Is anyone aware of public code or a script to dump the MD5 values from an EnCase hash file into plain text (or CSV)?
The file format seems to be semi-documented, and there was another post stating that it can be (and has been) done, but the code doesn't seem to be public.
It's not that complicated a format; once you're past the headers, the MD5s are in binary. I've written a program that goes the opposite way.
The number of hashes is stored at offset 16.
The hash set name is at 1032, the category is at 1112, and the hashes start at 1152; they are 16 bytes long and are separated by two null bytes.
Also, could you just not export the hashes from within EnCase?
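A sketch of a dumper built on the offsets given in the post above; this is an added example, not code from any poster in this thread. The offsets, the 16-byte hash length and the two-null separator come from the post. The 32-bit little-endian count, the UTF-16LE strings and the `build_sample` helper are assumptions made here.

```python
import struct
import sys

# Offsets as given in the post above; 16-byte MD5s followed by two NUL bytes.
COUNT_OFF, NAME_OFF, CATEGORY_OFF, HASHES_OFF = 16, 1032, 1112, 1152
MD5_LEN, SEP = 16, b"\x00\x00"
STRIDE = MD5_LEN + len(SEP)


def _text(raw):
    # Assumption: strings are UTF-16LE and NUL-terminated.
    return raw.decode("utf-16-le", errors="replace").split("\x00", 1)[0]


def parse_hash_set(data):
    """Return (name, category, [md5 hex, ...]) from the raw file bytes."""
    if len(data) < HASHES_OFF:
        raise ValueError("file is shorter than the header")
    # Assumption: the count is a 32-bit little-endian unsigned integer.
    (count,) = struct.unpack_from("<I", data, COUNT_OFF)
    hashes = []
    for i in range(count):
        start = HASHES_OFF + i * STRIDE
        record = data[start:start + MD5_LEN]
        if len(record) < MD5_LEN:
            raise ValueError(f"header claims {count} hashes, data ends at #{i}")
        # A wrong separator means the layout assumptions do not hold here.
        if not SEP.startswith(data[start + MD5_LEN:start + STRIDE]):
            raise ValueError(f"unexpected bytes after hash #{i}")
        hashes.append(record.hex())
    name = _text(data[NAME_OFF:CATEGORY_OFF])
    category = _text(data[CATEGORY_OFF:HASHES_OFF])
    return name, category, hashes


def build_sample(name, category, digests):
    """Constructed file in the same layout, for testing (not EnCase output)."""
    buf = bytearray(HASHES_OFF)
    struct.pack_into("<I", buf, COUNT_OFF, len(digests))
    for off, s in ((NAME_OFF, name), (CATEGORY_OFF, category)):
        raw = s.encode("utf-16-le")
        buf[off:off + len(raw)] = raw
    return bytes(buf) + b"".join(bytes.fromhex(d) + SEP for d in digests)


if __name__ == "__main__":
    with open(sys.argv[1], "rb") as f:
        name, category, hashes = parse_hash_set(f.read())
    print(f"# {name} ({category})", file=sys.stderr)
    print("\n".join(hashes))
```

Run as a script with the hash file path as its only argument, it writes one hex MD5 per line to stdout. The parser raises instead of emitting partial output when the count and the data disagree.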
Yes, I had a look at the format. It doesn't seem too complicated. I was just trying to save an hour writing and testing some code.
I don't have EnCase, just a hash set from EnCase.
EnCase doesn't seem to support exporting hash sets to .csv, or at least I haven't found a way to do so yet (v.7).
I have come up with a workaround using a text editor and word processing software.
With EnCase it is 1 minute's work. If you want, I can help :)
So, how is it done?
Export them from the Hash Items view in Hash Sets.
All I have is EnCase 7. I haven't been able to figure out how to do this.
In case anyone else finds this thread - exporting hash sets from EnCase
(Tested in EnCase 6)
Click on View -> Hash Sets
Check the sets to export
View -> Hash Sets Subtabs -> Hash Items
Check the items to export
Edit -> Export
Make sure to select 'hash' in the export field.
I too am having an issue with this. Were you able to successfully export the .hash file as a .txt file? I exported the hash file using EnCase v7, and it gave me an output of several bin files, but none appeared to be of the format required for a txt file.