The header2 section The header2 section consists of a UTF16 string as long as necessary. The character data is compressed by zlib. ( spaces added for readability ) Header2 found in EnCase4 1 \n main \n a c \t n \t e \t t \t av \t ov \t m \t u \t p \n unique description \t case number \t evidence number \t examiner name \t notes \t version \t platform \t acquired date \t system date \t pwhash \n \n unique description, case number, evidence number, examiner name, and notes are free form strings (except for \t and \n) acquired date, and system date are in the form unix time stamp "1142163845", which is March 12 2006, 11:44:05 version is the EnCase version used to acquire the image platform is the operating system used to acquire the image pwhash the password hash should be empty for no password Header2 found in EnCase5 3 \n main \n a \t c \t n \t e \t t \t av \t ov \t m \t u \t p \t dc \n unique description \t case number \t evidence number \t examiner name \t notes \t version \t platform \t acquired date \t system date \t pwhash \t ? \n \n srce \n 0 1 \n p n id ev tb lo po ah gu aq \n 0 0 \n -1 -1 \n \n sub \n 0 1 \n p n id nu co gu \n 0 0 \n 1 \n \n unique description, case number, evidence number, examiner name, and notes are free form strings (except for \t and \n) acquired date, and system date are in the form unix time stamp "1142163845", which is March 12 2006, 11:44:05 version is the EnCase version used to acquire the image platform is the operating system used to acquire the image pwhash the password hash should be empty for no password TODO the remaining values are currently unknown Header2 found in EnCase6 3 \n main \n a \t c \t n \t e \t t \t md \t sn \t av \t ov \t m \t u \t p \t dc \n unique description \t case number \t evidence number \t examiner name \t notes \t model \t serial number \t version \t platform \t acquired date \t system date \t pwhash \t ? \n \n srce \n 0 1 \n p n id ev tb lo po ah gu aq \n 0 0 \n -1 -1 \n \n sub \n 0 1 \n p n id nu co gu \n 0 0 \n 1 \n \n unique description, case number, evidence number, examiner name, notes, model, and serial number are free form strings (except for \t and \n) acquired date, and system date are in the form unix time stamp "1142163845", which is March 12 2006, 11:44:05 version is the EnCase version used to acquire the image platform is the operating system used to acquire the image pwhash the password hash should be empty for no password TODO the remaining values are currently unknown