I recently was working with a large number of dbx files, using version 6.7.0.13.
I hashed the dbx files in EnCase before exporting the dbx files for further processing. I discovered that the hashes of the exported dbx files did not match the hashes generated by EnCase. By further experimentation, I found that EnCase was generating the same hash as the original file on the original media, but when exporting the dbx file from the image, or even the original media, in some way the file changed, resulting in a different hash value. This is only applicable to dbx and pst files, as I tested a number of other file types from different media and images and got the same hash mismatches for the dbx and pst files only. The hashes of the copied out files were verified with FTK and WinHex.
It appears that EnCase is doing something to the mail files.
Any thoughts?
Actually, EnCase is doing the right things.
When exporting, check the "initialized file size" check box and things should work. On the EnCase support portal there's a pps about the initialized file size in the knowledge base.
I had already tried that, no difference in behaviour, just different hashes.
Upon further checking with a newer version of EnCase (6.8), it seems the problem is isolated to this specific version.
Strange - is there encryption enabled?
Tracked down the problem with some help from Guidance's tech support. It has to do with the way that the current version of EnCase handles the NTFS initialized size. Seems that you need to make sure that the check boxes for the search function and the copy/unerase to use the initialized size are set in order to have EnCase export the files with consistent hashes. I don't recall the previous version(s) having these options.
Guidance Software has a PowerPoint on this on their site.
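Added example, not part of the original thread and not EnCase's own code: a Python sketch of how two readings of the same file can hash differently when the NTFS initialized size is smaller than the logical size. It assumes the NTFS behavior that bytes between the initialized size and the logical size are returned as zeros when read through the file system, even if the allocated clusters still hold older data; the function names and the sample bytes are constructed for illustration.

```python
import hashlib

def digest(data: bytes) -> str:
    # SHA-256 is used here; the effect is the same for any hash algorithm.
    return hashlib.sha256(data).hexdigest()

def read_raw_logical(clusters: bytes, logical_size: int) -> bytes:
    """Bytes as stored in the allocated clusters, cut at the logical size."""
    return clusters[:logical_size]

def read_initialized(clusters: bytes, logical_size: int, initialized_size: int) -> bytes:
    """Bytes as the file system presents them: stored data up to the
    initialized size, then zeros up to the logical size."""
    valid = min(initialized_size, logical_size)
    return clusters[:valid] + b"\x00" * (logical_size - valid)

def classify_export(exported: bytes, clusters: bytes,
                    logical_size: int, initialized_size: int) -> str:
    """Report which reading of the file an exported copy matches."""
    target = digest(exported)
    raw = digest(read_raw_logical(clusters, logical_size))
    init = digest(read_initialized(clusters, logical_size, initialized_size))
    if raw == init == target:
        return "either"        # initialized size == logical size, no ambiguity
    if target == init:
        return "initialized"   # export honoured the initialized size
    if target == raw:
        return "raw-logical"   # export included data past the initialized size
    return "neither"           # the copy was altered some other way

# Constructed sample: a 4096-byte file whose last 2048 bytes were allocated
# but never written, so the clusters still hold stale data ("S").
LOGICAL_SIZE = 4096
INITIALIZED_SIZE = 2048
CLUSTERS = b"M" * 2048 + b"S" * 2048

if __name__ == "__main__":
    raw = read_raw_logical(CLUSTERS, LOGICAL_SIZE)
    init = read_initialized(CLUSTERS, LOGICAL_SIZE, INITIALIZED_SIZE)
    print("raw-logical :", digest(raw))
    print("initialized :", digest(init))
    print("export of the initialized view matches:",
          classify_export(init, CLUSTERS, LOGICAL_SIZE, INITIALIZED_SIZE))
```

When a hash taken inside the tool and a hash of the exported copy disagree, comparing the export against both readings shows whether the two operations were run with different initialized-size settings.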