Wednesday, June 5, 2013

EnCase v7 Exported MD5 Values Meet Hash.Cymru.Com

This script takes the MD5 values of files selected in EnCase v7 and compares them against the hash.cymru.com hash database.

Download Here

I select the files I wish to compare within EnCase v7.


Right click --> Entries --> Hash\Sig Selected...


MD5 --> OK


Sometimes there is a refresh issue with EnCase v7 and the hash values are not displayed after hashing completes. Refresh your view by selecting Viewing --> Evidence, then switching back to Entry.
The MD5s should show.



Show-All


Choose Save As from the drop-down arrow on the far right.


MD5 only --> tab delimited --> output file --> OK


Extract the 7z file Hash_Comparison.7z to your desktop or wherever you like.


Start the start.cmd file by double clicking on it.


Enter the path to your export.txt file and press Enter.

The export.txt file will be parsed into the format hash.cymru.com likes.

It will compare all the MD5s and eventually, depending on how many you sent, will display the positive results in detection.txt.

See cymru.com for an explanation of what you're looking at.
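
The parse-and-compare step described above, sketched as an added example; it is not the script from the download, whose contents are not shown on this page. It assumes Team Cymru's whois-style bulk format (`begin`, one hash per line, `end`, with replies of `hash timestamp detection-percent` or `hash NO_DATA`) and that the EnCase export may be UTF-16; all sample data is constructed and nothing is sent over the network.

```python
import re

MD5_RE = re.compile(r"[0-9a-f]{32}")

def decode_export(raw):
    """Decode export bytes; honour a UTF-16 BOM (assumed possible for EnCase exports)."""
    if raw[:2] in (b"\xff\xfe", b"\xfe\xff"):
        return raw.decode("utf-16")
    return raw.decode("utf-8-sig", errors="replace")

def extract_md5s(text):
    """Return unique, lower-cased MD5s found in any tab-delimited column."""
    seen, out = set(), []
    for line in text.splitlines():
        for cell in line.split("\t"):
            value = cell.strip().lower()
            if MD5_RE.fullmatch(value) and value not in seen:
                seen.add(value)
                out.append(value)
    return out

def build_bulk_query(hashes):
    """Bulk request body: 'begin', one hash per line, 'end'."""
    return ("begin\n" + "\n".join(hashes) + "\nend\n").encode("ascii")

def parse_response(text):
    """Map hash -> (last_seen_epoch, detection_percent); NO_DATA and comments are skipped."""
    hits = {}
    for line in text.splitlines():
        parts = line.split()
        if (len(parts) == 3 and MD5_RE.fullmatch(parts[0].lower())
                and parts[1].isdigit() and parts[2].isdigit()):
            hits[parts[0].lower()] = (int(parts[1]), int(parts[2]))
    return hits

# Constructed sample export: header row, row numbers, an unhashed entry, a duplicate.
SAMPLE_EXPORT = (
    "\tMD5\n"
    "1\tD41D8CD98F00B204E9800998ECF8427E\n"
    "2\t0123456789abcdef0123456789abcdef\n"
    "3\t\n"
    "4\td41d8cd98f00b204e9800998ecf8427e\n"
).encode("utf-16")
# Constructed sample reply; the values are illustrative, not real lookups.
SAMPLE_RESPONSE = (
    "# constructed bulk reply\n"
    "d41d8cd98f00b204e9800998ecf8427e NO_DATA\n"
    "0123456789abcdef0123456789abcdef 1370390400 42\n"
)
```

Only lines carrying a timestamp and a detection percentage count as positives, which matches the idea of keeping positive results separate in detection.txt.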