Forums
Main Category
General (Technical,...
EnCase Hash convers...
 
Notifications
Clear all

EnCase Hash conversion

 
Page 1 / 2
General (Technical, Procedural, Software, Hardware etc.)
Last Post by EricZimmerman 11 years ago
11 Posts
7 Users
0 Reactions
2,585 Views
RSS
Passmark
 Passmark
(@passmark)
Reputable Member
Joined: 14 years ago
Posts: 376
Topic starter 18/06/2012 5:32 am  

Is anyone aware of public code or script to dump the MD5 values from a EnCase hash file into plain text (or CSV).

The file format seems to be semi documented and there was another post stating that it can (and has) been done, but the code doesn't seem to be public.


   
Quote
 AngryBadger
(@angrybadger)
Estimable Member
Joined: 18 years ago
Posts: 164
18/06/2012 3:44 pm  

Is anyone aware of public code or script to dump the MD5 values from a EnCase hash file into plain text (or CSV).

The file format seems to be semi documented and there was another post stating that it can (and has) been done, but the code doesn't seem to be public.

Its not that complicated a format, once you're past the headers the MD5s are in binary. I've written a program that goes the opposite way.

The number of hashes is stored at offset 16
The hash set name is at 1032, the category is at 1112, the hashes start at 1152, 16 bytes long and are separated by two null bytes.

also, could you just not export the hashes from within encase.


   
ReplyQuote
Passmark
 Passmark
(@passmark)
Reputable Member
Joined: 14 years ago
Posts: 376
Topic starter 19/06/2012 4:54 am  

Yes, I had a look at the format. It doesn't seem too complicated. I was just trying to save an hour writing a testing some code.

I don't have EnCase, just a hash set from EnCase.


   
ReplyQuote
 JLEllis
(@jlellis)
Active Member
Joined: 14 years ago
Posts: 16
21/06/2012 11:32 am  

.. also, could you just not export the hashes from within encase.

Encase doesn't seem to support exporting hash sets to .csv, or at least I haven't found a way to do so yet (v.7).

I have come up with a work around using a text editor and word processing software.


   
ReplyQuote
 LukeLuke
(@lukeluke)
Eminent Member
Joined: 15 years ago
Posts: 28
25/06/2012 8:17 pm  

With encase is 1 minute work. If you want I can help )


   
ReplyQuote
 JLEllis
(@jlellis)
Active Member
Joined: 14 years ago
Posts: 16
09/07/2012 6:12 am  

With encase is 1 minute work. If you want I can help )

So, how is it done?


   
ReplyQuote
 AngryBadger
(@angrybadger)
Estimable Member
Joined: 18 years ago
Posts: 164
09/07/2012 5:53 pm  

With encase is 1 minute work. If you want I can help )

So, how is it done?

Export them from the Hash items view in hash sets


   
ReplyQuote
 JLEllis
(@jlellis)
Active Member
Joined: 14 years ago
Posts: 16
09/07/2012 8:42 pm  

With encase is 1 minute work. If you want I can help )

So, how is it done?

Export them from the Hash items view in hash sets

All I have is Encase 7. I haven't been able to figure out how to do this.


   
ReplyQuote
 Hvva
(@hvva)
Active Member
Joined: 18 years ago
Posts: 14
05/07/2013 7:26 am  

In case anyone else finds this thread - exporting hash sets from EnCase
(Tested in EnCase 6)

Click on View -> Hash Sets
Check the sets to export
View -> Hash Sets Subtabs -> Hash Items
Check the items to export
Edit -> Export

Make sure to select 'hash' in the export field.


   
ReplyQuote
 Cottondale
(@cottondale)
Active Member
Joined: 12 years ago
Posts: 17
11/03/2014 11:42 pm  

I too am having an issue with this. Were you able to successfully export the .hash file as a .txt file? I exported the hash file using EnCase v7, and it gave me an output of several bin files, but none appeared to be of the format required for a txt file


   
ReplyQuote
Page 1 / 2
Forum Jump:
  Previous Topic
Next Topic  
Share: