O'Reilly logo

EnCE EnCase Computer Forensics: The Official EnCase Certified Examiner Study Guide, 3rd Edition by Steve Bunting

Stay ahead with the world's most comprehensive technology and business learning platform.

With Safari, you learn the way you learn best. Get unlimited access to videos, live online training, learning paths, books, tutorials, and more.

Start Free Trial

No credit card required

Evidence File Components and Function

An EnCase evidence file has three major components: the header, the data blocks, and the file integrity component (CRC and MD5/SHA-1). The header will appear on the front end of the evidence file, and the data blocks follow the header. The file integrity component exists throughout and provides redundant levels of file integrity.

Each compartment has its own integrity seal, and the header is sealed with its own CRC. Each data block is verified with its own CRC. The entire data block section is subjected to an MD5/SHA-1 hash, called an acquisition hash, which is appended after the data blocks. The header and all CRCs are not included in this MD5/SHA-1 hash. It is important to understand that the MD5/SHA-1 ...

With Safari, you learn the way you learn best. Get unlimited access to videos, live online training, learning paths, books, interactive tutorials, and more.

Start Free Trial

No credit card required