EnCase hash map
From Just Solve the File Format Problem
(Difference between revisions)
Dan Tobias (Talk | contribs) (→Links) |
(Updating Forensics Wiki links) |
||
(One intermediate revision by one user not shown) | |||
Line 3: | Line 3: | ||
|subcat=Forensics and Law Enforcement | |subcat=Forensics and Law Enforcement | ||
}} | }} | ||
− | The ''' | + | The '''EnCase hash map''' is used by the Encase forensic software (early versions are known as Expert Witness) to store hash tables of data stored for the purpose of investigation, such as files and disk images taken from suspect hard drives. |
== File identification == | == File identification == | ||
Line 14: | Line 14: | ||
== Links == | == Links == | ||
− | * [ | + | * [{{ForensicsWikiURL|encase_hash_map}} Forensics wiki page on hash map] |
− | * [ | + | * [{{ForensicsWikiURL|encase}} Forensics wiki page on EnCase] |
* [http://clientui-kb.symantec.com/resources/sites/BUSINESS/content/live/TECHNICAL_SOLUTION/136000/TECH136997/en_US/358082.pdf EnCase Ingest Connector Implementation Guide] | * [http://clientui-kb.symantec.com/resources/sites/BUSINESS/content/live/TECHNICAL_SOLUTION/136000/TECH136997/en_US/358082.pdf EnCase Ingest Connector Implementation Guide] | ||
* [http://www.evolvediscovery.com/technology/encase_forensics.php EnCase forensics description] | * [http://www.evolvediscovery.com/technology/encase_forensics.php EnCase forensics description] | ||
* [https://github.com/volatilityfoundation/volatility/wiki/EWF-Address-Space EWF Address Space] | * [https://github.com/volatilityfoundation/volatility/wiki/EWF-Address-Space EWF Address Space] |
Latest revision as of 13:24, 2 September 2023
The EnCase hash map is used by the Encase forensic software (early versions are known as Expert Witness) to store hash tables of data stored for the purpose of investigation, such as files and disk images taken from suspect hard drives.
[edit] File identification
The file begins with the hex header 45 4e 4d 41 50 20 56 34 0b 00 00 00
, which spells ENMAP V4
in ASCII. (That's presumably for version 4; other versions may differ.)
[edit] Format
The MD5 hash format is used. A hash of the entire file is stored, followed by three zero bytes and then piecewise file-part hashes. The entire-file hash is preceded by the header given above, then the original filename in Unicode.