest revision as of 14:34, 6 March 2007

Pine composes headers in the following format:

Date: Tue, 6 Mar 2007 11:10:36 -0500 (EST)
From: Sender Name <sender@host.com>
To: Getter Name <getter@otherhost.com>
cc: Other Person <somebody@somehost.com>
Subject: The subject text
Message-ID: <Pine.LNX.4.64.0703061056380.29699@host.com>

Using the function generate_message_id in the file reply.c we can see that the format for the Message-ID line is a series of fields separated by periods, followed by the @ symbol and the hostname of the sending machine. The fields are

  1. The word Pine
  2. A three letter version of the operating system name (e.g. LNX for Linux)
  3. The major version of Pine
  4. The minor version of Pine
  5. A number YYMMDDHHmmssX, where YY is the last two digits of the year, MM the current month, DD the current day of the month, HH the current hour, mm the current minute, ss the current second, and X is either a zero or one depending on the number of seconds.
  6. The current process ID number

Note that the timestamp in the Message-Id may not necessarily match the Date line.

The hostname can be ROT-13 encrypted on some configurations. If the hostname is not defined, the value huh will be used.
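A parser for the Message-ID format described above, written as an added example (it is not Pine's `generate_message_id`). It splits the six period-separated fields, decodes the YYMMDDHHmmssX stamp, offers the ROT-13 candidate for the hostname and flags the `huh` placeholder, and measures the skew between the Message-ID stamp and the `Date` header on the page's own header block. Two assumptions are made and marked in the code: the two-digit year follows Python's `%y` pivot, and the stamp is in the same local zone as the `Date` header.

```python
"""Parser for Pine-style Message-ID values. Added example, not Pine's code."""
import codecs
import re
from datetime import datetime
from email import message_from_string
from email.utils import parsedate_to_datetime

# Pine.<OS>.<major>.<minor>.<YYMMDDHHmmssX>.<pid>@<host>, optionally in angle brackets
PINE_MSGID_RE = re.compile(
    r"^<?Pine\.(?P<os>[A-Za-z0-9]{3})\.(?P<major>\d+)\.(?P<minor>\d+)"
    r"\.(?P<stamp>\d{13})\.(?P<pid>\d+)@(?P<host>[^>\s]+)>?$"
)

# The header block shown on the page, used as sample input.
PAGE_HEADERS = """\
Date: Tue, 6 Mar 2007 11:10:36 -0500 (EST)
From: Sender Name <sender@host.com>
To: Getter Name <getter@otherhost.com>
cc: Other Person <somebody@somehost.com>
Subject: The subject text
Message-ID: <Pine.LNX.4.64.0703061056380.29699@host.com>
"""


def parse_pine_message_id(msgid):
    """Return the six fields, or None if the value is not Pine-shaped."""
    m = PINE_MSGID_RE.match(msgid.strip())
    if m is None:
        return None
    stamp = m["stamp"]
    # Assumption: %y maps 00-68 to 20xx and 69-99 to 19xx (Python's convention).
    when = datetime.strptime(stamp[:12], "%y%m%d%H%M%S")
    host = m["host"]
    return {
        "os": m["os"],
        "major": int(m["major"]),
        "minor": int(m["minor"]),
        "timestamp": when,                            # naive local time on the sender
        "flag": int(stamp[12]),                       # trailing X digit, 0 or 1
        "pid": int(m["pid"]),
        "host": host,
        "host_rot13": codecs.decode(host, "rot_13"),  # reading if the host was ROT-13 encoded
        "host_undefined": host == "huh",              # Pine's value when no hostname is set
    }


def message_id_date_skew_seconds(msgid, date_header):
    """Seconds from the Message-ID stamp to the Date header (positive: Date is later)."""
    info = parse_pine_message_id(msgid)
    if info is None:
        return None
    date = parsedate_to_datetime(date_header)
    # Assumption: the stamp is local time in the same zone the Date header carries.
    stamped = info["timestamp"].replace(tzinfo=date.tzinfo)
    return int((date - stamped).total_seconds())


def analyze_headers(raw_headers):
    """Pull Message-ID and Date out of a header block and report the parsed fields plus skew."""
    msg = message_from_string(raw_headers)
    msgid = msg["Message-ID"] or ""
    info = parse_pine_message_id(msgid)
    if info is None:
        return None
    info["date_skew_seconds"] = message_id_date_skew_seconds(msgid, msg["Date"])
    return info


if __name__ == "__main__":
    print(analyze_headers(PAGE_HEADERS))
```

On the page's example the stamp decodes to 2007-03-06 10:56:38 while the `Date` line reads 11:10:36, a skew of 838 seconds, which illustrates the note above that the two need not agree; a large skew is worth recording in a timeline rather than treating either value as authoritative.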