Digital Forensic Scientist

1 minute read

I managed to get a hold of a list of known-bad hashes to use in an experiment. The hashes, however, were in EnCase ".hash" format.

I am mostly using the SleuthKit's hfind to do some hash comparisons. My setup could already use the NSRL hash sets with no problem, and TSK is supposed to support EnCase hash sets. I was able to create an index for the EnCase hash sets, but when I attempted to query, I would get an error:

Command: hfind db.hash [hash value] 
Error: "Cannot determine hash database type (hdb_setupindx: Unknown 
Database Type in index header: encase)

No responses when asking about the error on the mailing list, so I looked for other ways to access the hashes.

Finally, I came across Jesse Kornblum's EnCase hash file converter (encase2txt). The tool built fine in Linux (Ubuntu), and the Windows binary worked with no issue on Windows 7 (64bit).

Just point the tool at the EnCase hash database and it will output all the hashes in a format like md5sum. Pipe this plain text output to a file, and you have an md5sum hash file. From this I was able to build the index (hfind -i md5sum hashes.md5) and query the database with no problems.

Thanks Jesse!

You may also enjoy

iLEAPP and RLEAPP updates and dev thoughts

1 minutes to read

Alex (@kviddy) has been pushing some extremely useful updates to the open-source Android forensic tool - [ALEAPP](https://github.com/abrignoni/ALEAPP]. Speci...

What data can you find in RAM?

1 minutes to read

To determine if you need to collect Random Access Memory on-scene, it is useful to know what kinda of investigation-relevant data is often available in RAM.

Modular artifact scripts coming to iLEAPP

1 minutes to read

kviddy has been pushing some great core updates to ALEAPP. Specifically, artifact scripts are now self-contained. This means that script authors no longer ne...