  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1053

EnCase Version 5 - Hash analysis

I have to solve a crime related to an extortion incident using EnCase version 5 (for educational purposes). I do not know anything about hash analysis.
1. What the heck is it?
2. What does it accomplish?
3. How do I do it?
Asked:
sergeiweerasuriya
2 Solutions
 
chris_calabrese Commented:
I'm guessing the meaning here is to take a hash of all the files on the system using, e.g., MD5 and then compare them against a database of hash values for "interesting" files.

For an extortion case, the database might have hashes for a bunch of documents related to the extortion subject. Then you can use this technique to easily find copies of those documents.

Not sure exactly how you do this in EnCase 5.
 
sergeiweerasuriya Author Commented:
Finding out how to do it in EnCase is not difficult, if I knew what files to look for. The documents related to the extortion case are a bunch of email messages. I do not see the point in checking an email message for hash values. Let's say I check the hash value of an email file. If I do so, what would it tell me about that particular file?
 
chris_calabrese Commented:
Yeah, probably not so useful on an email file as much as on an individual email.
 
sergeiweerasuriya Author Commented:
What do you mean "not so useful on an email file as much as on an individual email"? What's the difference between an email file and an individual email?
 
chris_calabrese Commented:
The hash method usually works at the file level. An email file usually has many emails in it.
 
sergeiweerasuriya Author Commented:
So when analysing email files, what should I look for? Is it only the contents of the email? Some emails seem quite bizarre to me; for instance, the date created, sent and received appear to be the same (same hour, minute and second).
 
chris_calabrese Commented:
For an extortion case you'd be looking primarily at content. You'd look at the timestamps and such if you thought that the emails were forged or planted.
 
SPOued Commented:
sergeiweerasuriya,
I've used EnCase (in testing only), and the "hash" being referred to seems to me to be the value which you need to use when comparing the original data to the duplicated one to ensure integrity. EnCase usually works by creating an exact duplicate of the data (without leaving any trace) being investigated. If you're to take a case to court, the court would like to know that the data from which you've acquired evidence has not been altered, meaning you'll need a hash to check the integrity.
So, in a nutshell, hash analysis is just about making sure you have an exact duplicate of the original data...
Hope this helps...
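
Added example, not part of the original thread and not EnCase's own code: a Python sketch of the two uses of hashing discussed above, matching individual emails against a known-hash set (versus hashing the whole email file) and checking that a copy is identical to the original. The mbox format, the sample messages, the whitespace normalisation and all function names are assumptions made for illustration.

```python
import hashlib
import mailbox
import os
import tempfile

# Constructed sample: one "email file" (mbox) containing two individual emails.
SAMPLE_MBOX = (
    b"From alice@example.com Mon Jan  2 10:00:00 2006\n"
    b"From: alice@example.com\nTo: bob@example.com\nSubject: lunch\n\n"
    b"See you at noon.\n\n"
    b"From mallory@example.com Mon Jan  2 11:00:00 2006\n"
    b"From: mallory@example.com\nTo: bob@example.com\nSubject: pay up\n\n"
    b"Send the money or the photos go public.\n\n"
)

def md5_hex(data: bytes) -> str:
    # MD5 because the thread mentions it; hashlib.sha256 drops in the same way.
    return hashlib.md5(data).hexdigest()

def match_messages(mbox_path: str, known: dict) -> list:
    """Hash each message body and return (subject, label) for known hashes."""
    hits = []
    box = mailbox.mbox(mbox_path)
    try:
        for msg in box:
            # Assumption: bodies are compared after trimming outer whitespace.
            body = msg.get_payload().strip().encode("utf-8")
            label = known.get(md5_hex(body))
            if label:
                hits.append((msg["Subject"], label))
    finally:
        box.close()
    return hits

def verify_copy(original: bytes, copy_path: str) -> bool:
    """Integrity check: the copy's hash must equal the original's hash."""
    with open(copy_path, "rb") as fh:
        return md5_hex(fh.read()) == md5_hex(original)

def demo():
    # Constructed "hash database" holding one document of interest.
    known = {md5_hex(b"Send the money or the photos go public."): "extortion demand"}
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "inbox.mbox")
        with open(path, "wb") as fh:
            fh.write(SAMPLE_MBOX)
        container_hit = md5_hex(SAMPLE_MBOX) in known  # whole-file hash
        return container_hit, match_messages(path, known), verify_copy(SAMPLE_MBOX, path)

if __name__ == "__main__":
    print(demo())
```

The whole-file hash finds nothing because the container holds other messages too, while the per-message hash identifies the email of interest.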