Import a text file of Hash values into a EnCase hash set.
In July, I posted an EnScript that I wrote to import a text file containing the name, size and hash value of file(s) into a EnCase hash set (You can read it here).
I have modified the EnScript to import a simple text file containing just hash values. This was based on a request by a reader and it was a simple chage to make. This new version now imports a simple ASCII text file containing one hash value per line:
937D87886E076C3A9DFC41AF47430E40
AB9A6395505AB2912FA4C6D7927CF359
8D7CDC05145498CC65585171C0084378
F248F38E1A22C94D52E8277AFC89FD90
AF64E5AE9080B01B61344B7C7AF9C972
633395C2507E03AFB2F7DCF34B2B8831
D41D8CD98F00B204E9800998ECF8427E
AB9A6395505AB2912FA4C6D7927CF359
254D506F104A52486B005F9B2C2D3C37
7D1844587162237957143B353679EFF6
The EnScript will create a .hash file in your default export folder that can then be copied into your EnCase\Hash Sets\ folder and used inside EnCase.
Download Here (v5 & v6)
ShareThis
Posts
14 comments:
Lance,
Thanks! This is awesome.
-John
Lance, I just want to say thanks for making this available. I've been slogging my way through manual creation of Hashkeeper sets for years as a way to get external hashes into EnCase, and that approach is an exercise in tedium.
Your EnScript is EXACTLY what I've needed on many occasions, when clients have provided me with lists of filenames and hashes, without providing the actual files.
Thanks!
Jerry Hatchett
Evidence Technology
Houston, TX
I keep getting this error, any thoughts?
Error: Reference to null CaseClass object in function call: ExportFolder, Forensic\Import Hashes from Text File - One hash per line(58,8)
Name: Import Hashes from Text File - One hash per line
Status: Error
Start: 02/20/10 08:04:59AM
Stop: 02/20/10 08:05:13AM
Time: 0:00:14
What is your Export folder set to in the case options?
I get the same eror Lance..
I think it has to do with the txt file.
Some txt files have characters after the hashset.
You cannot see those in the textfiles. I think it are some kind of Carriage Returns.
If you delete those under linux it works.
My only problem is that after a Sort and Uniq under Linux, give 146 unique hashes....After importing Encase says there are only 88 hashvalues under the hashtab. (So I didnt start looking for the files, it is in the hash-tab)
Peter
Peter,
Can you send me the text file? lance(@)forensickb.com
I had the same error until I created a new case.
Thanks very helpful.
As Lance emailed me there is a little problem when you sort and uniq under linux.
Just import the textfile under Windows into the enscript and it should work.
the import doesnt work under version 6.18. i get the message
Error: Reference to null CaseClass object in function call: ExportFolder, Forensic\Import Hashes from Text File - One hash per line(58,8)
Name: Import Hashes from Text File - One hash per line
Status: Error
if i use 6.15, it works fine. how can i bypass this version bug?
Be sure and create a case before running this EnScript.
Just a heads up and a Thanks...Script is still running strong in EnCase 6.18.. Great stuff and saved me a bunch of time going back and forth between a spreadsheet and EnCase.. Great work!!
I have hashed about 800 files in encase and I would like to export those into a txt file with the three fields you have described. I would export name, logical size, and hash value. Then I would like to be able to run that through your script. I was able to get all the way to importing the txt file and naming the .hash file, but it seemed to not run, as I was unable to find the ultimate .hash file. I looked in the default export folder. Any suggestions?
@braves - This script was written for v6 only, which does not use the size and name, only the hash value.
@braves - Not sure why you would want to export hash values out of EnCase into a text file and then re-import them, since you can make a hash set natively inside EnCase, but if you are doing it for testing purposes, EnCase exports data in Unicode. Therefore, make sure the data you want to import via the EnScript is in ANSI.
Post a Comment