EnCase hash map

From Just Solve the File Format Problem
(Difference between revisions)
(Created page with "{{FormatInfo |formattype=electronic |subcat=Forensics and Law Enforcement }} The '''EnCase hash map''' is used by the Encase forensic software (early versions are known as...")
 
(Updating Forensics Wiki links)
 
(2 intermediate revisions by 2 users not shown)
Line 3: Line 3:
 
|subcat=Forensics and Law Enforcement
 
|subcat=Forensics and Law Enforcement
 
}}
 
}}
The '''[[EnCase hash map]]''' is used by the Encase forensic software (early versions are known as Expert Witness) to store hash tables of data stored for the purpose of investigation, such as files and disk images taken from suspect hard drives.
+
The '''EnCase hash map''' is used by the Encase forensic software (early versions are known as Expert Witness) to store hash tables of data stored for the purpose of investigation, such as files and disk images taken from suspect hard drives.
  
 
== File identification ==
 
== File identification ==
Line 14: Line 14:
  
 
== Links ==
 
== Links ==
* [http://www.forensicswiki.org/wiki/Encase_hash_map Forensics wiki page on hash map]
+
* [{{ForensicsWikiURL|encase_hash_map}} Forensics wiki page on hash map]
* [http://www.forensicswiki.org/wiki/EnCase Forensics wiki page on EnCase]
+
* [{{ForensicsWikiURL|encase}} Forensics wiki page on EnCase]
 
* [http://clientui-kb.symantec.com/resources/sites/BUSINESS/content/live/TECHNICAL_SOLUTION/136000/TECH136997/en_US/358082.pdf EnCase Ingest Connector Implementation Guide]
 
* [http://clientui-kb.symantec.com/resources/sites/BUSINESS/content/live/TECHNICAL_SOLUTION/136000/TECH136997/en_US/358082.pdf EnCase Ingest Connector Implementation Guide]
 
* [http://www.evolvediscovery.com/technology/encase_forensics.php EnCase forensics description]
 
* [http://www.evolvediscovery.com/technology/encase_forensics.php EnCase forensics description]
 +
* [https://github.com/volatilityfoundation/volatility/wiki/EWF-Address-Space EWF Address Space]
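Review bot: The two replaced Forensics Wiki links pass lower-cased page names to the template (`encase_hash_map`, `encase`) where the old URLs used `Encase_hash_map` and `EnCase`; confirm that the ForensicsWikiURL target resolves these regardless of case, or keep the original casing in the template arguments. The newly added link at the end of the list is titled "EWF Address Space" rather than anything about the hash map, so a few words after it saying how it relates to this format would help readers.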

Latest revision as of 13:24, 2 September 2023

File Format
Name EnCase hash map
Ontology

The EnCase hash map is used by the EnCase forensic software (early versions were known as Expert Witness) to store hash tables of data held for the purpose of investigation, such as files and disk images taken from suspect hard drives.

File identification

The file begins with the hex header 45 4e 4d 41 50 20 56 34 0b 00 00 00, which spells ENMAP V4 in ASCII. (That's presumably for version 4; other versions may differ.)
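A signature check for the header quoted above, as an added example that is not part of the original page. It assumes that other versions keep the `ENMAP V` prefix and change the bytes after it, which the page does not confirm; the function names and sample buffers are made up for illustration.

```python
"""Identify EnCase hash map files by the 12-byte header quoted on this page."""
from enum import Enum

# Header bytes as given on the page: "ENMAP V4" followed by 0b 00 00 00.
ENMAP_V4_HEADER = bytes.fromhex("454e4d4150205634" "0b000000")
HEADER_LEN = len(ENMAP_V4_HEADER)
# Assumption (not stated on the page): other versions keep this prefix.
ENMAP_PREFIX = b"ENMAP V"


class Verdict(Enum):
    V4 = "header matches the version 4 signature"
    OTHER_VERSION = "ENMAP prefix present, remaining header bytes differ"
    TRUNCATED = "fewer than 12 bytes, but consistent with the signature so far"
    NO_MATCH = "not an EnCase hash map signature"


def identify_enmap(data: bytes) -> Verdict:
    """Classify the leading bytes of a file against the ENMAP signature."""
    head = data[:HEADER_LEN]
    if head == ENMAP_V4_HEADER:
        return Verdict.V4
    if len(head) < HEADER_LEN:
        # Short input is inconclusive only while it still agrees with the magic.
        consistent = ENMAP_PREFIX.startswith(head) or head.startswith(ENMAP_PREFIX)
        return Verdict.TRUNCATED if consistent else Verdict.NO_MATCH
    if head.startswith(ENMAP_PREFIX):
        return Verdict.OTHER_VERSION
    return Verdict.NO_MATCH


def identify_file(path: str) -> Verdict:
    """Read only the header bytes, so large evidence files are not loaded."""
    with open(path, "rb") as fh:
        return identify_enmap(fh.read(HEADER_LEN))


if __name__ == "__main__":
    # Constructed sample buffers, not taken from real hash map files.
    samples = {
        "v4 header plus filler": ENMAP_V4_HEADER + b"\x00" * 16,
        "different version digit": b"ENMAP V5\x0b\x00\x00\x00",
        "cut off after the ASCII part": b"ENMAP V4",
        "unrelated file": b"PK\x03\x04" + b"\x00" * 20,
    }
    for label, blob in samples.items():
        print(f"{label}: {identify_enmap(blob).name}")
```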

Format

The MD5 hash format is used. A hash of the entire file is stored, followed by three zero bytes and then piecewise file-part hashes. The entire-file hash is preceded by the header given above, then the original filename in Unicode.

Links
