Converting NSRLfiles to HASH files  

Edge
(@edge)
New Member

Hi all

I was wondering if anyone knew of a way to convert an NSRLfile to the HASH file EnCase uses without doing the import through EnCase. The import of 7,198,856 MD5 hashes through EnCase takes a bloody long time.

Thanks

Posted : 01/03/2005 2:19 am
keydet89
(@keydet89)
Community Legend

I haven't seen either close up, but it should be pretty trivial to write a script to convert one format to another.

If you could provide the NSRL format, and the format for the EnCase HASH file, I'm sure I could gin something up and post it.

However, keep in mind…any operation that has to be done over 7 million times will take a while.

H. Carvey
"Windows Forensics and Incident Recovery"
http://www.windows-ir.com
http://windowsir.blogspot.com

Posted : 01/03/2005 12:05 pm
juergen
(@juergen)
New Member

Maybe you should have a look at:

http://www.nsrl.nist.gov/Downloads.htm#converter

Juergen

Posted : 01/03/2005 5:37 pm
Edge
(@edge)
New Member

First off let me say thanks for the quick response…

Second - The script at the NSRL web site only converts an NSRLfile.txt to a HashKeeper file ending in the extension .hke and .hsh (you can choose other formats but not the EnCase format). EnCase can read the HashKeeper and NSRLfile but has to convert each hash to its hash format, being a .hash file. Therefore the script on the NSRL site is useless in that it saves little or no time in the conversion process.

Thirdly - Trying to write a Perl script would be hard… The reading and cross referencing of the NSRL file is easy but the .hash file that EnCase uses is encoded in some weird way… If you want an example of the file structure of a .hash file check out http://www.guidancesoftware.com/support/downloads/hashsets/hacker_tools.zip . The structure for an NSRL file is a cross reference text file, e.g. a database.

The NSRLfile.txt contains the majority of data in the headings: SHA-1; MD5; Filename; Filesize; ProductCode; OpSystemCode; SpecialCode. NSRLMfg.txt contains the headings: MfgCode; MfgName. NSRLOS.txt contains the headings: OpSystemCode; OpSystemName; OpSystemVersion; MfgCode. NSRLProd.txt contains the headings: ProductCode; ProductName; ProductVersion; OpSystemCode; MfgCode; Language; ApplicationType.

My only conclusion is that the EnCase .hash file is a proprietary format and the only way to discover how the format works would be to reverse engineer EnCase, but at this moment it's a last resort and I'm sure EnCase would not be thrilled by this… 😀

seelogic

Posted : 02/03/2005 12:05 am
daveg
(@daveg)
New Member

Mr Seelogic

I have done some research and programming to do this. It is not easy because EnCase cannot do it right.

There are 10.5 million individual, unique MD5 hash values in the NSRLFile. EnCase processes this and results in only 6 million.

You need to include the NSRLProd and Mfg files….I import into MySQL then use my C program to generate the .hash files…

But I haven't quite finished this project yet…if you are willing to pay a small sum then I will finish it for you…

UPDATE: I have finished this project! I can now provide .hash files for use in EnCase. This is the only known way to get the NSRL hash values into EnCase…

Dave

Posted : 29/03/2005 3:57 pm
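
An added example, not part of any post in this thread and not code from NIST or Guidance Software: a Python script that reads NSRLFile.txt and NSRLProd.txt by the column headings listed above, counts rows against unique MD5 values, and groups the MD5s per product. The sample rows, hash values and product names are constructed, and the output is a plain per-product MD5 list, not the EnCase .hash format, which the thread does not document.

```python
import csv
import io
from collections import defaultdict

# Constructed sample data (dummy hashes, hypothetical product names), laid out
# with the column headings listed in the thread.
H1, H2, SHA = "A" * 31 + "1", "b" * 32, "0" * 40
NSRLFILE = (
    '"SHA-1","MD5","Filename","Filesize","ProductCode","OpSystemCode","SpecialCode"\n'
    f'"{SHA}","{H1}","a.dll",100,1,"WIN",""\n'
    f'"{SHA}","{H1}","a.dll",100,2,"WIN",""\n'
    f'"{SHA}","{H2}","b.exe",200,1,"WIN",""\n'
    f'"{SHA}","NOT-A-HASH","c.txt",300,2,"WIN",""\n'
)
NSRLPROD = (
    '"ProductCode","ProductName","ProductVersion","OpSystemCode","MfgCode","Language","ApplicationType"\n'
    '1,"Example Suite","1.0","WIN","M1","English","Utility"\n'
    '2,"Example Tools","2.0","WIN","M1","English","Utility"\n'
)

def rows(text):
    """Yield dict rows keyed by lower-cased heading ('Filename' == 'FileName')."""
    reader = csv.reader(io.StringIO(text))
    header = [h.strip().lower() for h in next(reader)]
    for rec in reader:
        if len(rec) == len(header):  # ignore short or damaged lines
            yield dict(zip(header, rec))

def is_md5(value):
    return len(value) == 32 and all(c in "0123456789abcdef" for c in value)

def build_sets(nsrlfile_text, nsrlprod_text):
    """Return (rows_read, unique_md5_count, {product label: sorted MD5 list})."""
    products = {r["productcode"]: f'{r["productname"]} {r["productversion"]}'
                for r in rows(nsrlprod_text)}
    sets, seen, total = defaultdict(set), set(), 0
    for r in rows(nsrlfile_text):
        total += 1
        md5 = r["md5"].strip().lower()  # normalise case before comparing
        if not is_md5(md5):
            continue  # malformed hash field: counted as a row, never emitted
        seen.add(md5)
        sets[products.get(r["productcode"], "unknown product " + r["productcode"])].add(md5)
    return total, len(seen), {name: sorted(h) for name, h in sets.items()}

if __name__ == "__main__":
    total, unique, sets = build_sets(NSRLFILE, NSRLPROD)
    print(f"{total} rows read, {unique} unique MD5 values")
    print({name: len(hashes) for name, hashes in sets.items()})
```

For a real reference set, pass the contents of the two text files instead of the embedded strings; memory use grows with the number of unique MD5 values held in the sets.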