Tuesday, December 14, 2010

Creating hash sets from gold builds, trusted hosts and other sources

I had a need today to create several different hash sets of different production machines in a corporate environment. Normally, I would load up a base image or gold build into EnCase or other forensic tool and hash the drive. In this case, I didn't have access to the servers yet so I wrote some instructions and a batch file using md5deep to be given to the IT/admin that were building the machines so they could quickly run the utility and generate hash values of all the files without having to have access (physically or virtually). I could then take the resulting text file and import it into EnCase using an EnScript I previous wrote.

Below is a zip file that contains three files. The md5deep executable, a batch file and a PDF explaining how to use it. The PDF and batch file was written for IT/sysadmin types who may not understand how to use the program and likely won't spend the time trying to figure it out. So I wrote a simple tutorial just to help speed up the process.

I am no expert in batch file programming, but it works for me, so please don't get your panties all in a bunch because my batch file is messy or its not the way you would do it. If you have a better way then edit it and post it in the comments for others.

As a general reminder (disclaimer), the above process should only be done on clean, fresh installs that have been isolated or protected from users (yes, users). Ideally, this should be done on clean installs, then again once they are patched so you capture multiple versions (hash vales)  of files that have changed during the patching process. Then once again after all the user applications, business apps, etc are loaded, but before an average user gets his paws on it.

The zip file is password protected because I was sending it to sysadmins via email and it contains a batch file and executable.

Password is: "dizzle" (without quotes)

Download here


Lance Mueller Tuesday, 14 December, 2010  

I forgot to mention that if you send this out for admins to use, you might want to edit the batch file to include the "-z" option to capture the size of each file in addition to the hash value. I generally don't care about the name, but the hash and size are very important.

This can be extremely useful to speed up identification and especially if you are doing stuff over the network (i.e. EnCase Enterprise or F-Response)

Anonymous Tuesday, 14 December, 2010  

Good stuff, thanks for sharing this.

Post a Comment

Computer Forensics, Malware Analysis & Digital Investigations

Random Articles