I am extracting a file in Logical format from an image using EnCase to an NTFS partition. When I attempt to verify the hash of the exported file, it does not match that of the hash in EnCase. This is the same for any file I extract.
Is this because EnCase hashes based on the physical disk data rather than only the file data? If so, is there any way of getting an accurate file-data-only hash from EnCase?
What file is it? Is it V5 or V6? Is the initialized size different from the logical size?
Are you extracting the logical file and perhaps missing the file slack? Try extracting all clusters allocated to the file (physical size). This information will also be displayed in the 'File Extents' tab in EnCase.
To get a hash of the logical file I assume you could bookmark the logical data and hash this for comparison to the exported file.
Old post, but since there was no solution posted…
EnCase hashes files the same way in v5 as in v6 (and exactly the same as all other working hash-analysis programs). It hashes the logical file only (…if we added in file slack to a hash, we'd never be able to build hash libraries!).
Since your evidence file and your exported file are displaying 2 separate MD5 hash values, drag-and-drop the exported file back into evidence and look at both in the Hex View. You'll likely find extra return lines in the exported file. Simple as that.
Hi Logg - there is one difference between V5 and V6 - the initialized size.
("Fast File initialization") you can see it in registry hives, PSTs and others.
NTFS and exFAT both support that.
If the data of the sectors that have not been written to are non-0 the hash values will disappear.
Hi Nik,
You are right, but that's an operational difference in EnCase, not a difference in its implementation of MD5 (which was at the heart of the original question – hashing a file in evidence and again in its extracted form). Pure and simple MD5 is MD5.
There is no difference _not_one_iota_ in the outcome of any 2 programs on the planet which calculate a file's MD5 hash (given the calculations are made correctly 😉 ).
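The three causes of a hash mismatch raised in this thread (file slack included in the hashed extent, an initialized size smaller than the logical size, and line-ending translation during export) can be reproduced with a short simulation. The following is an added example, not EnCase code and not from any poster; the 4096-byte cluster size, the sample file bytes and the slack/garbage fill patterns are constructed assumptions.

```python
import hashlib

CLUSTER_SIZE = 4096  # assumed NTFS cluster size (4 KiB); a constructed choice

# Constructed sample "file": 2200 bytes, so it occupies one cluster with 1896 bytes of slack.
SAMPLE_FILE = b"EVIDENCE: sample text\n" * 100


def md5_hex(data: bytes) -> str:
    """MD5 of a byte string; the algorithm is identical in every tool, only the input differs."""
    return hashlib.md5(data).hexdigest()


def logical_hash(data: bytes) -> str:
    """Hash of the logical file only: the bytes up to the logical size.
    This is what hash libraries and hash-analysis tools compare against."""
    return md5_hex(data)


def physical_extent(data: bytes, cluster_size: int = CLUSTER_SIZE,
                    slack_fill: bytes = b"\x00") -> bytes:
    """Simulate every cluster allocated to the file: logical data plus file slack.
    slack_fill stands in for whatever happened to be on disk in the slack area."""
    physical_size = -(-len(data) // cluster_size) * cluster_size  # round up to cluster
    slack_len = physical_size - len(data)
    slack = (slack_fill * slack_len)[:slack_len]
    return data + slack


def physical_hash(data: bytes, cluster_size: int = CLUSTER_SIZE,
                  slack_fill: bytes = b"\x00") -> str:
    """Hash over the allocated clusters (physical size). Differs from the logical hash
    whenever the file does not end exactly on a cluster boundary."""
    return md5_hex(physical_extent(data, cluster_size, slack_fill))


def ntfs_presented_bytes(raw_on_disk: bytes, initialized_size: int,
                         logical_size: int) -> bytes:
    """Model NTFS 'initialized size': bytes beyond it read back as zeros regardless of
    what the underlying sectors contain. A tool hashing raw sectors instead of the
    file-system view will therefore get a different digest when those sectors are non-zero."""
    if not 0 <= initialized_size <= logical_size <= len(raw_on_disk):
        raise ValueError("require 0 <= initialized <= logical <= bytes available on disk")
    return raw_on_disk[:initialized_size] + b"\x00" * (logical_size - initialized_size)


def crlf_export(data: bytes) -> bytes:
    """Simulate an export path that rewrote LF line endings as CRLF
    (the 'extra return lines' visible in Hex View)."""
    return data.replace(b"\r\n", b"\n").replace(b"\n", b"\r\n")


def compare(data: bytes) -> dict:
    """Collect the digests a practitioner would want side by side."""
    return {
        "logical": logical_hash(data),
        "physical_zero_slack": physical_hash(data, slack_fill=b"\x00"),
        "physical_dirty_slack": physical_hash(data, slack_fill=b"\xaa"),
        "crlf_export": logical_hash(crlf_export(data)),
    }


if __name__ == "__main__":
    for name, digest in compare(SAMPLE_FILE).items():
        print(f"{name:>22}: {digest}")
    # Constructed partially-initialized file: 1000 initialized bytes, 1200 bytes never written,
    # but the sectors behind them still hold stale non-zero data.
    raw = SAMPLE_FILE[:1000] + b"\xdd" * 1200
    print(f"{'fs view (init=1000)':>22}: {md5_hex(ntfs_presented_bytes(raw, 1000, 2200))}")
    print(f"{'raw sectors':>22}: {md5_hex(raw)}")
```

Only the "logical" digest is the one a hash set would store; every other row shows a different input to MD5, not a different MD5. When an exported file fails to verify, comparing its length against the logical size (and, for partially initialized files, against the initialized size) usually pins down which of these inputs was actually hashed.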