Wednesday, July 18, 2007

Adding Hash values to an existing .hash file in EnCase

In my previous post I explained that in the past I have had the need to import hash values from a text file into an EnCase .hash file for use by EnCase and therefore I created an EnScript to import from a text file. In addition, I have also had the need to add hashes to an existing .hash file in EnCase.

You can easily make a hash set in EnCase, but you cannot add to an existing hash set within EnCase. To make matters worse, what if you don't have the files that were used to create a hash set, for example, if the hash set was given to you by another examiner? You would have to create a new hash set with the new files and then also keep the existing one.

Therefore, I wrote an EnScript to hash and then add selected (blue checked) files into an existing EnCase .hash set. The main purpose for writing this was so I could continually add hash values of hacker tools or malware into one hash set, without having to have or maintain the original files to rehash them in order to make a new hash set.

Enjoy.. (tested in v6.5)

Download Here

1 comments:

Mark Thursday, 16 August, 2007  

Just received 20 cd's that I need to hash 10 against the other 10. Using your EnPack allowed much faster response and organization. Thanks.

PS I work for Michael Bean. He says Hi.

Mark Cox, EnCE

Post a Comment

Computer Forensics, Malware Analysis & Digital Investigations

Random Articles