Converting NSRLfiles to HASH files

Edge
Member
 

Converting NSRLfiles to HASH files

Posted: Mar 01, 05 03:19

Hi all

I was wondering if anyone knew of a way to convert an NSRLfile to the HASH file EnCase uses without doing the import through EnCase. The import of 7,198,856 MD5 hashes through EnCase takes a bloody long time.


Thanks  
 
  

keydet89
Senior Member
 

Re: Converting NSRLfiles to HASH files

Posted: Mar 01, 05 13:05

I haven't seen either close up, but it should be pretty trivial to write a script to convert one format to another.

If you could provide the NSRL format, and the format for the EnCase HASH file, I'm sure I could gin something up and post it.

However, keep in mind...any operation that has to be done over 7 million times will take a while.

H. Carvey
"Windows Forensics and Incident Recovery"
www.windows-ir.com
windowsir.blogspot.com  
 
  

juergen
Newbie
 

Re: Converting NSRLfiles to HASH files

Posted: Mar 01, 05 18:37

Maybe you should have a look at:

www.nsrl.nist.gov/Down...#converter

Juergen  
 
  

Edge
Member
 

Re: Converting NSRLfiles to HASH files

Posted: Mar 02, 05 01:05

First off let me say thanks for the quick response...

Second - The script at the NSRL web site only converts an NSRLfile.txt to a HashKeeper file ending in the extension .hke and .hsh (you can choose other formats but not the EnCase format). EnCase can read the HashKeeper and NSRLfile but has to convert each hash to its hash format, being a .hash file. Therefore the script on the NSRL site is useless in that it saves little or no time in the conversion process.

Thirdly - Trying to write a Perl script would be hard... The reading and cross referencing of the NSRL file is easy but the .hash file that EnCase uses is encoded in some weird way... If you want an example of the file structure of a .hash file check out www.guidancesoftware.c..._tools.zip. The structure for an NSRL file is a cross reference text file, e.g. a database.

The NSRLfile.txt contains the majority of data in the headings: SHA-1; MD5; Filename; Filesize; ProductCode; OpSystemCode; SpecialCode. NSRLMfg.txt contains the headings: MfgCode; MfgName. NSRLOS.txt contains the headings: OpSystemCode; OpSystemName; OpSystemVersion; MfgCode. NSRLProd.txt contains the headings: ProductCode; ProductName; ProductVersion; OpSystemCode; MfgCode; Language; ApplicationType.

My only conclusion is that the EnCase .hash file is a proprietary format and the only way to discover how the format works would be to reverse engineer EnCase, but at this moment it's a last resort and I'm sure EnCase would not be thrilled by this...


seelogic  
 
  

daveg
Newbie
 

Re: Converting NSRLfiles to HASH files

Posted: Mar 29, 05 14:57

Mr Seelogic

I have done some research and programming to do this. It is not easy because EnCase cannot do it right.

There are 10.5 million individual, unique, md5 hash values in the NSRLFile. EnCase processes this and results in only 6 million.

You need to include the NSRLProd and Mfg files....I import into MySQL then use my C program to generate the .hash files...

But I haven't quite finished this project yet...if you are willing to pay a small sum then I will finish it for you...

UPDATE: I have finished this project! I can now provide .hash files for use in EnCase. This is the only known way to get the NSRL hash values into EnCase...

Dave
_________________
If at first you don't succeed, try a bigger hammer 
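
An added example, not part of the thread and not any poster's code: a sketch of the preprocessing step discussed above, reading NSRLFile.txt by the column headings listed in the thread, de-duplicating on MD5, and resolving product and manufacturer through NSRLProd.txt and NSRLMfg.txt. It does not write the EnCase .hash format, which the thread leaves undocumented; the function names, the `UNKNOWN` fallback and all sample rows are constructed for illustration.

```python
import csv
import io
import re

MD5_RE = re.compile(r"[0-9A-F]{32}")

def read_rows(text):
    """Yield CSV rows as dicts with lower-cased header names."""
    for row in csv.DictReader(io.StringIO(text)):
        yield {k.strip().lower(): (v or "").strip() for k, v in row.items() if k}

def index_by(text, key):
    """Index a reference file (NSRLProd.txt, NSRLMfg.txt) by one column."""
    return {row[key]: row for row in read_rows(text)}

def unique_md5_records(file_text, prod_text, mfg_text):
    """One record per distinct MD5, plus counters for auditing the import."""
    prods = index_by(prod_text, "productcode")
    mfgs = index_by(mfg_text, "mfgcode")
    records, stats = {}, {"rows": 0, "malformed": 0, "duplicates": 0}
    for row in read_rows(file_text):
        stats["rows"] += 1
        md5 = row.get("md5", "").upper()
        if not MD5_RE.fullmatch(md5):
            stats["malformed"] += 1      # count bad rows instead of importing them
        elif md5 in records:
            stats["duplicates"] += 1     # same hash listed again (e.g. another product)
        else:
            prod = prods.get(row.get("productcode", ""), {})
            mfg = mfgs.get(prod.get("mfgcode", ""), {})
            records[md5] = {"md5": md5, "filename": row.get("filename", ""),
                            "product": prod.get("productname", "UNKNOWN"),
                            "manufacturer": mfg.get("mfgname", "UNKNOWN")}
    return list(records.values()), stats

# Constructed sample data (not real NSRL entries); headings as listed in the thread.
MD5_A, MD5_B = "a" * 32, "B" * 32
SAMPLE_FILE = (
    '"SHA-1","MD5","Filename","Filesize","ProductCode","OpSystemCode","SpecialCode"\n'
    f'"{"1" * 40}","{MD5_A}","app.exe","1024","10","WIN",""\n'
    f'"{"1" * 40}","{MD5_A.upper()}","app.exe","1024","10","WIN",""\n'
    f'"{"2" * 40}","{MD5_B}","lib.dll","2048","99","WIN",""\n'
    f'"{"3" * 40}","not-a-hash","bad.bin","1","10","WIN",""\n'
)
SAMPLE_PROD = (
    '"ProductCode","ProductName","ProductVersion","OpSystemCode","MfgCode","Language","ApplicationType"\n'
    '"10","Example Suite","1.0","WIN","7","English","Utility"\n'
)
SAMPLE_MFG = '"MfgCode","MfgName"\n"7","Example Corp"\n'
```

Comparing `stats["rows"]` with the number of records returned gives an independent count of distinct MD5 values to check against whatever an import tool reports.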
 
