Difference between pages "Hashkeeper" and "Live CD"

From ForensicsWiki
(Difference between pages; both revisions are marked as minor edits, and the Live CD revision carries the edit summary "See Also: there are advantages, disadvantages and issues")
Hashkeeper (left side of the comparison):

Run by the National Drug Intelligence Center, part of the U.S. Department of Justice.

'''HashKeeper''' is a database application of value primarily to those conducting forensic examinations of computers on a somewhat regular basis.

== Overview ==
The application uses the [[MD5]] file signature algorithm to establish unique numeric identifiers (hash values) for known files and compares those known hash values against the hash values of [[Computer file|files]] on a seized computer system. Where those values match, the examiner can say, with statistical certainty, that the corresponding files on the seized system have been authenticated and therefore do not need to be examined.

== Origins ==
Created by the National Drug Intelligence Center (NDIC)—an agency of the United States Department of Justice—in 1996, it was the first source for hash values of "known to be good" files.

== Availability ==
HashKeeper is available, free-of-charge, to law enforcement, military and other government agencies throughout the world. It is available to the public by sending a [http://www.usdoj.gov/ndic/foia.htm Freedom of Information Act] request to NDIC.

== Tools ==
* Example script ([[Media:Hashkeeper.txt]]) to produce a pair of '''Hashkeeper''' format files for a given set of target files (can be imported into [[EnCase]]).

== External Links ==
* [http://www.usdoj.gov/ndic/about.htm Official NDIC website]
* [http://tech.groups.yahoo.com/group/hashkeeper/ Hashkeeper mailing list]

[[Category:Hashing]]

Live CD (right side of the comparison):

{{expand}}

A '''live CD''' is a CD containing a bootable computer [[operating system]]. Live CDs are widely used in [[computer forensics]] and [[Incident Response | incident response]].

== Advantages ==
* [[Physical memory]] of a computer can be imaged by performing cold boot attack without running tools on an untrusted [[OS]];
* Acquisition over a network connection without running tools on an untrusted [[OS]];
* No need to reconstruct [[RAID]] arrays;
* etc.

== Disadvantages ==
* Out-of-date software;
* No simple way to reconfigure Live CD: you cannot easily rebuild ''foo'' to support ''bar'' (e.g. rebuild [[Sleuthkit]] to support [[AFF]]).

== See Also ==
* [[:Category:Live CD|Forensics Live CDs]]
* [[Forensic Live CD issues]]
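The known-file filtering that the Hashkeeper overview describes, as an added example that is not the wiki's or NDIC's own code: known MD5 values go into a set, every file on the target is hashed, and only files whose hash is absent from the set are reported for examination. The file contents, directory layout and known-hash list are constructed here for illustration; the Hashkeeper file format itself is not shown.

```python
# Added example (not from the ForensicsWiki page): HashKeeper-style
# known-file filtering. Files whose MD5 matches a known value are dropped;
# the rest are the files an examiner still has to look at.
import hashlib
import os
import tempfile
from pathlib import Path

CHUNK = 1 << 20  # stream files in 1 MiB chunks so large evidence files fit in memory


def md5_hex(data):
    """Hex MD5 of an in-memory byte string (used to build the constructed known set)."""
    return hashlib.md5(data).hexdigest()


def md5_of_file(path):
    """Hex MD5 of a file on disk, computed without reading it all at once."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def unknown_files(root, known_hashes):
    """Hash every regular file under root and return sorted (relative path, md5)
    pairs for files whose hash is NOT in known_hashes (case-insensitive)."""
    known = {h.lower() for h in known_hashes}
    result = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            digest = md5_of_file(path)
            if digest not in known:
                result.append((str(path.relative_to(root)), digest))
    return sorted(result)


def demo():
    """Constructed 'seized' tree: two known-good files plus one user file."""
    known_content = {"notepad.exe": b"constructed known-good binary\n",
                     "readme.txt": b"constructed known-good document\n"}
    known_hashes = {md5_hex(c) for c in known_content.values()}
    with tempfile.TemporaryDirectory() as root:
        for name, content in known_content.items():
            (Path(root) / name).write_bytes(content)
        os.makedirs(Path(root) / "docs")
        (Path(root) / "docs" / "notes.txt").write_bytes(b"constructed user file\n")
        return unknown_files(root, known_hashes)  # only docs/notes.txt remains


if __name__ == "__main__":
    for rel, digest in demo():
        print(digest, rel)
```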
Latest revision as of 08:17, 23 April 2014

Please help to improve this article by expanding it.
Further information might be found on the discussion page.

A live CD is a CD containing a bootable computer operating system. Live CDs are widely used in computer forensics and incident response.

Advantages

  • Physical memory of a computer can be imaged by performing cold boot attack without running tools on an untrusted OS;
  • Acquisition over a network connection without running tools on an untrusted OS;
  • No need to reconstruct RAID arrays;
  • etc.

Disadvantages

  • Out-of-date software;
  • No simple way to reconfigure Live CD: you cannot easily rebuild foo to support bar (e.g. rebuild Sleuthkit to support AFF).

See Also