Hello,
I wanted to know how I can compare 2 .E01 files in EnCase. Basically I need to know what the difference is between them.
Need to know where exactly the differences are.
Is it possible?
Thanks.
hi,
do you mean the structure of two .e01 files or the content of the .e01 files? Each file of the EnCase image is a chunk of the data, chosen by the user to be either 640 MB or more than that. Please clarify what you want to compare.
Hello,
Thanks for the reply. It's the content I want to know.
Basically, I have an SD card which has an OS on it. I booted up into it and turned it off, then acquired it using EnCase. I then booted it up again and turned it off, and acquired it again. The hash values are different.
I expected something to change, but now I want to know what has changed between them both. So can I do a comparison that ignores whatever is the same and shows the differences?
Just need to know what's changed and where it's located.
Create a hash set of all the items in one image.
Then compare it to the hashes of the second.
This is basic. So basic, that looking at your previous posts, this appears more and more like a sophomore forensics class homework assignment.
What version of EnCase is the school using?
Nope, not homework at all. It's for a project that I am doing.
Using EnCase 6, I believe it's 6.19.6.
Still, my suggestion is the right path.
As jhup said already, checking the hash of each file for changes is probably the first approach you should try. If you don't find a change, check out the boot record, and probably the FAT table hash since it's an SD card (often things like the drive name change). If you still can't find a difference in those file hashes, you may want to look at hashing unallocated space by sector or by cluster. But that is usually not the case, as that is often forceful hiding of data, and is a sudden jump in complexity.
My simple approach would be to expand both files to a DD format and then do a DOS compare, i.e.
fc /b <file1> <file2>
A different hash value can be any reason from a single bit change to 99.999% different!
If the E01 file is in many parts, you want to narrow it down by checking the hash value on each E01 section.
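The two approaches suggested in this thread (compare per-file hash sets, then narrow the difference down by sector, then find the exact byte offset the way fc /b does) as one added example script; this is not code from any poster or from EnCase. It assumes both E01 images have already been exported to raw/DD format and that the card uses 512-byte sectors; the sample images are constructed inline so the script runs offline.

```python
"""Locate where two raw disk images differ.

Three levels of detail, from coarse to fine:
  1. compare_hash_sets: which carved files were added, removed, or changed
  2. differing_sectors / to_ranges: which sector runs differ (covers boot
     record, FAT table and unallocated space, not just allocated files)
  3. first_differing_offset: the first mismatching byte, as fc /b reports
Assumption: the E01 images were exported to raw/DD and sectors are 512 bytes.
"""
import hashlib
from typing import Dict, List, Optional, Tuple

SECTOR_SIZE = 512  # assumption: 512-byte sectors, typical for SD cards


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def compare_hash_sets(files_a: Dict[str, bytes],
                      files_b: Dict[str, bytes]) -> Tuple[List[str], List[str], List[str]]:
    """Hash-set comparison of the files carved from each image.
    Returns (only_in_a, only_in_b, changed) as sorted path lists."""
    hashes_a = {path: sha256_hex(data) for path, data in files_a.items()}
    hashes_b = {path: sha256_hex(data) for path, data in files_b.items()}
    only_in_a = sorted(set(hashes_a) - set(hashes_b))
    only_in_b = sorted(set(hashes_b) - set(hashes_a))
    changed = sorted(p for p in hashes_a.keys() & hashes_b.keys()
                     if hashes_a[p] != hashes_b[p])
    return only_in_a, only_in_b, changed


def differing_sectors(a: bytes, b: bytes, sector_size: int = SECTOR_SIZE) -> List[int]:
    """Sector numbers whose contents differ. Sectors past the end of the
    shorter image always count as different, so a size mismatch is visible."""
    total = (max(len(a), len(b)) + sector_size - 1) // sector_size
    out = []
    for n in range(total):
        lo, hi = n * sector_size, (n + 1) * sector_size
        if a[lo:hi] != b[lo:hi]:
            out.append(n)
    return out


def to_ranges(sectors: List[int]) -> List[Tuple[int, int]]:
    """Collapse a sorted sector list into inclusive (first, last) runs."""
    ranges: List[Tuple[int, int]] = []
    for n in sectors:
        if ranges and ranges[-1][1] == n - 1:
            ranges[-1] = (ranges[-1][0], n)
        else:
            ranges.append((n, n))
    return ranges


def first_differing_offset(a: bytes, b: bytes) -> Optional[int]:
    """Byte offset of the first mismatch (None if identical), like fc /b.
    If one image is a prefix of the other, the offset is the shorter length."""
    for i, (x, y) in enumerate(zip(a, b)):
        if x != y:
            return i
    return None if len(a) == len(b) else min(len(a), len(b))


def diff_report(a: bytes, b: bytes, sector_size: int = SECTOR_SIZE) -> dict:
    """Whole-image hashes plus the sector runs and first byte that differ."""
    ranges = to_ranges(differing_sectors(a, b, sector_size))
    return {
        "image_hashes": (sha256_hex(a), sha256_hex(b)),
        "differing_sector_ranges": ranges,
        "first_differing_offset": first_differing_offset(a, b),
    }


# Constructed sample images: 8 sectors of a repeating byte pattern, with
# one flipped byte in sector 2 and sectors 5-6 wiped to zero in the second.
SAMPLE_A = bytes(range(256)) * 16
_b = bytearray(SAMPLE_A)
_b[1034] ^= 0xFF                     # offset 1034 lies in sector 2
_b[5 * 512:7 * 512] = bytes(1024)    # sectors 5 and 6 zeroed
SAMPLE_B = bytes(_b)

if __name__ == "__main__":
    report = diff_report(SAMPLE_A, SAMPLE_B)
    print("image hashes:", report["image_hashes"])
    print("differing sector ranges:", report["differing_sector_ranges"])
    print("first differing byte offset:", report["first_differing_offset"])
```

The same sector-level routine also covers the multi-part case mentioned above: hashing the exported raw image per 512-byte sector tells you which region changed regardless of which E01 segment the region landed in.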