HashKeeper
From Wikipedia, the free encyclopedia
HashKeeper is a database application that is primarily of value to those who conduct forensic examinations of computers on a somewhat regular basis.
Overview
HashKeeper uses the MD5 file signature algorithm to establish unique numeric identifiers (hash values) for files "known to be good" and "known to be bad."
The HashKeeper application was developed to reduce the number of hours required to examine seized hard drives. It allows an examiner to examine a file once, a process that takes at least half a minute even in the best case, and never repeat that effort throughout a career of examining hard drives.
HashKeeper compares hash values of "known to be good" files against the hash values of files on a seized computer system. Where those values match "known to be good" files, the examiner can say, with statistical certainty, that the corresponding files on the seized system have been previously examined and found to be "good" and therefore do not need to be re-examined, thereby saving 30 seconds of effort.[1]
Where those values match "known to be bad" files, the examiner can say, again with statistical certainty, that the corresponding files on the seized system are bad and therefore require scrutiny. More importantly, however, the examiner knows that at least one other law enforcement agency in the world has encountered the same files. This may indicate the presence of a network of people sharing these "known to be bad" files, where at least two of the nodes are readily identifiable.
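The matching described above, as an added example that is not HashKeeper's own code: files in an evidence tree are hashed with MD5 and bucketed against a "known to be good" set and a "known to be bad" set. The hash sets, their format and the sample files are constructed for the example; HashKeeper's actual distribution format is not described on this page.

```python
import hashlib
import tempfile
from pathlib import Path

# Constructed hash sets of lowercase-hex MD5 digests (hypothetical format;
# the real HashKeeper data files are not described on this page).
KNOWN_GOOD = {hashlib.md5(b"standard library file").hexdigest()}
KNOWN_BAD = {hashlib.md5(b"contraband sample").hexdigest()}


def md5_file(path, chunk_size=1 << 20):
    """Hash a file in chunks so large evidence files are never fully loaded."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def classify(digest, known_good=KNOWN_GOOD, known_bad=KNOWN_BAD):
    """Return 'bad', 'good' or 'unknown' for one digest.

    Known-bad is checked first so that a digest submitted to both sets by
    mistake errs toward scrutiny rather than silently dropping out of review.
    MD5 collisions are practical today, so a match is a lead for the
    examiner, not proof on its own.
    """
    if digest in known_bad:
        return "bad"
    if digest in known_good:
        return "good"
    return "unknown"


def triage(root, known_good=KNOWN_GOOD, known_bad=KNOWN_BAD):
    """Walk an evidence tree and bucket every file by its match status."""
    buckets = {"good": [], "bad": [], "unknown": []}
    for path in sorted(Path(root).rglob("*")):
        if path.is_file():
            verdict = classify(md5_file(path), known_good, known_bad)
            buckets[verdict].append(path.name)
    return buckets


def demo():
    """Build a constructed evidence tree in a temp dir and triage it."""
    with tempfile.TemporaryDirectory() as root:
        (Path(root) / "lib.dll").write_bytes(b"standard library file")
        (Path(root) / "img.jpg").write_bytes(b"contraband sample")
        (Path(root) / "notes.txt").write_bytes(b"never seen before")
        return triage(root)
```

Only the "unknown" bucket needs the examiner's manual attention; the "bad" bucket is the set of files that some other contributing agency has already encountered.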
History
Created by the National Drug Intelligence Center (NDIC)—a component of the United States Department of Justice—in 1996, it was the first large scale source for hash values of "known to be good" and "known to be bad" files. HashKeeper was, and still is, the only community effort based upon the belief that members of state, national, and international law enforcement agencies can be trusted to submit properly categorized hash values. One of the first contributors of "known to be good" hash values was Dan Mares while he still worked for the Internal Revenue Service and afterwards when he was in private practice (www.maresware.com). The first contributor of "known to be bad" hash values was the Luxembourg Police who contributed hash values of recognized child pornography.
Availability
HashKeeper is available, free-of-charge, to law enforcement, military and other government agencies throughout the world. It is available to the public by sending a Freedom of Information Act request to NDIC.
Source
HashKeeper Overview, National Drug Intelligence Center.
References
1. While the savings of a minute on the examination of a hard drive is insignificant, consider instead the savings of half a minute on 50% of the files on a system that holds 150,000 files.

