Encase hash files

From ForensicsWiki
Revision as of 11:47, 27 February 2007 by Jessek (Talk | contribs)

Jump to: navigation, search

Information icon.png

Please help to improve this article by expanding it.
Further information might be found on the discussion page.

Although EnCase can import a variety of MD5 hash file formats, it uses a proprietary format to store its hashes. Metadata is stored at the hash set level. That is, individual hashes do not contain any information specific to them, but the set as a whole can contain some information. No filenames are stored with the hashsets.

Version 3 of EnCase used a slightly different format than versions 4 and 5. The format for version 6 is not known. Both versions start with the header, in hexadecimal:

48 41 53 48 0d 0a ff 00

In ASCII, this looks like HASH followed by a newline.

The hashes begin at offset 0x480 in the file.

See also