Hash List Importer
This script is designed to read one or more hash-items from a text-file and write them into a user-nominated hash-set in a new hash-library or a sorted binary file. See below for more details regarding the latter option.
If the standard import-option is chosen, the import-file must have the following four fields without a header-row:
- Logical Size
- SHA-1 Hash
The name or logical-size fields may be left empty, but if the hash-library output-option has been chosen, either or both of the MD-5 and SHA-1 fields must contain a value, which must be 16 or 20-bytes (32 or 40-characters) in length respectively. If the option to output to a binary file has been chosen, the MD-5 hash-value must be present (the SHA-1 hash-value won't be used).
The following YouTube video shows how to use the standard import option:
If the NSRL import option is chosen, the script will require the import-file to be called 'NSRLFile.txt'. This file must have the standard NSRL header-row plus the following fields:
Regardless of the format, both input files must have Windows carriage-return line-feed (\x0d\x0a) endings.
If the hash-library output-option is taken, the examiner must specify an empty folder into which the resultant library will be written, together with the name and category of the single hash-set which will house the newly-imported items in the library.
The NSRL-import option is primarily designed to create a hash-library from the minimal NSRL hash-set, one that can be used to exclude known (innocuous) files. Accordingly, the script will only use the file-name, file-size, MD-5 and SHA-1 information if this option is chosen.
It is worth noting that trying to import duplicate hash values like those contained in the full NSRL hash-set (also, some of the other NSRL hash-sets, e.g., that for Android) will result in errors and increase processing time dramatically.
In an effort to overcome this, when processing an NSRL hash-set, the script will skip the current hash if it's the same as the previous one. This works well provided the hash-set is sorted, which is currently the case.
Note that in order to save time, the script will not report the successful import of every value from an NSRL hash-set. It will instead provide summary information and an ETA in the status bar.
Once the hash-library has been created, the examiner can use the Hash Libraries option on the EnCase Case menu to set the new hash library as the current case's primary or secondary library. It's also possible to use the Manage Hash Library option on the Tools menu in order to import the hash-set from the newly created library into another library.
It's important to note that it's not possible to remove a hash-set once it's been added to a hash-library. To overcome this, it's necessary to import the desired hash-set(s) into a new library whilst excluding the remainder.
The option to output a binary file is designed to be used in conjunction with the Binary Hash-List Analysis EnScript, which may provide a faster method of identifying those items with MD-5 hash values that either are, or are not, in a sorted binary list-file. The binary file produced by the script will contain nothing but the sorted, concatenated MD-5 hash-values in binary format; no other metadata will be present.
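The binary list described above can be illustrated with a short Python sketch. This is an added example, not the EnScript's own code or the Binary Hash-List Analysis EnScript; it assumes the records are raw 16-byte digests in ascending byte order, and the function names and sample values are hypothetical.

```python
import hashlib

RECORD = 16  # an MD-5 digest is 16 bytes (32 hex characters)

def build_sorted_md5_blob(hex_hashes):
    """Return sorted, de-duplicated, concatenated raw MD-5 digests."""
    digests = []
    for item_no, text in enumerate(hex_hashes, 1):
        digest = bytes.fromhex(text.strip())  # ValueError on non-hex input
        if len(digest) != RECORD:
            raise ValueError(f"item {item_no}: expected 32 hex characters")
        digests.append(digest)
    digests.sort()  # assumption: ascending byte order
    blob = bytearray()
    previous = None
    for digest in digests:
        # Once sorted, duplicates are adjacent, so comparing with the
        # previous value is enough to drop them.
        if digest != previous:
            blob += digest
        previous = digest
    return bytes(blob)

def contains_md5(blob, hex_hash):
    """Binary-search the fixed-width records for one digest."""
    if len(blob) % RECORD:
        raise ValueError("list length is not a multiple of 16 bytes")
    target = bytes.fromhex(hex_hash.strip())
    lo, hi = 0, len(blob) // RECORD
    while lo < hi:
        mid = (lo + hi) // 2
        record = blob[mid * RECORD:(mid + 1) * RECORD]
        if record == target:
            return True
        if record < target:
            lo = mid + 1
        else:
            hi = mid
    return False

# Constructed sample input: MD-5 values of made-up byte strings, one repeated.
SAMPLE = [hashlib.md5(s).hexdigest().upper()
          for s in (b"alpha", b"bravo", b"alpha", b"charlie")]

if __name__ == "__main__":
    blob = build_sorted_md5_blob(SAMPLE)
    print(len(blob), contains_md5(blob, hashlib.md5(b"bravo").hexdigest()))
```

Because every record has the same width and no metadata is present, a lookup needs only about log2(n) comparisons against the file, which is why a sorted list of this kind can be checked quickly.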
Should the examiner need to quickly identify files from a known set (e.g., confidential company documents), use of the Matching File Analysis EnScript is recommended:
This script calculates hash values on demand but only if the file being checked has a logical size matching that of one of the target files. This makes it much faster and removes the need to hash files beforehand.
This script was developed for use in EnCase training.