Hi all
I was wondering if anyone knew of a way to convert an NSRLfile to the HASH file EnCase uses without doing the import through EnCase. The import of 7,198,856 MD5 hashes through EnCase takes a bloody long time.
Thanks
I haven't seen either close up, but it should be pretty trivial to write a script to convert one format to another.
If you could provide the NSRL format, and the format for the EnCase HASH file, I'm sure I could gin something up and post it.
However, keep in mind…any operation that has to be done over 7 million times will take a while.
H. Carvey
"Windows Forensics and Incident Recovery"
Maybe you should have a look at:
Juergen
First off let me say thanks for the quick response…
Second - The script at the NSRL web site only converts an NSRLfile.txt to a HashKeeper file ending in the extension .hke and .hsh (you can choose other formats but not the EnCase format). EnCase can read the HashKeeper and NSRLfile formats but has to convert each hash to its own hash format, being a .hash file. Therefore the script on the NSRL site is useless in that it saves little or no time in the conversion process.
Thirdly - Trying to write a Perl script would be hard…The reading and cross-referencing of the NSRL file is easy, but the .hash file that EnCase uses is encoded in some weird way…If you want an example of the file structure of a .hash file check out
The NSRLfile.txt contains the majority of data in the headings: SHA-1; MD5; Filename; Filesize; ProductCode; OpSystemCode; SpecialCode. NSRLMfg.txt contains the headings: MfgCode; MfgName. NSRLOS.txt contains the headings: OpSystemCode; OpSystemName; OpSystemVersion; MfgCode. NSRLProd.txt contains the headings: ProductCode; ProductName; ProductVersion; OpSystemCode; MfgCode; Language; ApplicationType.
My only conclusion is that the EnCase .hash file is a proprietary format and the only way to discover how the format works would be to reverse engineer EnCase, but at this moment it's a last resort and I'm sure EnCase would not be thrilled by this… 😀
seelogic
Mr Seelogic
I have done some research and programming to do this. It is not easy because EnCase cannot do it right.
There are 10.5 million individual, unique MD5 hash values in the NSRLFile. EnCase processes this and results in only 6 million.
You need to include the NSRLProd and Mfg files….I import into MySQL then use my C program to generate the .hash files…
But I haven't quite finished this project yet…if you are willing to pay a small sum then I will finish it for you…
UPDATE: I have finished this project! I can now provide .hash files for use in EnCase. This is the only known way to get the NSRL hash values into EnCase…
Dave
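Added example, not code from any poster in this thread: the preprocessing step discussed above, collapsing NSRLFile rows to one entry per distinct MD5 and joining each to its NSRLProd product name, which also gives an independent unique-hash count to compare against what an import reports. It does not write an EnCase .hash file, since the thread does not describe that format. Assumptions: the files are quoted, comma-separated text with a header row using the column names listed in the thread, and all sample rows are constructed.

```python
import csv
import string

# Constructed sample data. Column names are the headings listed in the thread;
# the quoted, comma-separated layout with a header row is an assumption.
NSRLFILE_TXT = '''"SHA-1","MD5","Filename","Filesize","ProductCode","OpSystemCode","SpecialCode"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA","ABABABABABABABABABABABABABABABAB","notepad.exe",69120,10,"WINXP",""
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA","abababababababababababababababab","notepad.exe",69120,11,"WIN2K",""
"BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB","CDCDCDCDCDCDCDCDCDCDCDCDCDCDCDCD","calc.exe",114688,10,"WINXP",""
"CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC","DEADBEEF","broken.dll",1,10,"WINXP",""
'''
NSRLPROD_TXT = '''"ProductCode","ProductName","ProductVersion","OpSystemCode","MfgCode","Language","ApplicationType"
10,"Example OS","1.0","WINXP","M1","English","Operating System"
11,"Example OS","0.9","WIN2K","M1","English","Operating System"
'''

HEX = set(string.hexdigits)


def load_products(lines):
    """Map ProductCode -> "ProductName ProductVersion" (NSRLProd.txt rows)."""
    return {r["ProductCode"]: f'{r["ProductName"]} {r["ProductVersion"]}'.strip()
            for r in csv.DictReader(lines)}


def unique_md5(lines, products):
    """Collapse NSRLFile rows to one entry per distinct MD5.

    Returns ({md5: sorted product names}, count of rows skipped as malformed).
    """
    seen, skipped = {}, 0
    for row in csv.DictReader(lines):
        md5 = (row.get("MD5") or "").strip().upper()
        if len(md5) != 32 or not set(md5) <= HEX:
            skipped += 1  # truncated or non-hex value: never emit it
            continue
        name = products.get(row.get("ProductCode"), "unknown product")
        seen.setdefault(md5, set()).add(name)
    return {m: sorted(p) for m, p in seen.items()}, skipped


if __name__ == "__main__":
    products = load_products(NSRLPROD_TXT.splitlines())
    hashes, skipped = unique_md5(NSRLFILE_TXT.splitlines(), products)
    for md5, names in sorted(hashes.items()):
        print(md5, "; ".join(names))
    print(f"{len(hashes)} unique MD5 values, {skipped} malformed rows skipped")
```

Both functions accept any iterable of lines, so an open file object can be passed in place of the split sample text.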