EnCase Hash convers...
 
Notifications
Clear all

EnCase Hash conversion

11 Posts
7 Users
0 Likes
1,448 Views
Passmark
(@passmark)
Posts: 376
Reputable Member
Topic starter
 

Is anyone aware of public code or script to dump the MD5 values from a EnCase hash file into plain text (or CSV).

The file format seems to be semi documented and there was another post stating that it can (and has) been done, but the code doesn't seem to be public.

 
Posted : 18/06/2012 4:32 am
(@angrybadger)
Posts: 164
Estimable Member
 

Is anyone aware of public code or script to dump the MD5 values from a EnCase hash file into plain text (or CSV).

The file format seems to be semi documented and there was another post stating that it can (and has) been done, but the code doesn't seem to be public.

Its not that complicated a format, once you're past the headers the MD5s are in binary. I've written a program that goes the opposite way.

The number of hashes is stored at offset 16
The hash set name is at 1032, the category is at 1112, the hashes start at 1152, 16 bytes long and are separated by two null bytes.

also, could you just not export the hashes from within encase.

 
Posted : 18/06/2012 2:44 pm
Passmark
(@passmark)
Posts: 376
Reputable Member
Topic starter
 

Yes, I had a look at the format. It doesn't seem too complicated. I was just trying to save an hour writing a testing some code.

I don't have EnCase, just a hash set from EnCase.

 
Posted : 19/06/2012 3:54 am
(@jlellis)
Posts: 16
Active Member
 

.. also, could you just not export the hashes from within encase.

Encase doesn't seem to support exporting hash sets to .csv, or at least I haven't found a way to do so yet (v.7).

I have come up with a work around using a text editor and word processing software.

 
Posted : 21/06/2012 10:32 am
(@lukeluke)
Posts: 28
Eminent Member
 

With encase is 1 minute work. If you want I can help )

 
Posted : 25/06/2012 7:17 pm
(@jlellis)
Posts: 16
Active Member
 

With encase is 1 minute work. If you want I can help )

So, how is it done?

 
Posted : 09/07/2012 5:12 am
(@angrybadger)
Posts: 164
Estimable Member
 

With encase is 1 minute work. If you want I can help )

So, how is it done?

Export them from the Hash items view in hash sets

 
Posted : 09/07/2012 4:53 pm
(@jlellis)
Posts: 16
Active Member
 

With encase is 1 minute work. If you want I can help )

So, how is it done?

Export them from the Hash items view in hash sets

All I have is Encase 7. I haven't been able to figure out how to do this.

 
Posted : 09/07/2012 7:42 pm
 Hvva
(@hvva)
Posts: 14
Active Member
 

In case anyone else finds this thread - exporting hash sets from EnCase
(Tested in EnCase 6)

Click on View -> Hash Sets
Check the sets to export
View -> Hash Sets Subtabs -> Hash Items
Check the items to export
Edit -> Export

Make sure to select 'hash' in the export field.

 
Posted : 05/07/2013 6:26 am
(@cottondale)
Posts: 17
Active Member
 

I too am having an issue with this. Were you able to successfully export the .hash file as a .txt file? I exported the hash file using EnCase v7, and it gave me an output of several bin files, but none appeared to be of the format required for a txt file

 
Posted : 11/03/2014 10:42 pm
Page 1 / 2
Share: