SANS Digital Forensics and Incident Response Blog: Tag - Hash Set

Extracting Known Bad Hash Set From NSRL

Hash filtering is a time-saving technique for a computer forensics examiner working on a large disk image. In a nutshell, this technique filters out all the files in your image that belong to the operating system or to well-known software packages. This lets the examiner focus on unknown files, reducing the scope of the investigation. After all, there's no point in spending time checking files we already know.

This filtering operation is based on hashes. Usually, we calculate the hash for every file in the image and check it against a list of hashes previously calculated over known good files. We call this list the known good hash set. All files with hashes matching the list are filtered out.

On the other hand, we would like to know if there are malicious files in our computer forensics case image. Again, the technique works by calculating the hash for every file in the image, looking for matches in a list containing pre-calculated hashes for known malicious

... Continue reading Extracting Known Bad Hash Set From NSRL


PTK HASH SET MANAGER

Both the free version and the commercial version of the PTK project, which ships with an appliance, are under constant development. PTK is now able to manage hash libraries thoroughly and accurately, making investigation processes faster and easier. At the moment, PTK works with hash libraries in HashKeeper format, or imports only those hash values known to the investigator. PTK does not just create hash sets marked as GOOD or BAD; it also offers the possibility to create new personalized sets and to choose, case by case, the most appropriate set for the lookup operation. The screenshot below shows how it is possible to create three different hash sets (for example INFECTED, SYSTEM and STOLEN).

...