Tuesday, September 24, 2013

EnCase EnScript to generate eDonkey ED2K hash values

I recently had a request for an EnScript to help generate some ED2K hash values for the purpose of comparing them to some known bad files based on those ED2K hash values.

ED2K (eDonkey 2000) hash values are documented here and are essentially MD4 hash values. For a file of up to 9,728,000 bytes, the ED2K hash is simply the MD4 of the file. If the file is larger than 9,728,000 bytes, it is the MD4 of a hash list: the file is split into 9,728,000-byte chunks, each chunk is hashed with MD4, the chunk hashes are concatenated, and the ED2K hash is the MD4 of that concatenated string.
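To make the chunking rule concrete, here is an added Python implementation of the scheme described above (not the EnScript or DLL from this post). It carries its own MD4 because OpenSSL-based hashlib builds frequently have MD4 disabled, and it follows the post's description exactly: a file of exactly 9,728,000 bytes is hashed as one chunk, whereas eMule's later variant appends the hash of an empty chunk for exact multiples of the chunk size, so results can differ for such files.

```python
import struct

ED2K_CHUNK = 9_728_000  # chunk size used by the eDonkey hash list


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF


def md4(data: bytes) -> bytes:
    """MD4 per RFC 1320, in pure Python (OpenSSL builds often disable MD4)."""
    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    h = lambda x, y, z: x ^ y ^ z
    # Pad to 56 mod 64 bytes, then append the 64-bit little-endian bit length.
    msg = data + b"\x80" + b"\x00" * ((55 - len(data)) % 64) + struct.pack("<Q", 8 * len(data))
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    rounds = (  # (boolean function, additive constant, shift amounts, word order)
        (f, 0x00000000, (3, 7, 11, 19), range(16)),
        (g, 0x5A827999, (3, 5, 9, 13), (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15)),
        (h, 0x6ED9EBA1, (3, 9, 11, 15), (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)),
    )
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = state
        for func, const, shifts, order in rounds:
            for i, k in enumerate(order):
                a, b, c, d = d, _rotl((a + func(b, c, d) + x[k] + const) & 0xFFFFFFFF, shifts[i % 4]), b, c
        state = [(s + v) & 0xFFFFFFFF for s, v in zip(state, (a, b, c, d))]
    return struct.pack("<4I", *state)


def ed2k_hash(data: bytes, chunk_size: int = ED2K_CHUNK) -> str:
    """ED2K hash as the post describes it: MD4 of the file when it fits in one
    chunk, otherwise MD4 over the concatenated MD4s of each chunk.
    Note: eMule's newer variant appends md4(b"") to the hash list when the size
    is an exact multiple of chunk_size; that variant is not applied here."""
    if len(data) <= chunk_size:
        return md4(data).hex()
    hash_list = b"".join(md4(data[i:i + chunk_size]) for i in range(0, len(data), chunk_size))
    return md4(hash_list).hex()


def console_lines(files: dict) -> list:
    """Mimic the EnScript's console output: '<ED2K hash>\t<full path>' per file.
    `files` maps a (constructed) full path to that file's content."""
    return [f"{ed2k_hash(content)}\t{path}" for path, content in files.items()]
```

`chunk_size` is exposed only so the hash-list path can be exercised on small inputs; leave it at the default for real ED2K values.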

This EnScript will generate the ED2K hash values for all files that are tagged with the "ED2K" label OR, if no files are tagged with that label, the EnScript will hash all files, excluding unallocated clusters and any internal file system files ($MFT, $LogFile, etc.).

When run, the EnScript will display a brief information page explaining the two options (tagged files or all files). This EnScript also has an auto-update check function that checks this blog for the latest version and notifies you if there is a new release. If you do not have an Internet connection, the auto-check will time out and the EnScript will function normally.

All the ED2K hash values are written to the console with two fields: ED2K hash value [tab] Full Path. You can then copy this data into whatever format you wish (Excel, for example).

Since EnCase does not expose an MD4 hashing method to EnScript, this EnScript relies upon a DLL that I wrote that contains the ED2K hashing routine/logic (included in the zip). Simply unzip the archive file and place the EnScript (EnPack) and the DLL in the EnScript folder, and then you can run it from within EnCase:

Results are in the Console Tab:


Download here (EnCase v7)
