Evidence File Verification
At this point, you know that when EnCase creates an evidence file, it calculates CRC values for its header and each block of data. Additionally, it calculates an MD5/SHA-1 value for the data only. No other data (header, CRC, metadata, and so on) is included in this MD5/SHA-1 hash. If you were to use a third-party tool to calculate an MD5 and/or SHA-1 hash of the device imaged by EnCase, the MD5 and/or SHA-1 hashes should match. If EnCase included data other than the target drive in the hash, those values would not match. Thus, it’s important to understand that EnCase calculates the MD5/SHA-1 value from the data contained in the target device only.
Get EnCE EnCase Computer Forensics: The Official EnCase Certified Examiner Study Guide, 3rd Edition now with the O’Reilly learning platform.
O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.
