Friday, May 30, 2008

The EnCase Evidence File Components and Function

The EnCase evidence file arrangement carries what is described as “bag-and-tag” information: information pertaining to the case, stored in the header of the file. In addition to the case information, the image file also contains data and file integrity information. Data and file integrity are very important when it comes to ensuring the integrity and proper authentication of the evidence image for court purposes. Message Digest 5 (MD5) and Cyclical Redundancy Check (CRC) are the two functions used to provide these mechanisms within the EnCase evidence file.

MD5 is an algorithm used to verify data integrity by creating a 128-bit message digest from the input data, a digest that is claimed to be as unique to that specific data as a fingerprint is to a specific individual. The result of the calculation is a 128-bit hexadecimal value, which gives 2^128 possible values. This means that the odds of two files having the same MD5 value are 1 in 2^128. Because the chances are statistically remote, the forensic community has adopted and accepted MD5 as sufficient for forensic authentication.

CRC is similar in function and purpose to MD5. The CRC algorithm results in a 32-bit hexadecimal value.

An EnCase evidence file has three major components: the header, the data blocks and the file integrity component (CRC and MD5). The header appears at the front end of the evidence file, and the data blocks follow the header.
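The following added example (not EnCase code and not the real on-disk format) models the three components in memory to show how the two integrity values behave when a single bit of the image changes. The function names, the sample case data, the 64-sector block size and the use of `zlib.crc32` with one CRC per data block are assumptions made for illustration.

```python
import hashlib
import zlib

BLOCK_SIZE = 64 * 512  # assumption: 64 sectors of 512 bytes per data block

def acquire(source: bytes, case_info: dict) -> dict:
    """Model the three components: header, data blocks, integrity values."""
    blocks = []
    for off in range(0, len(source), BLOCK_SIZE):
        chunk = source[off:off + BLOCK_SIZE]
        blocks.append((chunk, zlib.crc32(chunk)))      # 32-bit CRC per block
    return {
        "header": dict(case_info),                     # "bag-and-tag" case data
        "blocks": blocks,
        "md5": hashlib.md5(source).hexdigest(),        # 128-bit digest of all data
    }

def verify(evidence: dict) -> dict:
    """Recompute every CRC and the overall MD5; report what no longer matches."""
    md5 = hashlib.md5()
    bad_blocks = []
    for index, (chunk, stored_crc) in enumerate(evidence["blocks"]):
        if zlib.crc32(chunk) != stored_crc:
            bad_blocks.append(index)                   # CRC localises the damage
        md5.update(chunk)
    return {"bad_blocks": bad_blocks,
            "md5_match": md5.hexdigest() == evidence["md5"]}

def flip_bit(evidence: dict, block_index: int, byte_offset: int) -> dict:
    """Return a copy with one bit changed in one data block (stored values untouched)."""
    blocks = list(evidence["blocks"])
    chunk, stored_crc = blocks[block_index]
    damaged = bytearray(chunk)
    damaged[byte_offset] ^= 0x01
    blocks[block_index] = (bytes(damaged), stored_crc)
    return {**evidence, "blocks": blocks}

# Constructed sample input: 128 KiB of patterned bytes standing in for a source drive.
SAMPLE_SOURCE = bytes(range(256)) * 512
SAMPLE_CASE = {"case_number": "EXAMPLE-001", "examiner": "constructed"}

if __name__ == "__main__":
    image = acquire(SAMPLE_SOURCE, SAMPLE_CASE)
    print("clean:   ", verify(image))
    print("modified:", verify(flip_bit(image, 2, 100)))
```

In this model the block CRC identifies which data block changed, while the MD5 mismatch shows that the image as a whole no longer matches what was acquired.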
