Encase - Compare .E01 files  

clever_duck
(@clever_duck)
New Member

Hello,

I wanted to know how I can compare 2 .E01 files in EnCase. Basically I need to know what the difference is between them.

I need to know where exactly the differences are.

Is it possible?

Thanks.

Posted : 22/04/2014 8:58 pm
krishna
(@krishna)
Junior Member

Hi,

Do you mean the structure of two .E01 files or the content of the .E02 files? Each file of the EnCase image is a chunk of the data, chosen by the user to be either 640 MB or more than that. Please clarify what you want to compare.

Posted : 22/04/2014 9:31 pm
clever_duck
(@clever_duck)
New Member

Hello,

Thanks for the reply. It's the content I want to know.

Basically, I have an SD card which has an OS on it. I booted into it and turned it off, then acquired it using EnCase. I then booted it up again and turned it off, and acquired it again. The hash values are different.

I expected something to change, but now I want to know what has changed between them both. So can I do a comparison that ignores whatever is the same and shows the differences?

Just need to know what's changed and where it's located.

Posted : 22/04/2014 9:53 pm
jhup
(@jhup)
Community Legend

Create a hash set of all the items in one image.

Then compare it to the hashes of the second.

This is basic. So basic that, looking at your previous posts, this appears more and more like a sophomore forensics class homework assignment.

What version of EnCase is the school using?

Posted : 23/04/2014 12:16 am
clever_duck
(@clever_duck)
New Member

Create a hash set of all the items in one image.

Then compare it to the hashes of the second.

This is basic. So basic that, looking at your previous posts, this appears more and more like a sophomore forensics class homework assignment.

What version of EnCase is the school using?

Nope, not homework at all. It's for a project that I am doing.

Using EnCase 6, I believe it's 6.19.6.

Posted : 23/04/2014 2:58 am
jhup
(@jhup)
Community Legend

Still, my suggestion is the right path.

Create a hash set of all the items in one image.

Then compare it to the hashes of the second.

This is basic. So basic that, looking at your previous posts, this appears more and more like a sophomore forensics class homework assignment.

What version of EnCase is the school using?

Nope, not homework at all. It's for a project that I am doing.

Using EnCase 6, I believe it's 6.19.6.

Posted : 23/04/2014 6:09 am
a.nham
(@a-nham)
Junior Member

As jhup said already, checking the hash of each file for changes is probably the first approach you should try. If you don't find a change, check out the boot record, probably the FAT table hash since it's an SD card (often things like the drive name change). If you still can't find a difference in those file hashes, you may want to look at hashing unallocated space by sector or cluster. But that is usually not the case, as that is often forceful hiding of data, and is a sudden jump in complexity.

Posted : 23/04/2014 7:44 am
mscotgrove
(@mscotgrove)
Senior Member

My simple approach would be to expand both files to a DD format and then do a DOS compare, i.e.

fc /b

A different hash value can be any reason from a single bit change to 99.999% different!

If the E01 file is in many parts, you want to narrow it down by checking the hash value on each E01 section.

Posted : 23/04/2014 7:17 pm
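The sector-by-sector comparison that mscotgrove and a.nham describe, written out as an added example (it is not code from anyone in this thread). It assumes both acquisitions have already been expanded from E01 to raw DD images and that the card uses 512-byte sectors; the two sample images are constructed in memory so the script runs offline. Beyond a plain byte compare, it hashes each block, coalesces adjacent differing blocks into byte ranges (so you get "where" rather than a flood of single-byte hits), locates the first differing byte inside each range the way `fc /b` would, and treats a size mismatch as a differing tail.

```python
import hashlib

SECTOR = 512  # assumed sector size for the SD card images


def image_hash(data: bytes) -> str:
    """Whole-image MD5, the kind of value the acquisition tool reports."""
    return hashlib.md5(data).hexdigest()


def block_hashes(data: bytes, block_size: int = SECTOR) -> list:
    """Hash every block (sector or cluster) of a raw image; the last block may be short."""
    return [hashlib.sha256(data[i:i + block_size]).hexdigest()
            for i in range(0, len(data), block_size)]


def diff_images(img_a: bytes, img_b: bytes, block_size: int = SECTOR) -> list:
    """Return coalesced (start, end) byte ranges in which the two raw images differ.

    Blocks present in only one image (size mismatch) are reported as differing.
    """
    ha, hb = block_hashes(img_a, block_size), block_hashes(img_b, block_size)
    total = max(len(img_a), len(img_b))
    ranges = []
    for idx in range(max(len(ha), len(hb))):
        if idx < len(ha) and idx < len(hb) and ha[idx] == hb[idx]:
            continue  # identical block: ignore it, as the OP asked
        start = idx * block_size
        end = min(start + block_size, total)
        if ranges and ranges[-1][1] == start:
            ranges[-1] = (ranges[-1][0], end)  # extend the previous range
        else:
            ranges.append((start, end))
    return ranges


def first_differing_byte(img_a: bytes, img_b: bytes, start: int, end: int) -> int:
    """Exact offset of the first differing byte inside a range (what fc /b prints), or -1."""
    for off in range(start, end):
        a = img_a[off] if off < len(img_a) else None
        b = img_b[off] if off < len(img_b) else None
        if a != b:
            return off
    return -1


def build_samples() -> tuple:
    """Two constructed 16-sector images: second boot rewrote the volume label in
    sector 0 and appended a log entry straddling sectors 9 and 10."""
    base = bytearray(SECTOR * 16)
    base[3:11] = b"NO NAME "          # constructed label in the boot sector
    first = bytes(base)
    second = bytearray(base)
    second[3:11] = b"SDBOOT  "        # label changed by the second boot
    pos = 9 * SECTOR + 500            # 20 bytes spanning the sector 9/10 boundary
    second[pos:pos + 20] = b"boot log entry 00002"
    return first, bytes(second)


if __name__ == "__main__":
    first, second = build_samples()
    print("whole-image hashes equal:", image_hash(first) == image_hash(second))
    for start, end in diff_images(first, second):
        print(f"differs in bytes {start}-{end} (sectors {start // SECTOR}-{(end - 1) // SECTOR}),"
              f" first mismatch at offset {first_differing_byte(first, second, start, end)}")
```

The reported offsets are what you then take back into EnCase: a range inside the first sectors points at the boot record or FAT (a.nham's second suggestion), while an offset inside an allocated cluster identifies the file that changed, which is the "where it's located" part of the question.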