EnCase hash map

From Just Solve the File Format Problem
Revision as of 16:17, 1 June 2020 by Mark0 (Talk | contribs)

(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to: navigation, search
File Format
Name EnCase hash map
Ontology

The EnCase hash map is used by the Encase forensic software (early versions are known as Expert Witness) to store hash tables of data stored for the purpose of investigation, such as files and disk images taken from suspect hard drives.

File identification

The file begins with the hex header 45 4e 4d 41 50 20 56 34 0b 00 00 00, which spells ENMAP V4 in ASCII. (That's presumably for version 4; other versions may differ.)

Format

The MD5 hash format is used. A hash of the entire file is stored, followed by three zero bytes and then piecewise file-part hashes. The entire-file hash is preceded by the header given above, then the original filename in Unicode.

Links

Personal tools
Namespaces

Variants
Actions
Navigation
Toolbox