Encase hash map

From ForensicsWiki
Revision as of 17:29, 1 November 2010 by Jessek (Talk | contribs)

(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to: navigation, search

40px-Ambox warning pn.png

This article, and others, needs to be wikified.
Please remove this template after wikifying.

Information icon.png

Please help to improve this article by expanding it.
Further information might be found on the discussion page.

The EnCase suite of tools can generate 'hash maps', or 'EnMap' files, which allow users to identify chunks of files when the whole file is not available. This data is stored in a file with a .EnMap extension and contains piecewise MD5 hashes of the file. Each EnMap file has the following format:

The file has an ASCII header, ENMAP V4, or in hex 45 4e 4d 41 50 20 56 34 0b 00 00 00.

This is followed by a Unicode representation of the original filename.

There is then an MD5 hash of the entire file. This hash is followed by three bytes of zeros, and then a hexadecimal representation of each piecewise hash.

Many computer forensic programs, especially the all-in-one suites, use their own file formats to store information.