No announcement yet.

Importing .HASH

  • Filter
  • Time
  • Show
Clear All
new posts

  • Importing .HASH

    I have several hash sets in the .hash format that I need to use with OSForensics. Is it possible to import these sets? They were originally made for EnCase.

    If not, do you know of a converter?


  • #2
    3 formats are supported.

    1) OSF's internal format (which is actually a database file in the open source Firebird format)
    2) NSRL text format for importing.
    3) CSV format for importing for importing. See the help file for details of the CSV fields that are expected.

    I think the EnCase .HASH files are a proprietary file format, with several sub-variants depending on the EnCase version. They also contain a lot less information that what OSF stores. For example I don't think they store the file name of the file.

    According to this post,
    converters have been written to get .HASH files into CSV, but I don't know of any public script.


    • #3
      Thank you for the response.

      I've seen that ForensicFocus thread, but have not yet been able to locate that converter anywhere.


      • #4
        Even if it was possible to get the .HASH file into CSV then I think there would be so much information missing that I am not sure if it would be of much use.

        For example on import we are expecting, among others, these fields,

        Filename The name of the file this hash was taken from.
        MD5 The MD5 hash for this file.
        SHA1 The SHA1 hash for this file.
        SHA256 The SHA256 hash for this file.
        LastUpdate When this hash was last updated
        Size The size of the file that was hashed.
        From what I have read, only MD5 values are in the .HASH files.

        Can you re-make the hash file using OSF?

        Update: OSF version 1.1.1003 and later is happy to import just a list of MD5 values with the other fields left blank. Details are in the OSF help file.


        • #5
          I want to convert several illicit image .HASH files that I did not create myself. For me, the only information of interest is the hash (MD5 or SHA1).


          • #6
            The file format looks pretty simple.
            If you want to send us your hash file, we'll send you back a list of hashes in CSV.