HashKeeper

HashKeeper is a database application of value primarily to those conducting forensic examinations of computers on a somewhat regular basis.

Overview

HashKeeper uses the MD5 file signature algorithm to establish unique numeric identifiers (hash values) for files "known to be good" and "known to be bad."

The HashKeeper application was developed to reduce the number of hours required to examine seized hard drives. It allows an examiner to examine a file once, a process that, at best, could take half a minute or more, and never repeat that effort throughout a career of examining hard drives.
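The known-good / known-bad lookup described in this overview can be sketched as follows. This is an added example, not HashKeeper's own code or database format; the function names, the in-memory hash sets and the sample files are constructed for illustration.

```python
import hashlib
import os
import tempfile

def md5_of(path, chunk=1 << 20):
    """Stream the file so large evidence files are never loaded whole."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def triage(root, known_good, known_bad):
    """Sort every file under root by its MD5 against the two hash sets.

    Assumption: the sets hold lowercase hex MD5 strings; the page does not
    show HashKeeper's real storage format.
    """
    result = {"known_good": [], "known_bad": [], "unknown": [], "unreadable": []}
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            try:
                digest = md5_of(path)
            except OSError:
                result["unreadable"].append(rel)  # record it, never skip silently
                continue
            if digest in known_bad:      # checked first: a hash on both lists still gets scrutiny
                result["known_bad"].append(rel)
            elif digest in known_good:   # previously examined, no re-examination needed
                result["known_good"].append(rel)
            else:
                result["unknown"].append(rel)  # left for the examiner
    return result

def demo():
    """Constructed sample: three small files standing in for a mounted image."""
    samples = {os.path.join("os", "stock.bin"): b"stock system file",
               os.path.join("docs", "flagged.bin"): b"previously categorized content",
               os.path.join("docs", "new.txt"): b"never seen before"}
    good = {hashlib.md5(b"stock system file").hexdigest()}
    bad = {hashlib.md5(b"previously categorized content").hexdigest()}
    with tempfile.TemporaryDirectory() as root:
        for rel, data in samples.items():
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as f:
                f.write(data)
        return triage(root, good, bad)

if __name__ == "__main__":
    for bucket, paths in demo().items():
        print(bucket, paths)
```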
HashKeeper compares hash values of "known to be good" files against the hash values of files on a seized computer system. Where those values match "known to be good" files, the examiner can say, with statistical certainty, that the corresponding files on the seized system have been previously examined and found to be "good" and therefore do not need to be re-examined, thereby saving 30 seconds of effort. [While the savings of a minute on the examination of a hard drive is insignificant, consider instead the savings of half a minute on 50% of the files on a system that holds 150,000 files.]

Where those values match "known to be bad" files, the examiner can say, again with statistical certainty, that the corresponding files on the seized system are bad and therefore require scrutiny. More importantly, however, the examiner knows that at least one other law enforcement agency in the world has encountered the same files. This may indicate the presence of a network of people sharing these "known to be bad" files, where at least two of the nodes are readily identifiable.

History
Created by the National Drug Intelligence Center (NDIC)—a component of the United States Department of Justice—in 1996, it was the first large-scale source for hash values of "known to be good" and "known to be bad" files. HashKeeper was, and still is, the only community effort based upon the belief that members of state, national, and international law enforcement agencies can be trusted to submit properly categorized hash values. One of the first contributors of "known to be good" hash values was Dan Mares, while he still worked for the Internal Revenue Service (http://www.irs.gov) and afterwards when he was in private practice (www.maresware.com). The first contributor of "known to be bad" hash values was the Luxembourg Police, who contributed hash values of recognized child pornography.

Availability
HashKeeper is available, free-of-charge, to law enforcement, military and other government agencies throughout the world. It is available to the public by sending a Freedom of Information Act request to NDIC.

Source
"HashKeeper Overview", National Drug Intelligence Center.

References
Wikimedia Foundation. 2010.