Difference between revisions of "Hashkeeper"

From ForensicsWiki
Jump to: navigation, search
m
m
 
(No difference)

Latest revision as of 10:16, 6 February 2011

Run by the National Drug Intelligence Center, part of the U.S. Department of Justice.

HashKeeper is a database application of value primarily to those conducting forensic examinations of computers on a somewhat regular basis.

Overview

The application uses the MD5 file signature algorithm to establish unique numeric identifiers (hash values) for known files and compares those known hash values against the hash values of Computer file|files on a seized computer system. Where those values match, the examiner can say, with statistical certainty, that the corresponding files on the seized system have been authenticated and therefore do not need to be examined.

Origins

Created by the National Drug Intelligence Center (NDIC)—an agency of the United States Department of Justice—in 1996, it was the first source for hash values of "known to be good" files.

Availability

HashKeeper is available, free-of-charge, to law enforcement, military and other government agencies throughout the world. It is available to the public by sending a Freedom of Information Act request to NDIC.

Tools

  • Example script (Media:Hashkeeper.txt) to produce a pair of Hashkeeper format files for a given set of target files (can be imported into EnCase).

External Links