Welcome back, everyone. Today we're going to be talking about hfind, a tool that is part of The Sleuth Kit. hfind is used to index hash databases and then search those databases for particular hashes. That is useful for a lot of different things. For example, we could have a database of known-good or known-bad hashes. Known good might be files we don't necessarily care about, like system files: once we know a file's hash value we can just filter it out so we don't see it. It isn't gone from our case; it's just filtered so that it's not in our way while we're doing the investigation. A known-bad hash database could be something like child exploitation material or a virus. If we have the hash value of data that we know is bad, we can do a quick search across a system, and if we find that hash value we can be pretty confident that we have found the bad file.

So today we're going to be using hfind, which is part of The Sleuth Kit. If you haven't installed The Sleuth Kit already, you'll need to; we're using it from the command line. I am on Ubuntu Linux and I have the command line open. The commands are basically the same on Windows; just the paths will be a little bit different. I already have The Sleuth Kit installed. We can test that with mmls, which is a Sleuth Kit tool, by running it with -V (capital V): it should tell you the Sleuth Kit version you're running, and I'm currently running 4.3.1. The tool we want is hfind, so we can do hfind -V, and it ran: it showed us the Sleuth Kit version.
So that's good; we know it's installed. If we run hfind without any arguments, the first thing it tells us is that we must provide the source hash database location, so we know we need to provide a hash database, which we haven't created yet, and then it gives us the usage menu with all of the arguments hfind takes. Let's talk about a couple of these.

One that I use quite a bit whenever I'm doing matching is quick mode, -q. Normally, when we get a match, hfind prints the hash value and the name of the file that was hashed (if we're using an md5sum list, for example). In quick mode it just prints 1 if the hash is found and 0 if it is not, so if we're trying to script hash matching, quick mode is really useful. -c db_name creates a new database with the given name; we'll talk about that in a second. -a adds the given hashes to the database.
So if you have a hash database and want to add more hashes to it, you can use -a. -f lookup_file takes a file with one hash per line to look up: you can put all of the hashes you want to search for in a separate file, and hfind will go through the entire file and tell you which of those hashes are in the database. -i db_type creates an index file for the given hash database type. I actually use -i the most, because I usually already have a list of hashes that I want to convert into a database, and once I've converted it into a hash database I usually use quick mode to search through it for a set of hashes I have. So basically we use -i to create the index if we already have a list of hashes we want to use, and most of the time we use -q to do the matching.

The supported index types are nsrl-md5, which we'll use today, nsrl-sha1, md5sum, which we'll also do today, encase and hk. The ones I use the most are the first three. I've used the EnCase type before, but not that often; I use different tools for that. So the first three I use quite often.

Let's start by making a list of hashes that we want to convert into a hash database.
I'll use md5sum, the MD5 hashing tool that is included in most versions of Linux, and feed it everything on my desktop: I want to hash all of the files on the desktop and redirect the output to a file; let's call it test.md5. So here I'm hashing all of the files on my desktop and writing the hash values into test.md5. We got some errors about directories (md5sum can't hash a directory), but if we do ls, which lists the files in the current directory, I can see test.md5. Now cat test.md5 shows each MD5 hash value and the file that was hashed; in this case it gave the full path as well.

Now I want to convert this file into a hash database. It's not a lot of hashes, but I want to convert it anyway, so let's clear the screen. We need hfind and the type of database. Looking at the supported index types, the type of list I have right now is md5sum. I want -i, which creates the index file, and the index is basically what lets us search over all of the hashes very quickly. The database type is going to be md5sum, so the command is hfind -i md5sum test.md5. Before I run that, let's look at the directory again: ls shows I just have the hash list. What this command says is: use hfind, create an index for a database of type md5sum, and the hash database itself is test.md5.
When we hit enter it says the index was created, and if we look at the directory we now have test.md5, which is the database, and the index file for the test.md5 hash database. These index files are what let us search very quickly over the hash database. We still need the hash database, because that's where all the hashes actually are, but the index is what hfind uses to find them quickly.

Now let's cat test.md5 and grab one of the hashes; let's say the one for highlights.pdf. I'll copy that MD5, and now we want to use hfind with the test.md5 database to see if this hash value is inside the database. When we search, it gives us the entry in the database back: the hash value plus the full path that was in the original database. If the original database didn't have a full path, or just had a dash or whatever, it would give us that instead. So this one was included in the original database.

Now, instead of a hash beginning 35c, let's change it to 36c. I'm pretty sure there is no hash in the database starting with 36c, so nothing should match. And it shows us the hash followed by "Hash Not Found". So with 35c it was in the database and it gave us the proper file; with 36c, Hash Not Found. You can see that this is useful for a human who can read "Hash Not Found", but it's not very useful if you want to write code. That's where quick mode comes in. Let's go back to the 35c hash, which is in the database, and add -q for quick mode.
So hfind -q test.md5 and then the hash: our indexed database, then the hash we know is in the index, and what we get back is 1. That's very useful, because if we're writing a script that hashes an image or the files in a directory, then if the value returned is 1 the hash matched, so do something with it, and if the value returned is 0 the hash did not match, so do something else with it. If you're used to writing if statements, you can see that 1 and 0 are much handier than "Hash Not Found". So I use -q quite often whenever I'm scripting these things.

So far we've seen: hfind by itself shows the options; hfind -i with the type and the database creates an index for that list of hashes; hfind with the database test.md5 and a hash value shows a match or no match; and hfind -q with the database and a hash prints 1 or 0 for whether the hash was found. Hashing data is quite fast, so this lets us hash things very quickly and then use the results to filter things out or to find things that are very interesting.

That was the md5sum type. Now I'm going to go back. I've downloaded the NSRL from NIST, and the file NSRLFile.txt is basically a database. Let me list just the top portion of NSRLFile.txt with head.
This is a very large database of hashes of files that are known to be not very interesting, files that we can mostly safely ignore. There are some things included, I think hacker tools, but mostly these are things we don't really care about: default files inside operating systems, or files that come with programs. So these tend to be files we can safely filter out or ignore. We don't use this to delete data from our case; we use it to filter it out so we don't see it, and if we need to we can show the files and add them back into the investigation.

Now look at what we have here. First the SHA-1 of the file, then the MD5 hash of the file, then a CRC32, then the file name, file size, product code, OpSystem code and special code. The OpSystem code is the operating system and the product code is whatever product the file came in. For example, these JPEG images apparently came as default images inside some program, so we would have to look up what the OpSystem code and product code refer to. File size is just the file size. Notice that the file name has no file path. CRC32 is just a small checksum. What we're interested in today is MD5, and potentially SHA-1, but mostly MD5, so we'll do MD5 right now.

I'll clear the screen. The index type I want to make is nsrl-md5. If we do ls we see the NSRLFile.txt, and it is a large file; ls -lha lists more details about it, and we can see NSRLFile.txt is 13 gigabytes.
It's a big file with a lot of hashes in it. Remember, we use these to filter out what we don't want to see; they're not really interesting files. So I want to make a database of NSRLFile.txt. We can do hfind -i nsrl-md5, because I'm going to index the MD5 portion of the NSRL file, and then NSRLFile.txt, the database itself. So we have hfind -i to create the index, the index type nsrl-md5, and the actual database NSRLFile.txt. Hit enter and it goes through indexing. I'll let that run; I'm not sure how long it's going to take, and we'll come back when it's done. I skipped ahead, and it took maybe four or five minutes on my system. So it doesn't take a long time to index, but it does take some processing power.

Now let's do head again and grab one of the hash values to see if we can actually find it. This time, instead of -i, I'll use -q, quick mode: hfind -q NSRLFile.txt and then the hash. Hit enter and we get a 1; remember, in quick mode 1 means found. If we change one character of the hash to a b, we get 0, so we know that hash is not in the database.

The NSRL hash list is a very common list that we use in a lot of different tools. One of the next videos I'm going to make is about Autopsy and including a known-good hash database in Autopsy, and this is one of the first steps: we need to create a hash database, and that hash database needs to be indexed.
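The scripting use of quick mode described above (the 1/0 output, and indexing either a self-made md5sum list or NSRLFile.txt with -i) is pulled together here in a small POSIX sh wrapper. This is an added example, not code from the video; it assumes The Sleuth Kit's hfind and coreutils md5sum are on PATH, and the file names and contents in the demonstration are constructed for the example.

```sh
#!/bin/sh
# Added example (not from the video): a small POSIX sh wrapper around hfind
# that scripts the workflow described above. Assumes The Sleuth Kit's hfind
# and coreutils md5sum are on PATH; the database type is a parameter so the
# same functions work for a self-made md5sum list (-i md5sum) and for
# NSRLFile.txt (-i nsrl-md5).

# make_md5_list DIR OUT: hash every regular file under DIR into OUT in
# md5sum format ("<md5>  <path>", one per line) and print the line count.
# Using find avoids the "Is a directory" errors that `md5sum *` produces.
make_md5_list() {
    find "$1" -type f -exec md5sum {} + > "$2"
    wc -l < "$2" | tr -d ' '
}

# index_db TYPE DBFILE: build hfind's index for DBFILE (hfind -i TYPE DBFILE).
# TYPE is one of hfind's index types, e.g. md5sum or nsrl-md5.
index_db() {
    hfind -i "$1" "$2" > /dev/null
}

# quick_lookup DBFILE HASH: hfind -q prints 1 if HASH is in the indexed
# database and 0 if it is not; pass that through unchanged.
quick_lookup() {
    hfind -q "$1" "$2"
}

# filter_known DBFILE LIST: for each "<hash>  <path>" line of an md5sum
# list, print "known <path>" or "unknown <path>". Against a known-good set
# such as NSRL the "unknown" lines are what is left to examine; against a
# known-bad set the "known" lines are the hits.
filter_known() {
    db=$1
    while read -r hash path; do
        if [ "$(quick_lookup "$db" "$hash")" = 1 ]; then
            printf 'known %s\n' "$path"
        else
            printf 'unknown %s\n' "$path"
        fi
    done < "$2"
}

# Demonstration on constructed files (runs only if hfind is installed).
if command -v hfind > /dev/null 2>&1; then
    work=$(mktemp -d)
    mkdir "$work/known" "$work/evidence"
    printf 'shipped with the OS\n' > "$work/known/readme.txt"
    cp "$work/known/readme.txt" "$work/evidence/readme.txt"   # will match
    printf 'something new\n' > "$work/evidence/notes.txt"     # will not
    make_md5_list "$work/known" "$work/known.md5" > /dev/null
    index_db md5sum "$work/known.md5"
    make_md5_list "$work/evidence" "$work/evidence.md5" > /dev/null
    filter_known "$work/known.md5" "$work/evidence.md5"
    rm -rf "$work"
fi
```

To use the same functions against the NSRL set, run index_db nsrl-md5 NSRLFile.txt once (the several-minute step from the video) and then filter_known NSRLFile.txt evidence.md5; nothing else changes, because quick mode prints the same 1 or 0 whatever the database type is.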
So that's it for using hfind from the command line. Thank you very much. If you liked this video, please subscribe for more.