Announcement

**David (PassMark)** · Jun-21-2011, 06:55 AM

You can look up a file in a hash set from, for example, the "File name search" function. You need to do a search first, but you can search for * for find all files.

Right click on a file, or multiple files, and select lookup in hash set from the right click menu.

For others reading this post, you can set the current hash set from the "Hash sets" window. You can download some example hashsets from this page,
http://www.osforensics.com/download.html

There are some example screen shots.

Right click to check if multiple selected files are in current hash set

Checking files to see if they are in the hash set

Sort search results to group matches

Check single file to see all matches for that file

**chalzirungu** · Sep-06-2011, 12:15 PM

Hashing

I am currently evaluating the Beta version of OSForensic and so far im impressed. I have the following queries:

1. Is there a simpler way to distinguish between the grey and good hashsets results after hashing?

2. The suspect machine i am using for testing has Symatic Endpoint Security Installed, and thus many files in the Quarantine. How comes OSF cannot hash files in the quarantine?

**David (PassMark)** · Sep-06-2011, 08:35 PM

1) The latest beta has actually changed a bit from the screen shots above. There is now an icon that appears if the file is in the hash set. Not sure if this is what you were really asking about however? Can you give an example.

2) Are you doing this on a live machine, or on a disk image. Maybe Symantec is blocking access to the files if this is on a live machine. I am also not sure how files are stored when they are in quarantine. Can you browse them with explorer? Maybe they are renamed, or even encrypted and thus only view-able is Symantec's product?

Announcement

Keylogger Hash use?

Keylogger Hash use?

Comment

Comment

Comment