±Forensic Focus Partners

Become an advertising partner

±Your Account


Username
Password

Forgotten password/username?

Site Members:

New Today: 0 Overall: 36595
New Yesterday: 0 Visitors: 157

±Follow Forensic Focus

Forensic Focus Facebook PageForensic Focus on TwitterForensic Focus LinkedIn GroupForensic Focus YouTube Channel

RSS feeds: News Forums Articles

±Latest Articles

±Latest Videos

±Latest Jobs

EnCase Hash conversion

Forensic software discussion (commercial and open source/freeware). Strictly no advertising.
Reply to topicReply to topic Printer Friendly Page
Forum FAQSearchView unanswered posts
Page 1, 2  Next 
  

Passmark
Senior Member
 

EnCase Hash conversion

Post Posted: Jun 18, 12 04:32

Is anyone aware of public code or script to dump the MD5 values from a EnCase hash file into plain text (or CSV).

The file format seems to be semi documented and there was another post stating that it can (and has) been done, but the code doesn't seem to be public.  
 
  

hmorgan
Senior Member
 

Re: EnCase Hash conversion

Post Posted: Jun 18, 12 14:44

- Passmark
Is anyone aware of public code or script to dump the MD5 values from a EnCase hash file into plain text (or CSV).

The file format seems to be semi documented and there was another post stating that it can (and has) been done, but the code doesn't seem to be public.



Its not that complicated a format, once you're past the headers the MD5s are in binary. I've written a program that goes the opposite way.

The number of hashes is stored at offset 16
The hash set name is at 1032, the category is at 1112, the hashes start at 1152, 16 bytes long and are separated by two null bytes.

also, could you just not export the hashes from within encase.  
 
  

Passmark
Senior Member
 

Re: EnCase Hash conversion

Post Posted: Jun 19, 12 03:54

Yes, I had a look at the format. It doesn't seem too complicated. I was just trying to save an hour writing a testing some code.

I don't have EnCase, just a hash set from EnCase.  
 
  

JLEllis
Member
 

Re: EnCase Hash conversion

Post Posted: Jun 21, 12 10:32

- hmorgan
.. also, could you just not export the hashes from within encase.


Encase doesn't seem to support exporting hash sets to .csv, or at least I haven't found a way to do so yet (v.7).

I have come up with a work around using a text editor and word processing software.  
 
  

LukeLuke
Member
 

Re: EnCase Hash conversion

Post Posted: Jun 25, 12 19:17

With encase is 1 minute work. If you want I can help Smile  
 
  

JLEllis
Member
 

Re: EnCase Hash conversion

Post Posted: Jul 09, 12 05:12

- LukeLuke
With encase is 1 minute work. If you want I can help Smile


So, how is it done?  
 
  

hmorgan
Senior Member
 

Re: EnCase Hash conversion

Post Posted: Jul 09, 12 16:53

- JLEllis
- LukeLuke
With encase is 1 minute work. If you want I can help Smile


So, how is it done?


Export them from the Hash items view in hash sets  
 

Page 1 of 2
Page 1, 2  Next