This script creates an EnCase hash-library from the VirusShare hash-lists available to download from https://virusshare.com.

The lists are generated from VirusShare.com's collection of malware samples, which are available to download via BitTorrent.

At the time of writing this, the regular VirusTotal hash-lists comprise 370+ files containing a total of 340M+ hashes.

Accordingly, the script will take some time to run. During this time progress can be monitored via the console-window and status-bar.

Please note that the VirusShare.com malware-collection is known to contain some false positives.

Should this prove problematic, the examiner might wish to consider using a second hash-library, one containing an accurate list of known files, e.g., NIST's National Software Reference Library (NSRL).

The Hash List Importer EnScript can be used to create a hash library from the NSRL NDS hash-set, the minimal set being the recommended one.

The Hash Calculator Plugin EnScript can be used to send a file's SHA-256 hash to VirusTotal.

For additional information, please see the following Twitter post:

• https://twitter.com/SimonDCKey/status/1367755055286415361

This script was developed for use in EnCase training. For more details, please click the following link:

• OpenText EnCase Training