Difference between revisions of "Encase hash files"
From Forensics Wiki
m (Added category) |
| Line 14: | Line 14: | ||
* [[EnCase]] | * [[EnCase]] | ||
| + | |||
| + | [[Category:Forensics File Format]] | ||
Revision as of 07:10, 8 April 2007
Although EnCase can import a variety of MD5 hash file formats, it uses a proprietary format to store its hashes. Metadata is stored at the hash set level. That is, individual hashes do not contain any information specific to them, but the set as a whole can contain some information. No filenames are stored with the hash sets.
Version 3 of EnCase used a slightly different format than versions 4 and 5. The format for version 6 is not known. Both formats start with the same header, in hexadecimal:
48 41 53 48 0d 0a ff 00
In ASCII, this reads HASH followed by a newline (the carriage return and line feed pair 0d 0a); the last two bytes, ff 00, are not printable.
The hashes begin at offset 0x480 in the file.
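The following Python sketch is an added example, not code from the wiki or from EnCase. It checks the header and reads the hash area at 0x480 before a hash set is trusted for known-file filtering. It assumes the hashes are raw 16-byte MD5 digests stored back to back until end of file, which the article does not state; the function names and the sample input are constructed for illustration.

```python
import hashlib
from typing import List

MAGIC = bytes.fromhex("48 41 53 48 0d 0a ff 00")  # header bytes given in the article
HASH_OFFSET = 0x480                               # start of the hash area per the article
MD5_LEN = 16  # ASSUMPTION: raw 16-byte MD5 digests, back to back until EOF


def parse_encase_hash_set(data: bytes) -> List[str]:
    """Return the MD5 digests (lowercase hex) stored in a hash set file image."""
    if data[:len(MAGIC)] != MAGIC:
        raise ValueError("not an EnCase hash file: header mismatch")
    if len(data) < HASH_OFFSET:
        raise ValueError("truncated file: ends before offset 0x480")
    body = data[HASH_OFFSET:]
    if len(body) % MD5_LEN:
        raise ValueError("hash area is not a whole number of 16-byte records")
    return [body[i:i + MD5_LEN].hex() for i in range(0, len(body), MD5_LEN)]


def build_sample(digests: List[bytes]) -> bytes:
    """Constructed test input: header, zero padding up to 0x480, then digests.

    The zero padding stands in for the set-level metadata, whose layout
    the article does not describe.
    """
    return MAGIC.ljust(HASH_OFFSET, b"\x00") + b"".join(digests)


if __name__ == "__main__":
    known = [hashlib.md5(s).digest() for s in (b"constructed-a", b"constructed-b")]
    for digest in parse_encase_hash_set(build_sample(known)):
        print(digest)
```

Rejecting a file on a header mismatch or a partial trailing record keeps a damaged or mislabeled hash set from silently producing wrong known-file matches.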