Evidence File Components and Function

An EnCase evidence file has three major components: the header, the data blocks, and the file integrity component (CRC and MD5/SHA-1). The header will appear on the front end of the evidence file, and the data blocks follow the header. The file integrity component exists throughout and provides redundant levels of file integrity.

Each compartment has its own integrity seal, and the header is sealed with its own CRC. Each data block is verified with its own CRC. The entire data block section is subjected to an MD5/SHA-1 hash, called an acquisition hash, which is appended after the data blocks. The header and all CRCs are not included in this MD5/SHA-1 hash. It is important to understand that the MD5/SHA-1 ...
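The layered seals described above can be modelled in a few lines of Python. This is an added example, not code from the book or from EnCase: the container layout (length-prefixed chunks, a block count, `BLOCK_SIZE`) and the function names are assumptions made for illustration, and `zlib.crc32` stands in for the per-block checksum; it is not the real evidence file format.

```python
import hashlib
import struct
import zlib

BLOCK_SIZE = 64  # constructed demo value, not EnCase's real block size


def _sealed(chunk: bytes) -> bytes:
    """Length-prefixed chunk followed by its own CRC-32 (assumed layout)."""
    return struct.pack("<I", len(chunk)) + chunk + struct.pack("<I", zlib.crc32(chunk))


def build_evidence(header: bytes, data: bytes) -> bytes:
    """Header + CRC, data blocks + CRCs, then MD5 of the raw data only."""
    blocks = [data[i:i + BLOCK_SIZE] for i in range(0, len(data), BLOCK_SIZE)]
    body = b"".join(_sealed(b) for b in blocks)
    return _sealed(header) + struct.pack("<I", len(blocks)) + body + hashlib.md5(data).digest()


def _read_sealed(buf: bytes, pos: int):
    """Return (chunk, crc_matches, next_position) for one sealed chunk."""
    (n,) = struct.unpack_from("<I", buf, pos)
    chunk = buf[pos + 4:pos + 4 + n]
    (crc,) = struct.unpack_from("<I", buf, pos + 4 + n)
    return chunk, zlib.crc32(chunk) == crc, pos + 8 + n


def verify_evidence(buf: bytes) -> dict:
    """Check every seal independently and report where a failure is."""
    _header, header_ok, pos = _read_sealed(buf, 0)
    (count,) = struct.unpack_from("<I", buf, pos)
    pos += 4
    md5, bad_blocks = hashlib.md5(), []
    for index in range(count):
        chunk, ok, pos = _read_sealed(buf, pos)
        if not ok:
            bad_blocks.append(index)
        md5.update(chunk)  # data bytes only: header and CRCs are excluded
    return {
        "header_ok": header_ok,
        "bad_blocks": bad_blocks,
        "hash_ok": md5.digest() == buf[pos:pos + 16],  # appended acquisition hash
    }


if __name__ == "__main__":
    image = build_evidence(b"case=DEMO-001", bytes(range(200)))  # constructed sample
    print(verify_evidence(image))
```

Altering a byte inside a data block fails both that block's CRC and the acquisition hash, and the block index shows where the damage is. Altering the header fails only the header CRC, because the header lies outside the acquisition hash.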
