|
|
(3 intermediate revisions by 2 users not shown) |
Line 1: |
Line 1: |
− | Version 2.09 Man Page
| + | Back to [[Help Documents]] |
| | | |
− | NAME
| |
− | hfind - Lookup a hash value in a hash database
| |
| | | |
− | SYNOPSIS
| + | hfind looks up hash values in a database using a binary search algorithm. This allows one to easily create a hash database and identify if a file is known or not. It works with the NIST National Software Reference Library (NSRL) and the output of ’md5sum’. |
− | hfind [-i db_type ] [-f lookup_file ] [-eq] db_file [hashes]
| + | <br /> |
− | | + | * [http://www.sleuthkit.org/informer/sleuthkit-informer-6.html#hashes Sleuth Kit Informer #6] |
− | DESCRIPTION
| + | * [http://www.sleuthkit.org/sleuthkit/man/hfind.html Automatically Updated man Page] |
− | hfind looks up hash values in a database using a binary search algo-
| + | * Version 4.2 of The Sleuth Kit adds a SQLite database. See documentation for the [[HashDB Schema]] |
− | rithm. This allows one to easily create a hash database and identify
| + | |
− | if a file is known or not. It works with the NIST National Software
| + | |
− | Reference Library (NSRL) and the output of ’md5sum’.
| + | |
− | | + | |
− | Before the database can be used by ’hfind’, an index file must be cre-
| + | |
− | ated with the ’-i’ option.
| + | |
− | | + | |
− | This tool is needed for efficiency. Most text-based databases do not
| + | |
− | have fixed length entries and are sometimes not sorted. The hfind tool
| + | |
− | will create an index file that is sorted and has fixed-length entries.
| + | |
− | This allows for fast lookups using a binary search algorithm instead of
| + | |
− | a linear search such as ’grep’.
| + | |
− | | + | |
− | The options are as follows:
| + | |
− | | + | |
− | -i db_type
| + | |
− | Create an index file for the database. This step must be done
| + | |
− | before a lookup can be performed. The ’db_type’ argument speci-
| + | |
− | fies the database type (i.e. nsrl-md5 or md5sum). See section
| + | |
− | below.
| + | |
− | | + | |
− | -f lookup_file
| + | |
− | Specify the location of a file that contains one hash value per
| + | |
− | line. These hashes will be looked up in the database.
| + | |
− | | + | |
− | -e Extended mode. Additional information besides just the name is
| + | |
− | printed. (Does not apply for all hash database types).
| + | |
− | | + | |
− | -q Quick mode. Instead of displaying the corresponding information
| + | |
− | with the hash, just display 0 if the hash was not found and 1 if
| + | |
− | it was. If this flag is used, then only one hash can be given
| + | |
− | at a time.
| + | |
− | | + | |
− | -V Display version
| + | |
− | | + | |
− | db_file
| + | |
− | The location of the hash database file.
| + | |
− | | + | |
− | [hashes]
| + | |
− | The hashes to lookup. If they are not supplied on the command
| + | |
− | line, STDIN is used. If index files exist for both SHA-1 and
| + | |
− | MD5 hashes, then both types of hashes can be given at runtime.
| + | |
− | | + | |
− | INDEX FILE
| + | |
− | hfind uses an index file to perform a binary search for a hash value.
| + | |
− | This is much faster than using ’grep’, which will do a linear search.
| + | |
− | Before a hash database is used, a corresponding index file must be cre-
| + | |
− | ated. This is done with the ’-i’ option to hfind.
| + | |
− | | + | |
− | The resulting index file will be named based on the database file name.
| + | |
− | The name will have the original name following by the hash type (sha1
| + | |
− | or md5) followed by ’.idx’. For example, creating an MD5 hash index of
| + | |
− | the NIST NSRL results in ’NSRLFile.txt-md5.idx’ and the SHA-1 index
| + | |
− | results in ’NSRLFile.txt-sha1.idx’.
| + | |
− | | + | |
− | The file has two columns. Each entry is sorted by the first column,
| + | |
− | which is the hash value. The second column has the byte offset of the
| + | |
− | corresponding entry in the original file. So, when a hash is found in
| + | |
− | the index, the offset is recorded and then ’hfind’ seeks to the entry
| + | |
− | in the original database.
| + | |
− | | + | |
− | The following input types are valid. For NSRL, ’nsrl-md5’ and ´nsrl-
| + | |
− | sha1’ can be used. The difference is which hash value the index is
| + | |
− | sorted by. The ’md5sum’ value can also be used to sort and index "home
| + | |
− | made" databases. ’hfind’ can take data in both common formats:
| + | |
− | | + | |
− | MD5 (test.txt) = 76b1f4de1522c20b67acc132937cf82e
| + | |
− | | + | |
− | and
| + | |
− | | + | |
− | 76b1f4de1522c20b67acc132937cf82e test.txt
| + | |
− | | + | |
− | EXAMPLES
| + | |
− | To create an MD5 index file for NIST NSRL:
| + | |
− | | + | |
− | # hfind -i nsrl-md5 /usr/local/hash/nsrl/NSRLFile.txt
| + | |
− | | + | |
− | To lookup a value in the NSRL:
| + | |
− | | + | |
− | # hfind /usr/local/hash/nsrl/NSRLFile.txt
| + | |
− | 76b1f4de1522c20b67acc132937cf82e
| + | |
− | | + | |
− | 76b1f4de1522c20b67acc132937cf82e Hash Not Found
| + | |
− | | + | |
− | You can even do both SHA-1 and MD5 if you want:
| + | |
− | | + | |
− | # hfind -i nsrl-sha1 /usr/local/hash/nsrl/NSRLFile.txt
| + | |
− | | + | |
− | # hfind /usr/local/hash/nsrl/NSRLFile.txt
| + | |
− | 76b1f4de1522c20b67acc132937cf82e
| + | |
− | 80001A80B3F1B80076B297CEE8805AAA04E1B5BA
| + | |
− | | + | |
− | 76b1f4de1522c20b67acc132937cf82e Hash Not Found
| + | |
− | | + | |
− | 80001A80B3F1B80076B297CEE8805AAA04E1B5BA thrdcore.cpp
| + | |
− | | + | |
− | To make a database of critical binaries of a trusted system, use
| + | |
− | ’md5sum’:
| + | |
− | | + | |
− | # md5sum /bin/* /sbin/* /usr/bin/* /usr/bin/* /usr/local/bin/*
| + | |
− | /usr/local/sbin/* > system.md5
| + | |
− | | + | |
− | # hfind -i md5sum system.md5
| + | |
− | | + | |
− | To look entries up, the following will work:
| + | |
− | | + | |
− | # hfind system.md5 76b1f4de1522c20b67acc132937cf82e
| + | |
− | | + | |
− | 76b1f4de1522c20b67acc132937cf82e Hash Not Found
| + | |
− | | + | |
− | or
| + | |
− | | + | |
− | # md5sum -q /bin/* | hfind system.md5
| + | |
− | | + | |
− | 928682269cd3edb1acdf9a7f7e606ff2 /bin/bash
| + | |
− | | + | |
− | <...>
| + | |
− | | + | |
− | or
| + | |
− | | + | |
− | # md5sum -q /bin/* > bin.md5
| + | |
− | | + | |
− | # hfind -f bin.md5 system.md5
| + | |
− | | + | |
− | 928682269cd3edb1acdf9a7f7e606ff2 /bin/bash
| + | |
− | | + | |
− | <...>
| + | |
− | | + | |
− | REQUIREMENTS
| + | |
− | hfind needs the UNIX sorter program located in /usr/bin/. The NIST
| + | |
− | National Software Reference Library (NSRL) can be found at
| + | |
− | www.nsrl.nist.gov.
| + | |
− | | + | |
− | LICENSE
| + | |
− | Distributed under the Common Public License, found in the cpl1.0.txt
| + | |
− | file in the The Sleuth Kit licenses directory.
| + | |
− | | + | |
− | HISTORY
| + | |
− | hfind first appeared in TASK v1.60.
| + | |
− | | + | |
− | AUTHOR
| + | |
− | Brian Carrier <carrier@sleuthkit.org>
| + | |