Hash Set
A hash set in Truxton is a sorted list of MD5 hashes that will be used to eliminate file content during exploitation. The hashes can be in a variety of formats.
Description
By maintaining lists of well-known file hashes, you can increase the speed of exploitation by ignoring file contents that will have no investigative value.
For example, a Windows computer will contain a file called kernel32.dll, which is an executable file.
It comes from Microsoft, so we know its contents won't contain anything of analytic value.
If we encounter a file in our exploitation that has the same hash as one that came from Microsoft, we can safely ignore it.
Truxton will save the metadata of every file it processes, but if the hash matches one from a hash set, the contents will not be stored.
The metadata in the database will tell you whether the contents were eliminated.
When using a hash set with Truxton, there is no need to designate a format. It will automatically figure it out.
Format
Truxton supports a variety of formats for a hash set. It will automatically determine the format of the hash set. The minimum length of a hash set is 138 bytes (8 hashes). If you need to use a hash set smaller than 8 hashes, pad your hash set with random values until you reach 8 hashes.
Text
Truxton supports three different textual formats of a hash set. Text hash sets are very easy to produce; any text editor will do.
ASCII No Termination
This consists of 32-character ASCII hashes with nothing separating the entries.
Sample
000102030405060708090A0B0C0D0E0F00112233445566778899AABBCCDDEEFF
ASCII Single Terminator
This consists of 32-character ASCII hashes with a single byte separating entries. The byte can be of any value, such as a carriage return.
Sample
000102030405060708090A0B0C0D0E0F<CR>
00112233445566778899AABBCCDDEEFF<CR>
ASCII Double Terminator
This consists of 32-character ASCII hashes with two bytes separating entries. These bytes can be of any value, such as a carriage return line feed pair.
Sample
000102030405060708090A0B0C0D0E0F<CR><LF>
00112233445566778899AABBCCDDEEFF<CR><LF>
Binary
The binary format produces a hash set that is roughly half the size of the text version.
Big Endian High Low
The 128-bit hash is stored as two 64-bit big endian integers. The most significant integer is written first, followed by the integer containing the least significant 64 bits of the hash.
Sample
00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
00 11 22 33 44 55 66 77 88 99 AA BB CC DD EE FF
Big Endian Low High
The 128-bit hash is stored as two 64-bit big endian integers. The least significant integer is written first, followed by the integer containing the most significant 64 bits of the hash.
Sample
08 09 0A 0B 0C 0D 0E 0F 00 01 02 03 04 05 06 07
88 99 AA BB CC DD EE FF 00 11 22 33 44 55 66 77
Little Endian High Low
The 128-bit hash is stored as two 64-bit little endian (Intel) integers. The most significant integer is written first, followed by the integer containing the least significant 64 bits of the hash.
Sample
07 06 05 04 03 02 01 00 0F 0E 0D 0C 0B 0A 09 08
77 66 55 44 33 22 11 00 FF EE DD CC BB AA 99 88
Little Endian Low High
The 128-bit hash is stored as two 64-bit little endian (Intel) integers. The least significant integer is written first, followed by the integer containing the most significant 64 bits of the hash.
Sample
0F 0E 0D 0C 0B 0A 09 08 07 06 05 04 03 02 01 00
FF EE DD CC BB AA 99 88 77 66 55 44 33 22 11 00
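The text and binary layouts above, written out as an added example (not Truxton's own code): it packs a digest into each of the four 64-bit-halves layouts, reproduces the sample bytes shown on this page, and reads a whole hash set back while checking it is sorted. The sort order (digests compared as big endian values) and the terminator handling are assumptions, since the page does not define them.

```python
import struct

# Digest from the page's samples, written most significant byte first.
SAMPLE_HASH = bytes.fromhex("000102030405060708090A0B0C0D0E0F")

# Binary layouts: struct format for the two 64-bit halves, and whether
# the low (least significant) half is written first.
BINARY_LAYOUTS = {
    "big_endian_high_low": (">QQ", False),
    "big_endian_low_high": (">QQ", True),
    "little_endian_high_low": ("<QQ", False),
    "little_endian_low_high": ("<QQ", True),
}

def encode_binary(digest, layout):
    """Pack a 16-byte digest into one of the four 64-bit-halves layouts."""
    fmt, low_first = BINARY_LAYOUTS[layout]
    high, low = int.from_bytes(digest[:8], "big"), int.from_bytes(digest[8:], "big")
    return struct.pack(fmt, low, high) if low_first else struct.pack(fmt, high, low)

def decode_binary(entry, layout):
    """Inverse of encode_binary: recover the digest, most significant byte first."""
    fmt, low_first = BINARY_LAYOUTS[layout]
    a, b = struct.unpack(fmt, entry)
    high, low = (b, a) if low_first else (a, b)
    return high.to_bytes(8, "big") + low.to_bytes(8, "big")

def encode_text(digest, terminator=b""):
    """ASCII layouts: 32 upper-case hex characters plus 0, 1 or 2 terminator bytes."""
    return digest.hex().upper().encode("ascii") + terminator

def build_hash_set(digests, layout, terminator=b""):
    """Write a whole hash set, sorted by digest value (assumed sort order)."""
    if layout == "text":
        return b"".join(encode_text(d, terminator) for d in sorted(digests))
    return b"".join(encode_binary(d, layout) for d in sorted(digests))

def read_hash_set(data, layout, terminator=b""):
    """Split a hash set back into 16-byte digests and verify it is sorted."""
    stride = 32 + len(terminator) if layout == "text" else 16
    if len(data) % stride:
        raise ValueError("hash set length is not a multiple of the entry size")
    if layout == "text":
        entries = [bytes.fromhex(data[i:i + 32].decode("ascii")) for i in range(0, len(data), stride)]
    else:
        entries = [decode_binary(data[i:i + 16], layout) for i in range(0, len(data), stride)]
    if entries != sorted(entries):
        raise ValueError("hash set is not sorted")
    return entries
```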
Commercial
Truxton also supports other popular hash set formats.
Encase
This format uses eighteen bytes per hash instead of sixteen. Otherwise it is identical to the big endian high low binary format.
Autopsy
The Autopsy hash set format is an ASCII hash followed by a pipe character, followed by more hex digits.
X-Ways
X-Ways format uses 33 bytes per ASCII hash entry. Otherwise, it is identical to the ASCII single terminator format.