Welcome back everyone. Today we're going to be talking about hfind, which is a tool that's part of the Sleuth Kit toolkit. So hfind is used to basically make or index hash databases and then be able to search those hash databases for different hashes. That's useful for a lot of different things. For example, we could have a database of either known good or known bad hashes. So let's say known good, or maybe files we don't necessarily care about, like a system file. Once we know its hash value, then we can just kind of filter it out so we can't see it. It's not necessarily gone from our case, but we just filter it so it's not in our way while we're doing our investigation. Known bad hash databases could be something like child exploitation or a virus or something like that. If we have the hash value of known data, or data that we know is bad, then we can just do a quick search across a system, and if we find that hash value, then we know we found, or we're pretty confident we found, the bad file basically.

So today we're going to be using hfind, which is part of the Sleuth Kit. Now, if you haven't installed the Sleuth Kit already, we're using the Sleuth Kit from the command line. I am on Ubuntu Linux and I have the Ubuntu Linux command line open. The commands are basically the same in Windows; it's just the paths will be a little bit different. Okay. So I already have the Sleuth Kit installed. We can test it by doing something like mmls, which is a Sleuth Kit tool, and then doing -V, and then it should tell you the Sleuth Kit version that you're running. I'm currently running 4.3.1. Okay. So the tool that we want is called hfind. So we can do hfind -V, and we know it ran because it showed us the Sleuth Kit version. So that's good, we know that it's installed. And if we just do hfind without any arguments, we can find, well, first off, you must provide the source hash database location.
So we know we need to provide a source hash database location, which we haven't created yet. And then basically it gives us the usage menu. So hfind, all of the different arguments it takes. So let's talk about a couple of these. Right. So one that I use quite a bit whenever I'm doing matching is quick mode. So instead of, whenever we match, you'll see that it actually prints out the hash value and whatever the name was of the file that was hashed, if we're using an MD5 hash, for example. Quick mode will just print out a one if it's found or a zero if it's not found. So if we're trying to script matching hashes, quick mode is actually really, really useful for scripting these hash matches. -c db_name, it's to create a new database with the given name; we'll talk about that in a second. And then -a, given hash, adds given hashes to the database. So if you have a hash database and you want to add more hashes to the database, you can use -a. -f is the lookup file: a file with one hash per line to look up, so you can put all of the hashes you want to search for in the database in a separate file, and then hfind will go through the entire file and tell you which hashes are actually already in the database. And then -i, the database type, can create an index file for the given hash database type. Now, I actually use -i database type the most, because I usually already have a list of hashes that I want to convert into a database. And then once I convert that into a hash database, I usually want to use quick mode to be able to search through the hash database for a set of given hashes that I have. So, yeah, basically we use -i to create the index if we already have a list of hashes we want to use, and then most of the time we use -q to do matching essentially. Okay, supported index types: nsrl-md5.
So we're going to use nsrl-md5 today; nsrl-sha1; md5sum, which we'll also do today; and then encase and hk. So basically the ones that I use the most are the first three. I have used encase before, but I don't use it that often, or I use different tools. So basically these first three I use quite often.

Okay, so let's start by making a list of hashes that we want to convert into a hash database, right? So I will just do md5sum, which is an MD5 hashing tool that's built into, or that's included in, most versions of Linux. And then I'm just going to feed it everything on my desktop. So all of the files on the desktop, I want to hash them, and then I want to output that to, let's call it, test.md5. Okay, so here I'm creating a hash of all of the files on my desktop right now, and I'm piping all of those hash values into a file called test.md5. So if we do that, okay, we got some directory errors. But if we do ls, right, ls lists all of the files in the current directory, and I can see my test.md5. So now I can do cat test.md5, and I see my MD5 hash value and then the file that was hashed. And in this case, it gave the full path as well. Okay, so now I want to convert this test.md5 file into the hash database. Now it's not a lot of hashes, but I want to convert this into the hash database. So let's clear this out. Now we need to do hfind and the type of, well, let's just look at it. So the type here, the supported index types: the type of database, or the type of list of files that I have right now, is md5sum. Okay, so right now I want to do -i, which is create an index file. And this index file is basically what helps us search over all of the hashes very quickly. So I want to create this index file, and the db type is going to be md5sum. So I can do hfind -i md5sum.
Before I do that, let's look at the directory again. So ls, I just have the hash list. Okay, so I can do hfind -i md5sum, and then test.md5. Now what this is saying is: use hfind, create an index out of an md5sum hash database type, basically, and then the hash database itself. What is the hash database? test.md5. Okay, so if we hit enter, then it says index created. And if we look, now we have test.md5, and this is the database, and then we have essentially the index files for this test.md5 hash database. So basically, these index files are what help us search very, very quickly over the hash database. We still need the hash database, because that's where all the hashes actually are, but the index file is what helps us to search very quickly. It's what hfind uses.

So now let's say I do cat test.md5. So let's get one of these hashes; I want, let's say, highlights PDF. Okay, so I'm going to select this highlights PDF MD5 and copy it. So now we want to match: we want to use hfind with the test.md5 database, and I want to see if this hash value for highlights is inside the database. So if we search, yeah, okay, it gives us the entry in the database back. So it gave us the hash value plus the full path that was in the original database. If the full path wasn't in the original database, or it was just a dash or whatever, it would give us that information as well. So this was included in the original database. Okay, so now let's see, instead of saying 35c, let's say 36c, and there is no hash in the database at 36c, I'm pretty sure. So we shouldn't get anything; nothing should come out. Okay, so hash not found, right? So it shows us the hash 36c, hash not found. So we've changed it: 35c, it was in the database, it gives us the proper file, and then 36c, hash not found.
Now you can see that this is useful for, you know, a human that can actually read "hash not found", but it's not very useful if you want to write code. So that's where this quick mode comes in. So let's go back. So if I do hfind 35c again, and this is in the database, and I want to do quick mode, I want to do -q. I think it was -q, right? So hfind -q test.md5, which is our database that we've indexed, and then the hash that we know is in the index, and what we should get is one. Okay. Now, that's very useful, because if we're writing a script that's maybe hashing an image or hashing some files in a directory, then if the value returned is one, the hash matched, so do something with it. If the value that is returned is zero, the hash did not match, so do something else with it. So if you're used to writing if statements, I think you can see that one and zero is much more handy than, you know, "hash not found" or whatever. So I use -q quite often whenever I'm trying to script these things.

Okay. So so far, we've basically done hfind, and if we just type it, it shows us some options. If you do hfind -i, and then the database, sorry, the type, and then the database, then this will create an index for that database; it will create an index for that list of hashes that you have. If you do hfind, and then the database test.md5, and then the hash value that you want to find, then it will show you a match or not a match. If you do hfind -q test.md5 with a hash, then it will tell you, basically a one or zero, was the hash found or was the hash not found in the database. Okay. So that lets us very quickly, I mean, you can hash data really, really fast, or quite fast. So this lets us hash things very quickly, and then use this to be able to filter things out or find things that are very interesting. Okay.
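As an added example (not code from the video), here is the scripting pattern just described in Python: hash every file under a directory and sort it into "known" (hash is in the database, so it can be filtered out) or "unknown", driven by hfind's quick-mode 1/0 answer. `hfind_quick_lookup` shells out to `hfind -q` against an already-indexed database such as test.md5; the lookup is passed in as a function so the same filtering code can also be exercised on a constructed sample directory without hfind installed. The file names and sample contents are made up for the demo.

```python
"""Filter files against an hfind-indexed hash database using quick mode (-q). Added example, not the video's code."""
import hashlib
import subprocess
import tempfile
from pathlib import Path
from typing import Callable, Dict, List, Tuple


def md5_of_file(path: Path) -> str:
    """MD5 of a file, read in chunks so large evidence files are not loaded into memory at once."""
    digest = hashlib.md5()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def hfind_quick_lookup(db_file: Path) -> Callable[[str], bool]:
    """Build a lookup that runs `hfind -q <db_file> <hash>`; db_file must already be indexed with -i."""
    def lookup(digest: str) -> bool:
        # Only the printed "1"/"0" is used; the exit status is deliberately not relied upon.
        proc = subprocess.run(["hfind", "-q", str(db_file), digest],
                              capture_output=True, text=True, check=False)
        return proc.stdout.strip() == "1"
    return lookup


def partition_files(root: Path, lookup: Callable[[str], bool]) -> Dict[str, List[Path]]:
    """Split files under root into 'known' (hash in the database) and 'unknown' (worth a look)."""
    result: Dict[str, List[Path]] = {"known": [], "unknown": []}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        bucket = "known" if lookup(md5_of_file(path)) else "unknown"
        result[bucket].append(path)
    return result


def make_sample_dir() -> Tuple[Path, str]:
    """Constructed sample: two files; returns the directory and the MD5 of the 'known' one."""
    root = Path(tempfile.mkdtemp(prefix="hfind_demo_"))
    (root / "system.dll").write_bytes(b"constructed known-good file contents\n")
    (root / "notes.txt").write_bytes(b"constructed user document, not in any database\n")
    return root, md5_of_file(root / "system.dll")


if __name__ == "__main__":
    # Real use against an indexed database: lookup = hfind_quick_lookup(Path("test.md5"))
    sample_root, known_digest = make_sample_dir()
    buckets = partition_files(sample_root, lambda d: d == known_digest)
    print({name: [p.name for p in paths] for name, paths in buckets.items()})
```

Swap the lambda for `hfind_quick_lookup(Path("test.md5"))` to run the same partition against the database built in the video.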
So that was using md5sum. Now I'm going to go back. I've downloaded the NSRL from NIST, and this is basically a database; it's this NSRLFile.txt. Let's see if I can just do file. So I'm listing just the top portion of the NSRLFile.txt. This is a very, very, very large database of hashes of files that are known to basically not be very interesting, files that we can mostly safely ignore. There are some things like, I think, hacker tools that are included, but mostly these are things that we don't really care about, that are kind of like default files inside operating systems, or, you know, come with programs or whatever. So these tend to be files that we can safely filter out or safely ignore. Now we don't necessarily use this to delete data from our case; we use it to filter it out so we don't see it, but then we could, if we need to, show the files and add them back into our investigation.

Now look at what we have here. We have first off the SHA-1 of the file, we have an MD5 hash of the file, we have CRC32, we have the file name, file size, product code, op system code and special code. So basically the op system code is for the operating system, and the product code is whatever product the file came in. So for example, these JPEG images apparently came in some program; they were default images inside a program, so they were, you know, included. So we would have to look up what the op system code and product code is here. The file size is just the file size. File name, we can see; notice there's no file path. CRC32 is just basically a small check. And then what we're interested in today is MD5 and potentially SHA-1, but basically MD5, so we'll do MD5 right now. So I'm going to clear this out, and let's do hfind again, and I have basically nsrl-md5; that's the database that I want to make, or that's the index that I want to make. So
if we do ls, I have this NSRLFile.txt, and it is a large file. Let's do ls -lha to list some more details about the file. So if we look at the NSRL file, we can see that it's 13 gigabytes, right? It's a big file with a lot of hashes in it. Remember we use these to kind of filter out what we don't want to see; they're not really interesting files. So I want to make a database of this NSRLFile.txt, so we can do hfind -i nsrl-md5, because I'm going to index the MD5 portion of this NSRL file. Okay, then we type NSRLFile.txt; we actually give it the database. So here we have hfind -i to create the index, the index type is nsrl-md5, and then the actual database is NSRLFile.txt. Okay, so now we can hit enter, and it's going through and indexing, and I'll let that run. I'm not sure how long it's going to take, but we'll come back whenever it's done.

Okay, so that index, I mean, I skipped ahead, but it took about, I would say, maybe four or five minutes on my system. So yeah, I mean, it doesn't take a long time to index, but it does take some, I'd say, power I guess. So let's see, let's go back and do head. So now if I search, let me grab this hash value. So I'm just taking one of the hash values to see if we can actually find it. So now we can do hfind; instead of -i I'm going to do -q, so kind of quick mode, right? So let me clear this out. So hfind -q, and then the database is NSRLFile.txt, and then the hash that I want to find is this one. Okay, so if I hit enter, okay, we got a one. Remember this is quick mode, so it's going to be one if found. If we change this to b: zero. Okay, so we know that the hash with a b is not in the database. Okay, so this is a way... the NSRL hash list is a very, very common list that we use in a lot of different tools. One of the next videos I'm going to make is about Autopsy and including a hash database, a known good hash database, in Autopsy, and this is one of the first steps: we
need to create an index. We need to create, sorry, a hash database, and that hash database needs to be indexed. So that's it for using hfind from the command line. Thank you very much.