Saturday, February 1, 2014

EnScript to create EnCase v7 hash set from text file


It has been nearly seven years since I posted an EnScript to import hash values from a text file and create an EnCase v6 hash set. That EnScript still remains popular to this day.

The EnScript linked below was written to do the same thing for EnCase v7. Hash values in EnCase v7 are stored in a completely different format than in v6, and while I had to build the v6 hash sets from scratch, EnCase v7 includes an EnScript API that creates a hash set in the new format.

It still surprises me to this day that EnCase has no built-in feature to import a list of hash values from a simple text file into a hash set. Many examiners and incident responders receive plain text files of hash values from third-party tools without having the original files; malware databases like VirusTotal and VirusShare, for example, publish hash values, but you do not necessarily have the file itself to compute the hash on your own.

This EnScript was written to read a text file with up to three fields per line:

MD5
SHA1
logical size

The order of the fields is not important; they can appear in any order. The delimiter can be a space, tab or comma, and there should not be a header row with field labels. The EnScript was designed to read and parse an ANSI text file.

Here is a sample input file from http://virusshare.com/hashes/VirusShare_00001.md5 (shown as a screenshot in the original post). Lines that begin with '#', such as the comment header at the top of that file, are automatically ignored.

Here is another example file (also shown as a screenshot in the original post) that contains three fields (MD5, SHA1, logical size) extracted with awk from the lists at http://a4lg.com/downloads/vxshare/. The screenshot shows a text file containing the MD5 and SHA1 values that awk pulled out of those lists.
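As an added illustration (this is not code from the post or from the EnScript itself), the following Python script checks a text file against the layout described above before it is handed to the EnScript: it skips '#' comment lines, accepts space, tab or comma delimiters, recognises each field by its shape so column order does not matter, reports a header row or any unrecognised field with its line number, drops duplicate lines and writes the list back out in a fixed MD5, SHA1, size order. The sample list is constructed; its hashes are the well-known MD5 and SHA1 values of the empty string and of the one-byte string "a".

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Field recognisers: a field is typed by its shape, so column order does not matter.
MD5_RE = re.compile(r"^[0-9a-fA-F]{32}$")
SHA1_RE = re.compile(r"^[0-9a-fA-F]{40}$")
SIZE_RE = re.compile(r"^[0-9]+$")
DELIM_RE = re.compile(r"[ \t,]+")  # space, tab or comma; runs are collapsed


@dataclass
class HashRecord:
    md5: Optional[str] = None
    sha1: Optional[str] = None
    logical_size: Optional[int] = None


def parse_hash_list(text: str) -> Tuple[List[HashRecord], List[str]]:
    """Parse a hash list in the layout the post describes.

    Returns (records, problems). A line is accepted only when every field is
    recognised as exactly one of MD5, SHA1 or logical size and at least one
    hash is present; anything else is reported with its line number so the
    file can be fixed before it is given to the EnScript.
    """
    records: List[HashRecord] = []
    problems: List[str] = []
    seen = set()
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and '#' comment lines are skipped
        fields = [f for f in DELIM_RE.split(line) if f]
        if len(fields) > 3:
            problems.append(f"line {lineno}: expected at most three fields, got {len(fields)}")
            continue
        rec = HashRecord()
        bad = None
        for field in fields:
            # Hash patterns are tested before the size pattern, so a 32- or
            # 40-digit all-decimal token is treated as a hash, not a size.
            if MD5_RE.match(field) and rec.md5 is None:
                rec.md5 = field.lower()
            elif SHA1_RE.match(field) and rec.sha1 is None:
                rec.sha1 = field.lower()
            elif SIZE_RE.match(field) and rec.logical_size is None:
                rec.logical_size = int(field)
            else:
                bad = field  # header label, malformed hash or repeated field type
                break
        if bad is not None:
            problems.append(f"line {lineno}: unrecognised or duplicate field {bad!r}")
            continue
        if rec.md5 is None and rec.sha1 is None:
            problems.append(f"line {lineno}: no hash value on the line")
            continue
        key = (rec.md5, rec.sha1, rec.logical_size)
        if key in seen:
            continue  # exact duplicate line; keep the first copy only
        seen.add(key)
        records.append(rec)
    return records, problems


def to_normalised_lines(records: List[HashRecord]) -> List[str]:
    """Emit one comma-delimited line per record in fixed MD5,SHA1,size order,
    leaving out optional fields that are absent (no empty columns)."""
    out = []
    for rec in records:
        parts = [rec.md5 or "", rec.sha1 or "",
                 "" if rec.logical_size is None else str(rec.logical_size)]
        out.append(",".join(p for p in parts if p))
    return out


# Constructed sample in the post's input layout (not real malware hashes):
# mixed delimiters, mixed column order, upper-case hex, a stray header row
# and a duplicate line.
SAMPLE = """\
# constructed example list for this script
d41d8cd98f00b204e9800998ecf8427e
0cc175b9c0f1b6a831c399e269772661 86f7e437faa5a7fce15d1ddcb9eaeaea377667b8 1
0\tda39a3ee5e6b4b0d3255bfef95601890afd80709\tD41D8CD98F00B204E9800998ECF8427E
md5,sha1,size
d41d8cd98f00b204e9800998ecf8427e
"""

if __name__ == "__main__":
    recs, probs = parse_hash_list(SAMPLE)
    for p in probs:
        print("PROBLEM:", p)
    for line in to_normalised_lines(recs):
        print(line)
```

Running the script on the constructed sample yields three accepted records and one problem (the header row), and the duplicate last line is dropped. Writing the normalised output to a new file gives you a clean, de-duplicated list to select when the EnScript prompts for the text file.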
 
Once you have a text file with the hash values you want to use (the second hash value and the logical size are optional), run the EnScript and select the text file.
Specify a Name (this becomes both the name of the directory created to hold the hash indexes and the name displayed inside the EnCase Hash Library Manager), a Category and a Hash Set Tag.
Once run, a directory containing the EnCase v7 hash set indexes is created in the default export folder for your case.
You can now add the hash set using the EnCase Manage Hash Library option.


Computer Forensics, Malware Analysis & Digital Investigations
