Hash Set

From truxwiki.com

A hash set in Truxton is a sorted list of MD5 hashes that will be used to eliminate file content during exploitation. The hashes can be in a variety of formats.

Description

By maintaining lists of well-known file hashes, you can increase the speed of exploitation by ignoring file contents that will have no investigative value. For example, a Windows computer will contain an executable file called kernel32.dll. It comes from Microsoft, so we know its contents won't contain anything of analytic value. If we encounter a file in our exploitation that has the same hash as one that came from Microsoft, we can safely ignore it. Truxton will save the metadata of every file it processes, but if the hash matches one from a hash set, the contents will not be stored. The metadata in the database will tell you whether the contents were eliminated.

When using a hash set with Truxton, there is no need to designate a format. It will automatically figure it out.

Format

Truxton supports a variety of formats for a hash set. It will automatically determine the format of the hash set. The minimum length of a hash set is 138 bytes (8 hashes). If you need to use a hash set smaller than 8 hashes, pad your hash set with random values until you reach 8 hashes.

Text

Truxton supports three different textual formats of a hash set. Text hash sets are very easy to produce; any text editor will do.

ASCII No Termination

This consists of 32 character ASCII hashes with nothing separating the entries.

Sample

000102030405060708090A0B0C0D0E0F00112233445566778899AABBCCDDEEFF

ASCII Single Terminator

This consists of 32 character ASCII hashes with a single byte separating entries. The byte can be of any value such as a carriage return.

Sample

000102030405060708090A0B0C0D0E0F<CR>
00112233445566778899AABBCCDDEEFF<CR>

ASCII Double Terminator

This consists of 32 character ASCII hashes with two bytes separating entries. These bytes can be of any value such as a carriage return line feed pair.

Sample

000102030405060708090A0B0C0D0E0F<CR><LF>
00112233445566778899AABBCCDDEEFF<CR><LF>

Binary

The binary format produces a hash set that is roughly half the size of the text version.

Big Endian High Low

The 128-bit hash is stored as two 64-bit big endian integers. The most significant integer is written first, followed by the integer containing the least significant 64 bits of the hash.

Sample

00 01 02 03 04 05 06 07  08 09 0A 0B 0C 0D 0E 0F
00 11 22 33 44 55 66 77  88 99 AA BB CC DD EE FF

Big Endian Low High

The 128-bit hash is stored as two 64-bit big endian integers. The least significant integer is written first, followed by the integer containing the most significant 64 bits of the hash.

Sample

08 09 0A 0B 0C 0D 0E 0F  00 01 02 03 04 05 06 07
88 99 AA BB CC DD EE FF  00 11 22 33 44 55 66 77

Little Endian High Low

The 128-bit hash is stored as two 64-bit little endian (Intel) integers. The most significant integer is written first, followed by the integer containing the least significant 64 bits of the hash.

Sample

07 06 05 04 03 02 01 00  0F 0E 0D 0C 0B 0A 09 08
77 66 55 44 33 22 11 00  FF EE DD CC BB AA 99 88

Little Endian Low High

The 128-bit hash is stored as two 64-bit little endian (Intel) integers. The least significant integer is written first, followed by the integer containing the most significant 64 bits of the hash.

Sample

0F 0E 0D 0C 0B 0A 09 08  07 06 05 04 03 02 01 00
FF EE DD CC BB AA 99 88  77 66 55 44 33 22 11 00
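The four binary layouts above, written out and read back with Python's struct module. This is an added example, not Truxton's own code; the layout names and function names are assumptions, and the sample hash is the one from the page's samples.

```python
import hashlib
import struct

# Sample hash from the page's examples, as a 32-character hex string.
SAMPLE_HEX = "000102030405060708090A0B0C0D0E0F"

def split_hash(hex_digest: str) -> tuple:
    """Split a 32-hex-digit MD5 into (high, low) unsigned 64-bit integers."""
    if len(hex_digest) != 32:
        raise ValueError("MD5 hash must be 32 hex digits")
    value = int(hex_digest, 16)
    return value >> 64, value & 0xFFFFFFFFFFFFFFFF

# Layout name (assumed here) -> (struct byte order, order of the two halves).
LAYOUTS = {
    "big_endian_high_low": (">", "high_low"),
    "big_endian_low_high": (">", "low_high"),
    "little_endian_high_low": ("<", "high_low"),
    "little_endian_low_high": ("<", "low_high"),
}

def encode_hash(hex_digest: str, layout: str) -> bytes:
    """Write one hash as two 64-bit integers in the named binary layout."""
    order, halves = LAYOUTS[layout]
    high, low = split_hash(hex_digest)
    first, second = (high, low) if halves == "high_low" else (low, high)
    return struct.pack(order + "QQ", first, second)

def decode_hash(blob: bytes, layout: str) -> str:
    """Inverse of encode_hash: recover the upper-case 32-hex-digit hash."""
    order, halves = LAYOUTS[layout]
    first, second = struct.unpack(order + "QQ", blob)
    high, low = (first, second) if halves == "high_low" else (second, first)
    return f"{(high << 64) | low:032X}"

def write_hash_set(hex_digests, layout: str) -> bytes:
    """Serialize a whole hash set, sorted as the page requires, in one layout."""
    ordered = sorted(h.upper() for h in hex_digests)
    return b"".join(encode_hash(h, layout) for h in ordered)

def load_hash_set(blob: bytes, layout: str) -> set:
    """Read a binary hash set back into a set of upper-case hex strings."""
    return {decode_hash(blob[i:i + 16], layout) for i in range(0, len(blob), 16)}

def content_is_eliminated(data: bytes, known: set) -> bool:
    """True when the content's MD5 is in the hash set, so its bytes need not be stored."""
    return hashlib.md5(data).hexdigest().upper() in known
```

Encoding SAMPLE_HEX in each layout reproduces the byte sequences shown in the four samples above.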

Commercial

Truxton also supports other popular hash set formats.

EnCase

The EnCase format uses eighteen bytes per hash instead of sixteen. Otherwise it is identical to the big endian high low binary format.

Autopsy

The Autopsy hash set format is an ASCII hash followed by a pipe character, followed by more hex digits.

X-Ways

X-Ways format uses 33 bytes per ASCII hash entry. Otherwise, it is identical to the ASCII single terminator format.