Using Maresware to Validate Forensic File Hashes
top of page
Search

Using Maresware to Validate Forensic File Hashes

ABSTRACT

I decided to put this document together because a few days ago, a very intelligent forensic investigator said his co-workers asked how to easily use hashing software to compare hash values from pointA to pointB. His exact quote is/was "A colleague did ask if we can get the tool just to hash source and hash destination, comparing differences without any copying".


So I got to thinking. I know, its bad for the health. But I was thinking about how many others might at some point wished they had a simple program or process to do just that. I realize that the large suites can compare hashes, but that involves creating a case, loading the data, etc. etc. etc.; and other hashing software can compare the source and destination, but usually that usually occurs during the actual copy process, and/or installation of the software (remember to read my hash test article). So what about a simple, process or batch file (thats a script for you millenials) that could match hashes from pointA to pointB any time you wish, without creating a case, and without going thru a copy process, because you already have the two directories populated. Lets design a simple process that could be performed routinely.




I discuss three processes on how to validate and/or compare hash values using a number of different Maresware programs. Don't be overwhelmed at the descriptions or processes.

Because they are generic, they can be re-used and modified easily. Know full well that in my previous life, I actually taught internal auditors how to use the software efficiently. So you should have no trouble learning its process.


Also, I remind the reader that the operation of the software used in these descriptions: (hash, hashcmp, disksort, total, compare) is extremely generic and can (and has been) be used to process other types of data which an analyst, or investigator might generate in day to day operations. So when reading the capabilities of the software, don't restrict your thoughts to merely matching hash values.


One other thing discussed at the end of this article is an alternative to hash matching. It is a program that will take a hash data file and tell you which hash values have duplicates. hash_dup Help file, and hash_dup.exe download.



117 views

Recent Posts

See All
bottom of page