Saturday, August 22, 2009

EnCase EnScript to hash selected files and provide SHA1_Base16 & SHA1_Base32 values

A fellow examiner asked for an EnScript that provides the base32 SHA1 hash value for selected files. This EnScript generates the common base16 SHA1 hash value for selected files. In addition, it converts the base16 SHA1 hash value to a base32 SHA1 value for use in limewire investigations.

To use, just select the files you want the SHA1 values for and then run the EnScript. The output is in the console tab.



Download here

4 comments:

Anonymous Wednesday, 09 September, 2009  

Thanks so much for sharing this!

-Ian

Gary Wednesday, 11 November, 2009  

Maybe you can help!! i am working on a case where I have a series of SHA1_Base16 message digests and I need to convert them to SHA1_Base32. I do not have the orignal files only the Base16 (Hex)SHA1's. ANY idea how one converts them, I am not sure if you need orignal file to generate or if they could be made from one to another (I believe they can). Could you point me in the correct direction??? I prefer a pearl or any linux script if possible...Thanks!!

Lance Mueller Wednesday, 11 November, 2009  

I can certainly try and help you. Please contact me via email: lance(at)forensickb.com. Preferably send me a small sampling of the base16 sha hashes that you want to convert to base32, in the format you have them in. Don't paste them in an email, send me the file or a small portion of the file.

Anonymous Wednesday, 14 July, 2010  

Hi Lance!!

Nice little script :-)

Sugestion for improvement:

Add various hashvalues that the script can use - eg sha1_base32, sha1_base64, TTH, MD4, eD2K etc

Make chek boxes to choose what values to calculate, and make the output in tab delimited format - this way it can be used in eg. Access or Excell

Just a thought :-)

Regards

Søren C, Denmark

Post a Comment

Computer Forensics, Malware Analysis & Digital Investigations

Random Articles