• Tony Fortunato

Maresware Hash software or: a Hash software buffet

ABSTRACT


Often, outside the usual processing menu of a forensic suite, you may want to calculate and record the hash value of a file or of an entire tree structure. Beyond calculating and recording the hash values, you may need to reprocess the hash data for additional steps in the forensic analysis process. You may wish to compare your hash data with the NIST NSRL data sets, use the data to find files that contain duplicate hash values, or find which files show up in forensic SOURCE_A but have not been properly copied to the evaluation directory DESTINATION_B.


In short, the programs described here are specifically designed to work with each other to:

1. Perform hash calculations on files within a directory/tree structure. (md5, sha)
2. Create fixed length records of the hash data that is calculated. (md5, sha)
3. Perform calculation on the data set to see which files are duplicates based on hash value. Maybe the suspect has duplicates of possible evidence. (hashdup)
4. Perform calculation to see which files are contained in SOURCE and not found in DESTINATION. (Your forensic copy didn't quite work. What a surprise!) (hashcmp)
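The four steps above can be sketched in Python. This is an added example, not Maresware code and not from the original article: the function names, the 60-column record layout, the SHA-256 default and the rule that a file counts as missing when its relative path and digest do not both match in the destination are all assumptions, and the sample trees are constructed.

```python
import hashlib
import os
import tempfile
from collections import defaultdict

PATH_WIDTH = 60  # assumed column width for this sketch, not Maresware's record layout

def hash_tree(root, algo="sha256"):
    """Step 1: return {relative_path: hex_digest} for every file under root."""
    out = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            h = hashlib.new(algo)
            with open(full, "rb") as fh:
                # Read in 1 MiB chunks so large evidence files are not loaded whole.
                for chunk in iter(lambda: fh.read(1 << 20), b""):
                    h.update(chunk)
            out[os.path.relpath(full, root)] = h.hexdigest()
    return out

def to_records(hashes):
    """Step 2: fixed-length records, path padded or cut to PATH_WIDTH, then digest."""
    return [f"{p[:PATH_WIDTH]:<{PATH_WIDTH}}{d}" for p, d in sorted(hashes.items())]

def duplicates(hashes):
    """Step 3: groups of paths that share one digest."""
    groups = defaultdict(list)
    for p, d in hashes.items():
        groups[d].append(p)
    return sorted(sorted(g) for g in groups.values() if len(g) > 1)

def missing_from_destination(src, dst):
    """Step 4: source paths absent from, or hashing differently in, the destination."""
    return sorted(p for p, d in src.items() if dst.get(p) != d)

def demo():
    """Build constructed SOURCE_A / DESTINATION_B trees and run all four steps."""
    with tempfile.TemporaryDirectory() as tmp:
        a, b = os.path.join(tmp, "SOURCE_A"), os.path.join(tmp, "DESTINATION_B")
        for root, files in ((a, {"x.txt": b"one", "y.txt": b"one", "z.bin": b"two"}),
                            (b, {"x.txt": b"one"})):
            os.makedirs(root)
            for name, data in files.items():
                with open(os.path.join(root, name), "wb") as fh:
                    fh.write(data)
        src, dst = hash_tree(a), hash_tree(b)
        return to_records(src), duplicates(src), missing_from_destination(src, dst)
```

Comparing on the path and digest pair reports a file that was copied but altered as well as one that was never copied; comparing on digest alone would hide `y.txt` here because its content also exists as `x.txt`.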

Besides using these programs, which are specifically designed to work with each other on Maresware hash-related data, there are many other (non-Maresware) applications available that can reprocess the data for forensic or evidentiary requirements. In addition, other Maresware software, such as diskcat, search, bsearch, compare, and filbreak, can be used to further analyze the data. All the respective help files, and executables ...

