EnCase hash map
From Just Solve the File Format Problem
(Difference between revisions)
Dan Tobias (Talk | contribs) (Created page with "{{FormatInfo |formattype=electronic |subcat=Forensics and Law Enforcement }} The '''EnCase hash map''' is used by the Encase forensic software (early versions are known as...") |
Dan Tobias (Talk | contribs) (→Links) |
||
Line 18: | Line 18: | ||
* [http://clientui-kb.symantec.com/resources/sites/BUSINESS/content/live/TECHNICAL_SOLUTION/136000/TECH136997/en_US/358082.pdf EnCase Ingest Connector Implementation Guide] | * [http://clientui-kb.symantec.com/resources/sites/BUSINESS/content/live/TECHNICAL_SOLUTION/136000/TECH136997/en_US/358082.pdf EnCase Ingest Connector Implementation Guide] | ||
* [http://www.evolvediscovery.com/technology/encase_forensics.php EnCase forensics description] | * [http://www.evolvediscovery.com/technology/encase_forensics.php EnCase forensics description] | ||
+ | * [https://github.com/volatilityfoundation/volatility/wiki/EWF-Address-Space EWF Address Space] |
Revision as of 03:11, 5 June 2015
The EnCase hash map is used by the Encase forensic software (early versions are known as Expert Witness) to store hash tables of data stored for the purpose of investigation, such as files and disk images taken from suspect hard drives.
File identification
The file begins with the hex header 45 4e 4d 41 50 20 56 34 0b 00 00 00
, which spells ENMAP V4
in ASCII. (That's presumably for version 4; other versions may differ.)
Format
The MD5 hash format is used. A hash of the entire file is stored, followed by three zero bytes and then piecewise file-part hashes. The entire-file hash is preceded by the header given above, then the original filename in Unicode.