EnCase hash map

From Just Solve the File Format Problem
(Difference between revisions)
Jump to: navigation, search
(Links)
m (Updated Forensicswiki Links)
Line 14: Line 14:
  
 
== Links ==
 
== Links ==
* [http://www.forensicswiki.org/wiki/Encase_hash_map Forensics wiki page on hash map]
+
* [https://forensicswiki.xyz/wiki/index.php?title=Encase_hash_map Forensics wiki page on hash map]
* [http://www.forensicswiki.org/wiki/EnCase Forensics wiki page on EnCase]
+
* [https://forensicswiki.xyz/wiki/index.php?title=EnCase Forensics wiki page on EnCase]
 
* [http://clientui-kb.symantec.com/resources/sites/BUSINESS/content/live/TECHNICAL_SOLUTION/136000/TECH136997/en_US/358082.pdf EnCase Ingest Connector Implementation Guide]
 
* [http://clientui-kb.symantec.com/resources/sites/BUSINESS/content/live/TECHNICAL_SOLUTION/136000/TECH136997/en_US/358082.pdf EnCase Ingest Connector Implementation Guide]
 
* [http://www.evolvediscovery.com/technology/encase_forensics.php EnCase forensics description]
 
* [http://www.evolvediscovery.com/technology/encase_forensics.php EnCase forensics description]
 
* [https://github.com/volatilityfoundation/volatility/wiki/EWF-Address-Space EWF Address Space]
 
* [https://github.com/volatilityfoundation/volatility/wiki/EWF-Address-Space EWF Address Space]

Revision as of 16:17, 1 June 2020

File Format
Name EnCase hash map
Ontology

The EnCase hash map is used by the Encase forensic software (early versions are known as Expert Witness) to store hash tables of data stored for the purpose of investigation, such as files and disk images taken from suspect hard drives.

File identification

The file begins with the hex header 45 4e 4d 41 50 20 56 34 0b 00 00 00, which spells ENMAP V4 in ASCII. (That's presumably for version 4; other versions may differ.)

Format

The MD5 hash format is used. A hash of the entire file is stored, followed by three zero bytes and then piecewise file-part hashes. The entire-file hash is preceded by the header given above, then the original filename in Unicode.

Links

Personal tools
Namespaces

Variants
Actions
Navigation
Toolbox