.hash files not recognized by FTK or IEF

(@cottondale)
Posts: 17
Active Member
Topic starter
 

We have just installed FTK 5.1. I am trying to use my library of hash values to help in my cases. These are all hash sets of notable images from various LE agencies and are all in the .hash format. The book says FTK can accept .hash files, but when I called tech support, I was informed they do not support this in v5. From my understanding, previous versions of FTK would allow imports of .hash files, but that has gone away with v5. I have scoured message boards and cannot find a conversion program to turn my .hash files into a .csv, or any other format FTK recognizes. We have another box here with FTK v1 installed. I can import these .hash files to that program easily (it's amazing, they have a button just for .hash files). I have heard there is an export function on previous versions of FTK, but am unable to find it on this version (the menus are radically different from v5). We also use IEF, which can now hash, but they only accept csv format as well. I was informed simply changing the extension of the hash file will have no effect. How can I use my hash sets with FTK? I do have access to EnCase v7 as well. I hear there is an export function on there, but have not been able to simply click an export and shoot them to a csv.

Thank you

 
Posted : 11/03/2014 6:52 pm
Adam10541
(@adam10541)
Posts: 550
Honorable Member
 

http://www.forensicfocus.com/Forums/viewtopic/t=2781/

You may wish to PM jcas1411 from that thread as a few years ago he apparently wrote a script for converting .hash to .csv and vice versa.

Also 😉

https://www.google.com.au/search?q=how+to+convert+.hash+to+.csv&ie=utf-8&oe=utf-8&aq=t&rls=org.mozillaen-USofficial&client=firefox-a&channel=sb&gfe_rd=cr&ei=ObwfU6D-JsnC8geYloDgBQ

 
Posted : 12/03/2014 5:47 am
(@mcman)
Posts: 189
Estimable Member
 

.hash files are EnCase specific but they're pretty easy to convert if you have access to EnCase v6.

For v6, simply click view, then hash sets and your hash set should be listed in there as long as it's placed in the proper folder, then select "Hash Items" which will give you a listing of all the hashes in that list. Finally, right click the hashes and select Export. From this screen you can select the output format (CSV if you wish, IEF accepts the line separated Text format) and the fields you want to export (I would suggest only including the "Hash" field to ensure your new hash set is compatible with as many other tools as possible). Select Finish and you should be good to go.

For v7, Guidance really changed everything around. The .hash files are no longer supported (only as "legacy" sets) and they now use .bin files to store everything. I still haven't found a way to export to CSV or txt so if anyone else has please let the group know.

Jesse Kornblum wrote a script here (http://jessekornblum.livejournal.com/285173.html?nojs=1) to convert the hashes to txt. Though I haven't tested it, others have told me it works well. IEF will take the txt format, not sure of all the formats FTK supports.

Thanks,
Jamie

 
Posted : 12/03/2014 5:28 pm
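
Added example (not part of any post in this thread, and not the jcas1411 or Jesse Kornblum script): a check to run on an exported hash list before importing it into another tool, producing both the line-separated text and a single-column CSV. It assumes the set holds MD5 values and that a CSV export has a header row with a "Hash" column; the other column names and the sample rows are constructed.

```python
import csv
import io
import re

MD5_RE = re.compile(r"^[0-9a-fA-F]{32}$")  # assumption: the set holds MD5 values

def normalize_hash_export(text, column="Hash"):
    """Return (hashes, rejected) from a CSV or one-hash-per-line export."""
    text = text.lstrip("\ufeff")  # drop a UTF-8 BOM if the export has one
    rows = [r for r in csv.reader(io.StringIO(text))
            if any(cell.strip() for cell in r)]  # skip blank lines
    if not rows:
        return [], []
    header = [c.strip().lower() for c in rows[0]]
    if column.lower() in header:
        idx = header.index(column.lower())
        rows = rows[1:]
    else:
        idx = 0  # no header row: treat the first field as the hash
    seen, hashes, rejected = set(), [], []
    for rowno, row in enumerate(rows, start=1):
        value = row[idx].strip() if idx < len(row) else ""
        if not MD5_RE.match(value):
            rejected.append((rowno, value))  # report, do not silently drop
            continue
        value = value.lower()  # one canonical case so duplicates collapse
        if value not in seen:
            seen.add(value)
            hashes.append(value)
    return hashes, rejected

def to_text(hashes):
    """Line-separated text, one hash per line."""
    return "".join(h + "\n" for h in hashes)

def to_csv(hashes, column="Hash"):
    """Single-column CSV with a header row."""
    out = io.StringIO()
    writer = csv.writer(out, lineterminator="\n")
    writer.writerow([column])
    writer.writerows([h] for h in hashes)
    return out.getvalue()

# Constructed sample export (not real case data)
SAMPLE = ("\ufeffName,Hash,Category\n"
          "item1,D41D8CD98F00B204E9800998ECF8427E,Notable\n"
          "item2,d41d8cd98f00b204e9800998ecf8427e,Notable\n"
          "item3,900150983cd24fb0d6963f7d28e17f72,Notable\n"
          "item4,not-a-hash,Notable\n")
```

Comparing the count of returned hashes plus rejected rows against the entry count shown in the exporting tool confirms nothing was lost in the conversion.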
(@cottondale)
Posts: 17
Active Member
Topic starter
 

Thank you. Luckily I have access to a machine with EnCase v6. I was able to export them and they're sitting in IEF now. FTK seems a little slower than it should on the import, but hopefully they will be in there by morning.

 
Posted : 12/03/2014 11:26 pm