HashKeeper

HashKeeper is a database application of value primarily to those conducting forensic examinations of computers on a somewhat regular basis.

Overview

HashKeeper uses the MD5 file signature algorithm to establish unique numeric identifiers (hash values) for files "known to be good" and "known to be bad."

The HashKeeper application was developed to reduce the number of hours required to examine seized hard drives. It allows an examiner to examine a file once, a process that, at best, could take half a minute or more, and never repeat that effort throughout a career of examining hard drives.

HashKeeper compares hash values of "known to be good" files against the hash values of files on a seized computer system. Where those values match "known to be good" files, the examiner can say, with statistical certainty, that the corresponding files on the seized system have been previously examined and found to be "good" and therefore do not need to be re-examined, thereby saving 30 seconds of effort. [While the savings of a minute on the examination of a hard drive is insignificant, consider instead the savings of half a minute on 50% of the files on a system that holds 150,000 files.]

Where those values match "known to be bad" files, the examiner can say, again with statistical certainty, that the corresponding files on the seized system are bad and therefore require scrutiny. More importantly, however, the examiner knows that at least one other law enforcement agency in the world has encountered the same files. This may indicate the presence of a network of people sharing these "known to be bad" files, where at least two of the nodes are readily identifiable.

History

Created by the National Drug Intelligence Center (NDIC)—a component of the United States Department of Justice—in 1996, it was the first large-scale source for hash values of "known to be good" and "known to be bad" files. HashKeeper was, and still is, the only community effort based upon the belief that members of state, national, and international law enforcement agencies can be trusted to submit properly categorized hash values. One of the first contributors of "known to be good" hash values was Dan Mares while he still worked for the Internal Revenue Service (http://www.irs.gov) and afterwards when he was in private practice (www.maresware.com). The first contributor of "known to be bad" hash values was the Luxembourg Police, who contributed hash values of recognized child pornography.

Availability

HashKeeper is available, free of charge, to law enforcement, military and other government agencies throughout the world. It is available to the public by sending a Freedom of Information Act request to NDIC.

Source

"HashKeeper Overview", National Drug Intelligence Center.

Wikimedia Foundation. 2010.
