FileHash2SQLite will take a tagged set of files and export their MD5 hash values to a SQLite database. The user is presented with an option to use an existing database or create a new. The user will then select or enter the database file name. Lastly, the user will select the tag(s) for matching files. The resulting database has four columns: id, casenum, examiner and hash.

The database collects hash values of notable files (typically malware) and their associated Case Numbers and Examiners. Users can then find previous cases with matching files by searching for a notable hash value.

The SQLite database can be queried using the sqlite3 command line utility with a command line session similar to the one shown below.

C:\>sqlite3 casehashes.sqlite SQLite version 3.8.6 2014-08-15 11:46:33 Enter ".help" for usage hints. sqlite> select * from hashes where hash='2151D58EEBC3A051529C010A548C8953'; 6|ABC123456-01|Dick Jones|2151D58EEBC3A051529C010A548C8953'