Encase - Compare .E01 files

8 Posts
5 Users
0 Likes
1,022 Views
(@clever_duck)
Posts: 6
Active Member
Topic starter
 

Hello,

I wanted to know how I can compare 2 .E01 files in EnCase. Basically I need to know what the difference is between them.

Need to know where exactly the differences are.

Is it possible?

Thanks.

 
Posted : 22/04/2014 7:58 pm
(@krishna)
Posts: 45
Eminent Member
 

hi,

Do you mean the structure of two .e01 files or the content of the .e01 files? Each file of the EnCase image is a chunk of the data, chosen by the user to be 640 MB or more than that. Please clarify what you want to compare.

 
Posted : 22/04/2014 8:31 pm
(@clever_duck)
Posts: 6
Active Member
Topic starter
 

Hello,

Thanks for the reply. It's the content I want to know.

Basically, I have an SD card which has an OS on it. I booted into it and turned it off, then acquired it using EnCase. I then booted it up again and turned it off, and acquired it again. The hash values are different.

I expected something to change, but now I want to know what has changed between them both. So can I do a comparison that ignores anything that is the same and shows the differences?

Just need to know what's changed and where it's located.

 
Posted : 22/04/2014 8:53 pm
(@jhup)
Posts: 1442
Noble Member
 

Create a hash set of all the items in one image.

Then compare it to the hashes of the second.

This is basic. So basic, that looking at your previous posts, this appears more and more like a sophomore forensics class homework assignment.

What version of EnCase is the school using?

 
Posted : 22/04/2014 11:16 pm
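The hash-set comparison suggested above, written out as an added example (this is not code from the thread's posters or from EnCase). It assumes each acquisition has been mounted or exported to a directory tree, hashes every regular file, and reports what was added, removed, changed or unchanged between the two; the two sample trees built in demo() are constructed stand-ins for the two boots of the SD card. Note that a file-level hash set only sees files: anything that changed in the boot sector, the FAT, slack or unallocated space is invisible to it.

```python
import hashlib
import os
import tempfile
from pathlib import Path


def sha256_file(path, chunk_size=1 << 20):
    """Hash a file in chunks so large exported files never have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def hash_tree(root):
    """Build a hash set for every regular file under root, keyed by relative path.

    root is assumed to be the mounted or exported file system of one acquisition.
    """
    root = Path(root)
    hashes = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            p = Path(dirpath) / name
            if p.is_file() and not p.is_symlink():
                hashes[p.relative_to(root).as_posix()] = sha256_file(p)
    return hashes


def compare_hash_sets(first, second):
    """Return which paths were added, removed, changed or unchanged between two hash sets.

    Paths with identical hashes are the ones the original poster wants to ignore;
    the other three lists are where the differences are located.
    """
    first_paths, second_paths = set(first), set(second)
    common = first_paths & second_paths
    return {
        "added": sorted(second_paths - first_paths),
        "removed": sorted(first_paths - second_paths),
        "changed": sorted(p for p in common if first[p] != second[p]),
        "unchanged": sorted(p for p in common if first[p] == second[p]),
    }


def _write(root, rel, data):
    p = Path(root) / rel
    p.parent.mkdir(parents=True, exist_ok=True)
    p.write_bytes(data)


def demo():
    """Constructed stand-in for two acquisitions of the same card: boot 1 and boot 2."""
    with tempfile.TemporaryDirectory() as boot1, tempfile.TemporaryDirectory() as boot2:
        # Files the OS did not touch: identical in both trees (constructed content).
        for root in (boot1, boot2):
            _write(root, "boot/kernel.img", b"KERNEL" * 1000)
            _write(root, "etc/hostname", b"sdcard-os\n")
        # A log that grew during the second boot (constructed content).
        _write(boot1, "var/log/boot.log", b"boot 1\n")
        _write(boot2, "var/log/boot.log", b"boot 1\nboot 2\n")
        # One file only present after the second boot, one removed by it.
        _write(boot2, "var/run/lock.pid", b"1234\n")
        _write(boot1, "tmp/stale.tmp", b"x")
        return compare_hash_sets(hash_tree(boot1), hash_tree(boot2))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

Point hash_tree() at the two mounted or exported trees instead of the constructed ones and the "changed", "added" and "removed" lists are the answer to "what changed and where"; "unchanged" is everything that can be ignored.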
(@clever_duck)
Posts: 6
Active Member
Topic starter
 

Create a hash set of all the items in one image.

Then compare it to the hashes of the second.

This is basic. So basic, that looking at your previous posts, this appears more and more like a sophomore forensics class homework assignment.

What version of EnCase is the school using?

Nope, not homework at all. It's for a project that I am doing.

Using EnCase 6, I believe it's 6.19.6.

 
Posted : 23/04/2014 1:58 am
(@jhup)
Posts: 1442
Noble Member
 

Still, my suggestion is the right path.

Create a hash set of all the items in one image.

Then compare it to the hashes of the second.

This is basic. So basic, that looking at your previous posts, this appears more and more like a sophomore forensics class homework assignment.

What version of EnCase is the school using?

Nope, not homework at all. It's for a project that I am doing.

Using EnCase 6, I believe it's 6.19.6.

 
Posted : 23/04/2014 5:09 am
(@a-nham)
Posts: 32
Eminent Member
 

As jhup said already, checking the hash of each file for change is probably the first approach you should try. If you don't find a change, check out the boot record, probably the FAT table hash since it's an SD card (often things like the drive name change). If you still can't find a difference in those file hashes, you may want to look at unallocated space hashing by sector or clusters. But that is usually not the case, as that is often forceful hiding of data, and is a sudden jump in complexity.

 
Posted : 23/04/2014 6:44 am
(@mscotgrove)
Posts: 938
Prominent Member
 

My simple approach would be to expand both files to a DD format and then do a DOS compare, i.e.

fc /b <file1> <file2>

A different hash value can be any reason from a single bit change to 99.999% different!

If the E01 file is in many parts, you want to narrow it down by checking the hash value on each E01 section.

 
Posted : 23/04/2014 6:17 pm
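The two previous replies point at the same next step once file hashes come up equal: compare the raw images below the file system, so that a boot-record or FAT change, a single flipped bit, or a change in unallocated space is located by sector. The following is an added example and not code from either poster; it assumes both E01 images have already been expanded to raw DD files, as suggested above. diff_images() reports the inclusive sector ranges that differ and how many bytes differ in total (which is what separates a one-bit change from a 99.999% rewrite), and hash_region() hashes a chosen region such as the boot sector; the offset and length of a FAT copy would have to be read from the volume's BPB by the examiner, which this example does not do. The two 64-sector images in demo() are constructed, with one byte changed in sector 0 at offset 43 (the volume label field of a FAT12/16 boot sector), one bit flipped in sector 10, and sectors 40 and 41 rewritten.

```python
import hashlib
import os
import tempfile

SECTOR = 512  # assumed sector size; pass another value for 4K-sector media


def hash_region(path, offset, length):
    """SHA-256 of one region of a raw image, e.g. the boot sector or a FAT copy."""
    with open(path, "rb") as f:
        f.seek(offset)
        return hashlib.sha256(f.read(length)).hexdigest()


def diff_images(path_a, path_b, sector_size=SECTOR):
    """Compare two raw (dd) images sector by sector.

    Returns the inclusive sector ranges that differ, the total number of differing
    bytes, and both sizes so a size mismatch is reported instead of silently truncated.
    """
    size_a, size_b = os.path.getsize(path_a), os.path.getsize(path_b)
    ranges = []
    diff_bytes = 0
    run_start = None
    sector = 0
    with open(path_a, "rb") as fa, open(path_b, "rb") as fb:
        while True:
            a = fa.read(sector_size)
            b = fb.read(sector_size)
            if not a and not b:
                break
            if a != b:
                # Bytes that differ in the overlap, plus any tail present in only one image.
                diff_bytes += sum(1 for x, y in zip(a, b) if x != y) + abs(len(a) - len(b))
                if run_start is None:
                    run_start = sector
            elif run_start is not None:
                ranges.append((run_start, sector - 1))
                run_start = None
            sector += 1
    if run_start is not None:
        ranges.append((run_start, sector - 1))
    return {
        "size_a": size_a,
        "size_b": size_b,
        "differing_sectors": ranges,
        "differing_bytes": diff_bytes,
    }


def demo():
    """Constructed stand-in for two dd images of the same 64-sector card."""
    # Image A: sector n is filled with byte value n, so every sector is distinct.
    image_a = bytearray(b"".join(bytes([s]) * SECTOR for s in range(64)))
    image_b = bytearray(image_a)
    image_b[43] ^= 0x01                        # one byte in the boot sector's label field
    image_b[10 * SECTOR + 100] ^= 0x80         # a single flipped bit in sector 10
    image_b[40 * SECTOR:42 * SECTOR] = b"\xff" * (2 * SECTOR)  # two sectors rewritten
    with tempfile.TemporaryDirectory() as d:
        path_a, path_b = os.path.join(d, "boot1.dd"), os.path.join(d, "boot2.dd")
        with open(path_a, "wb") as f:
            f.write(image_a)
        with open(path_b, "wb") as f:
            f.write(image_b)
        result = diff_images(path_a, path_b)
        result["boot_sector_changed"] = (
            hash_region(path_a, 0, SECTOR) != hash_region(path_b, 0, SECTOR)
        )
        return result


if __name__ == "__main__":
    r = demo()
    print("differing sector ranges:", r["differing_sectors"])
    print("differing bytes:", r["differing_bytes"])
    print("boot sector changed:", r["boot_sector_changed"])
```

With real images, multiply a reported sector number by the sector size to get the byte offset to open in a hex viewer; a range that falls inside the FAT or the directory region is the kind of metadata change the previous reply describes, while a range inside unallocated clusters is the harder case it warns about.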