encase weirdness


Beetle
Senior Member
 

encase weirdness

Posted: Jun 18, 08 20:06

I recently was working with a large number of dbx files. Using version 6.7.0.13.

I hashed the dbx files in encase before exporting the dbx files for further processing. I discovered that the hashes of the exported dbx files did not match the hashes generated by encase. By further experimentation, I found that encase was generating the same hash as the original file on the original media but when exporting the dbx file from the image, or even the original media, in some way the file changed resulting in a different hash value. This is only applicable to dbx and pst files as I tested a number of other file types from different media and images and got the same hash mismatches for the dbx and pst files only. The hashes of the copied out files were verified with FTK and Winhex.

It appears that encase is doing something to the mail files.

Any thoughts?  
 
  

_nik_
Senior Member
 

Re: encase weirdness

Posted: Jun 18, 08 21:46

Actually Encase is doing the right things.
When exporting, check the "initialized file size" check box and things should work. On the EnCase support portal there's a pps about the initialized file size in the knowledge base.
 
  

Beetle
Senior Member
 

Re: encase weirdness

Posted: Jun 18, 08 22:07

I had already tried that, no difference in behaviour, just different hashes.

Upon further checking with a newer version of encase (6.8) it seems the problem is isolated to this specific version.  
 
  

_nik_
Senior Member
 

Re: encase weirdness

Posted: Jun 19, 08 01:34

Strange - is there encryption enabled?  
 
  

Beetle
Senior Member
 

Re: encase weirdness

Posted: Jun 20, 08 02:55

Tracked down the problem with some help from Guidance's tech support. It has to do with the way that the current version of encase handles the NTFS initialized size. Seems that you need to make sure that the check boxes for the search function and the copy/unerase to use the initialized size are set in order to have encase export the files with consistent hashes. I don't recall the previous version(s) having these options.

Guidance software has a powerpoint on this on their site.  
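
The NTFS behaviour this thread settles on, as an added example that is not part of any post and is not EnCase code: a file's initialized size can be smaller than its logical size, and a reader that returns the on-disk clusters up to the logical size produces different bytes (and a different hash) from one that zero-fills past the initialized size, which is how NTFS presents the file to a normal reader. All names, sizes and data below are constructed for illustration.

```python
import hashlib

def read_raw(clusters: bytes, logical_size: int) -> bytes:
    """Allocated bytes up to the logical size, stale tail included."""
    return clusters[:logical_size]

def read_initialized(clusters: bytes, logical_size: int, initialized_size: int) -> bytes:
    """Bytes as NTFS presents them: everything past the initialized size reads as zeros."""
    if not 0 <= initialized_size <= logical_size <= len(clusters):
        raise ValueError("need 0 <= initialized_size <= logical_size <= allocated size")
    return clusters[:initialized_size] + b"\x00" * (logical_size - initialized_size)

def digest(data: bytes) -> str:
    # SHA-256 is an arbitrary choice here; the effect is the same for any hash.
    return hashlib.sha256(data).hexdigest()

def classify_export(exported: bytes, clusters: bytes,
                    logical_size: int, initialized_size: int) -> str:
    """Report which of the two readings an exported copy matches."""
    raw = digest(read_raw(clusters, logical_size))
    zero_filled = digest(read_initialized(clusters, logical_size, initialized_size))
    got = digest(exported)
    if raw == zero_filled:
        # Tail on disk is already zeros (or the sizes are equal): nothing to tell apart.
        return "no-difference" if got == raw else "unexplained"
    if got == zero_filled:
        return "initialized-size"
    if got == raw:
        return "raw-logical"
    return "unexplained"

# Constructed sample: a preallocated mail store whose tail was never written,
# sitting on clusters that still hold another file's old contents.
LIVE = b"MAILSTORE-HEADER" + b"message data " * 8
CLUSTERS = LIVE + b"STALE-DATA-FROM-A-PREVIOUS-FILE!" * 4
INITIALIZED_SIZE = len(LIVE)
LOGICAL_SIZE = len(LIVE) + 80

if __name__ == "__main__":
    for name, data in (("raw", read_raw(CLUSTERS, LOGICAL_SIZE)),
                       ("zero-filled",
                        read_initialized(CLUSTERS, LOGICAL_SIZE, INITIALIZED_SIZE))):
        print(f"{name:12} {digest(data)}  ->",
              classify_export(data, CLUSTERS, LOGICAL_SIZE, INITIALIZED_SIZE))
```

When an exported file's hash disagrees with the value recorded earlier, comparing it against both readings shows whether the initialized-size handling accounts for the whole difference or whether something else changed the file.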