HashR, a tool to create your own hash

The HashR team has announced its first public release. HashR retrieves files from a source and uploads hashes, metadata, and the files’ actual content to a specified data sink. This lets us construct our own hash sets by extracting and hashing the actual files from complex data sources such as physical or cloud disc images, and then use those sets during Blue Team activities. There are numerous hash set providers (for example, NSRL), but shared hash sets have some drawbacks.

They differ in format, contain various metadata, and employ different hashing techniques, making them difficult to use consistently. They are updated infrequently, for example, every few months. By definition they do not include the files’ actual content, which hinders further investigation when a matching hash is found.

HashR takes a different approach to hash sets by allowing you to construct your own hash sets from complex data sources and keep them up to date automatically. It removes the effort of dealing with several data types (for example, disc images) and of maintaining private hash sets. Aside from that, it has the following advantages:

  • It allows us to create private hash sets from internal data without revealing any of the information to the public.
  • Because it is open source, we can see how files are extracted and hashes and information are calculated; it is not a black box solution.
  • We can keep our hash sets up to date because it has lower latency than public hash sets.
  • It can be performed on a schedule to import unprocessed data and upload it to the data sink.

HashR’s modular design allows for the installation of new importers and exporters without affecting core functionality. It currently has importers for the following:

  • Images of GCE Cloud discs
  • ISO images of Windows OS installations
  • Windows operating system update files
  • Archive files ending in .tar.gz

Although this tool was created primarily to assist digital forensic analysts during incident response, it can also assist with the following use cases:

  • This data can be used by digital forensics teams to filter and limit the number of files and events that must be examined during a forensic investigation. It can assist you in displaying all binaries and files that are not included in the base OS image or known updates.
  • Detection teams can suppress specific sorts of warnings and limit the frequency of false positive detections based on the situation.
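The known-file filtering workflow behind the two use cases above, as an added illustration rather than HashR’s own code: a private hash set is built from files extracted out of a base OS image and a known update, each entry keeping its source, path and content (so a match can still be investigated), and the files collected from a disk under investigation are then reduced to those not present in any known source. The sources, file names and contents are constructed sample data, and the `build_hash_set` / `filter_unknown` helpers are hypothetical.

```python
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class HashEntry:
    """One hash-set record: the hash plus the metadata and content HashR retains."""
    sha256: str
    source: str   # which image or update the file was extracted from
    path: str     # path of the file inside that source
    content: bytes  # kept so that a hit can be examined further, unlike public sets


def build_hash_set(source_name: str, files: dict) -> dict:
    """Hash every extracted file of one source; returns sha256 -> [HashEntry]."""
    hash_set: dict = {}
    for path, data in files.items():
        digest = hashlib.sha256(data).hexdigest()
        hash_set.setdefault(digest, []).append(HashEntry(digest, source_name, path, data))
    return hash_set


def merge_hash_sets(*hash_sets: dict) -> dict:
    """Combine per-source sets into one private hash set (hashes may recur across sources)."""
    merged: dict = {}
    for hs in hash_sets:
        for digest, entries in hs.items():
            merged.setdefault(digest, []).extend(entries)
    return merged


def filter_unknown(hash_set: dict, collected: dict) -> tuple:
    """Split files collected from an investigated disk into unknown and known.

    A file is 'known' only if its content hash is in the set; a file that merely
    shares a path with a base-image file but has different content stays unknown.
    Returns (sorted unknown paths, {path: [matching HashEntry, ...]}).
    """
    unknown, known = [], {}
    for path, data in collected.items():
        digest = hashlib.sha256(data).hexdigest()
        if digest in hash_set:
            known[path] = hash_set[digest]
        else:
            unknown.append(path)
    return sorted(unknown), known


# Constructed sample data standing in for files extracted from real sources.
BASE_IMAGE = {"Windows/System32/cmd.exe": b"base cmd", "Windows/System32/kernel32.dll": b"base k32"}
KB_UPDATE = {"Windows/System32/kernel32.dll": b"patched k32"}
COLLECTED = {
    "Windows/System32/cmd.exe": b"base cmd",        # matches the base image
    "Windows/System32/kernel32.dll": b"patched k32",  # matches the known update
    "Windows/Temp/svchost.exe": b"dropped binary",    # not in any known source
    "Windows/System32/ntdll.dll": b"modified ntdll",  # same name idea, unknown content
}

if __name__ == "__main__":
    private_set = merge_hash_sets(build_hash_set("win-base-iso", BASE_IMAGE),
                                  build_hash_set("kb-update", KB_UPDATE))
    unknown, known = filter_unknown(private_set, COLLECTED)
    print("needs review:", unknown)
    print("known:", {p: [e.source for e in es] for p, es in known.items()})
```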
