Hash List Importer
This script is designed to read one or more hash-items from a text-file and write them into a user-nominated hash-set in a new hash-library or a sorted binary file. See below for information about the latter option.
If the standard import-option is chosen, the import-file must have Windows carriage-return line-feed (\x0d\x0a) endings and the following four fields without a header-row:
- Logical Size
- SHA-1 Hash
The name or logical-size fields may be left empty, but if the hash-library output-option has been chosen, either or both of the MD-5 and SHA-1 fields must contain a value, which must be 16 or 20-bytes (32 or 40-characters) in length respectively. If the option to output to a binary file has been chosen, the MD-5 hash-value must be present (the SHA-1 hash-value won’t be used).
The following YouTube video shows how to use the standard import option:
If the NSRL import option is chosen, the script will expect the import-file to be a minimal RDSv3 hash-set having a *.db file extension.
The NSRL-import option is designed to create a hash-library that can be used to exclude known (innocuous) files.
If the hash-library output-option is taken, the examiner must specify an empty folder into which the resultant library will be written; also, the name and category of the single hash-set which will house the newly-imported items in the library.
It is worth noting that trying to import duplicate hash values will result in errors and increase processing time dramatically - an EnCase hash library cannot contain duplicate hashes.
Note that in order to save time, the script will not report the successful import of every value from an NSRL hash-set. It will instead provide feedback in the status bar.
For RDSv3 hash-sets, this feedback will consist solely of the number of hash items read. This is because the time needed to count the distinct hash values is not conducive to providing an estimated time to completion. That said, the readme.txt file accompanying the hash-set should provide that count.
Once the hash-library has been created, the examiner can use the Hash Libraries option on the EnCase Case menu to set the new hash library as the current case’s primary or secondary library. It’s also possible to use the Manage Hash Library option on the Tools menu in order to import the hash-set from the newly created library into another library.
It’s important to note that it’s not possible to remove a hash-set once it’s been added to a hash-library. To overcome this, it’s necessary to import the desired hash-set(s) into a new library whilst excluding the remainder.
The option to output a binary file is designed to be used in conjunction with the Binary Hash-List Analysis EnScript, which may provide a faster method of identifying those items with MD-5 hash values that either are, or are not, in a sorted binary list-file. The binary file produced by the script will contain nothing but the sorted, concatenated MD-5 hash-values in binary format; no other metadata will be present.
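The binary-file layout described above, as an added example in Python (not part of this script or of the Binary Hash-List Analysis EnScript): it writes sorted, concatenated 16-byte MD-5 values and tests membership by binary search over the file. The function names, the ascending byte-order sort, the de-duplication and the sample digests are assumptions made for illustration.

```python
import hashlib
import os
import tempfile

RECORD = 16  # an MD-5 digest is 16 bytes (32 hex characters)

def build_sorted_md5_file(hex_hashes, path):
    """Write validated, de-duplicated MD-5 digests as sorted 16-byte records."""
    records = set()
    for n, text in enumerate(hex_hashes, 1):
        try:
            raw = bytes.fromhex(text.strip())
        except ValueError:
            raise ValueError(f"item {n}: not hexadecimal") from None
        if len(raw) != RECORD:
            raise ValueError(f"item {n}: MD-5 needs 32 hex characters")
        records.add(raw)
    with open(path, "wb") as fh:
        fh.write(b"".join(sorted(records)))  # assumption: ascending byte order
    return len(records)

def contains_md5(path, hex_hash):
    """Binary-search the file: about log2(n) 16-byte reads per lookup."""
    target = bytes.fromhex(hex_hash)
    size = os.path.getsize(path)
    if size % RECORD:
        raise ValueError("file length is not a multiple of 16 bytes")
    lo, hi = 0, size // RECORD
    with open(path, "rb") as fh:
        while lo < hi:
            mid = (lo + hi) // 2
            fh.seek(mid * RECORD)
            rec = fh.read(RECORD)
            if rec == target:
                return True
            lo, hi = (mid + 1, hi) if rec < target else (lo, mid)
    return False

def demo():
    # Constructed sample data: MD-5 digests of three made-up strings.
    known = [hashlib.md5(s).hexdigest() for s in (b"alpha", b"bravo", b"charlie")]
    path = os.path.join(tempfile.mkdtemp(), "known.bin")
    count = build_sorted_md5_file(known + [known[0].upper()], path)  # one duplicate
    hit = contains_md5(path, known[1])
    miss = contains_md5(path, hashlib.md5(b"delta").hexdigest())
    return count, os.path.getsize(path), hit, miss

if __name__ == "__main__":
    print(demo())
```

Because the file carries no metadata, its length divided by 16 is the only record count available, which is why the lookup rejects a file whose length is not a multiple of 16.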
Should the examiner need to quickly identify files from a known set (e.g., confidential company documents), use of the Matching File Analysis EnScript is recommended:
This script calculates hash values on demand but only if the file being checked has a logical size matching that of one of the target files. This makes it much faster and removes the need to hash files beforehand.
This script was developed for use in EnCase training.