Hash Set

From truxwiki.com

A hash set in Truxton is a sorted list of MD5 hashes that will be used to eliminate file content during exploitation. The hashes can be in a variety of formats.


By maintaining lists of well-known file hashes, you can increase the speed of exploitation by ignoring file contents that will have no investigative value. For example, a Windows computer will contain a file called kernel32.dll, which is an executable file. It comes from Microsoft, so we know its contents won't contain anything of analytic value. If we encounter a file in our exploitation that has the same hash as one that came from Microsoft, we can safely ignore it. Truxton will save the metadata of every file it processes, but if the hash matches one from a hash set, the contents will not be stored. The metadata in the database will tell you if the contents were eliminated.

When using a hash set with Truxton, there is no need to designate a format. It will automatically figure it out.


Truxton supports a variety of formats for a hash set. It will automatically determine the format of the hash set. The minimum length of a hash set is 138 bytes (8 hashes). If you need to use a hash set smaller than 8 hashes, pad your hash set with random values until you reach 8 hashes.


Truxton supports three different textual formats of a hash set. Text hash sets are very easy to produce; any text editor will do.

ASCII No Termination

This consists of 32-character ASCII hashes with nothing separating the entries.



ASCII Single Terminator

This consists of 32-character ASCII hashes with a single byte separating entries. The byte can be of any value, such as a carriage return.



ASCII Double Terminator

This consists of 32-character ASCII hashes with two bytes separating entries. These bytes can be of any value, such as a carriage return line feed pair.




The binary format produces a hash set that is roughly half the size of the text version.

Big Endian High Low

The 128-bit hash is stored as two 64-bit big-endian integers. The most significant integer is written first, followed by the integer containing the least significant 64 bits of the hash.


00 01 02 03 04 05 06 07  08 09 0A 0B 0C 0D 0E 0F
00 11 22 33 44 55 66 77  88 99 AA BB CC DD EE FF

Big Endian Low High

The 128-bit hash is stored as two 64-bit big-endian integers. The least significant integer is written first, followed by the integer containing the most significant 64 bits of the hash.


08 09 0A 0B 0C 0D 0E 0F  00 01 02 03 04 05 06 07
88 99 AA BB CC DD EE FF  00 11 22 33 44 55 66 77

Little Endian High Low

The 128-bit hash is stored as two 64-bit little-endian (Intel) integers. The most significant integer is written first, followed by the integer containing the least significant 64 bits of the hash.


07 06 05 04 03 02 01 00  0F 0E 0D 0C 0B 0A 09 08
77 66 55 44 33 22 11 00  FF EE DD CC BB AA 99 88

Little Endian Low High

The 128-bit hash is stored as two 64-bit little-endian (Intel) integers. The least significant integer is written first, followed by the integer containing the most significant 64 bits of the hash.


0F 0E 0D 0C 0B 0A 09 08  07 06 05 04 03 02 01 00
FF EE DD CC BB AA 99 88  77 66 55 44 33 22 11 00
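
The four binary layouts above, as an added example (not Truxton's own code): a Python sketch that packs an MD5 into each layout and reads it back. The layout names, function names and the sort key (hex order of the hash) are assumptions, and the sample hashes are constructed from the example value shown above.

```python
import struct

# Hypothetical layout names -> (struct byte-order prefix, high 64 bits first?).
LAYOUTS = {
    "big_endian_high_low": (">", True),
    "big_endian_low_high": (">", False),
    "little_endian_high_low": ("<", True),
    "little_endian_low_high": ("<", False),
}

def encode_hash(md5_hex, layout):
    """Pack one 32-character MD5 into the 16 bytes of the given layout."""
    digest = bytes.fromhex(md5_hex)
    if len(digest) != 16:
        raise ValueError("an MD5 hash is 32 hex characters")
    high, low = struct.unpack(">QQ", digest)  # split into two 64-bit halves
    order, high_first = LAYOUTS[layout]
    halves = (high, low) if high_first else (low, high)
    return struct.pack(order + "QQ", *halves)

def decode_hash(entry, layout):
    """Recover the 32-character hex MD5 from one 16-byte entry."""
    order, high_first = LAYOUTS[layout]
    first, second = struct.unpack(order + "QQ", entry)
    high, low = (first, second) if high_first else (second, first)
    return struct.pack(">QQ", high, low).hex()

def build_hash_set(md5_list, layout):
    """Deduplicate, sort (assumed key: hex order) and pack a list of MD5s."""
    hashes = sorted({h.strip().lower() for h in md5_list if h.strip()})
    if len(hashes) < 8:
        raise ValueError("fewer than 8 hashes: pad the set first")
    return b"".join(encode_hash(h, layout) for h in hashes)

def read_hash_set(blob, layout):
    """Split a binary hash set into hex MD5 strings."""
    if len(blob) % 16:
        raise ValueError("length is not a multiple of 16 bytes")
    return [decode_hash(blob[i:i + 16], layout) for i in range(0, len(blob), 16)]

# Constructed sample input: the example hash from this page plus 0..7.
SAMPLE = ["%032x" % (0x00112233445566778899AABBCCDDEEFF + i) for i in range(8)]

if __name__ == "__main__":
    for name in LAYOUTS:
        blob = build_hash_set(SAMPLE, name)
        assert read_hash_set(blob, name) == sorted(SAMPLE)
        print(name, len(blob), "bytes", blob[:16].hex(" "))
```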


Truxton also supports other popular hash set formats.


This format uses eighteen bytes per hash instead of sixteen. Otherwise it is identical to the big endian high low binary format.


Autopsy hash set format is ASCII followed by a pipe character followed by more hex digits.


X-Ways format uses 33 bytes per ASCII hash entry. Otherwise, it is identical to the ASCII single terminator format.