Welcome back everyone. Today I'm going to talk about how to use hfind, part of The Sleuth Kit utilities, to search quickly through a list of hashes that are already in a file. In this scenario we already have a database that has been indexed by hfind, and we have a text file that contains a list of hashes, and we want to check all of those hashes at the same time.

The first thing I need to do is open up a command line in Windows and go to the desktop. There are a couple of different files on the desktop, and I'm going to hash all of them just so we have something to put in our hash database. I'm going to use md5sum, which I have installed from Coreutils for Windows; there's another video about how to install Coreutils if you want basic Linux commands in Windows. So: md5sum *, which hashes all of the files on the desktop, and I'm going to save the output to a file called hashes.md5. Hit enter, and one of the entries said permission denied. Now I'll use another Coreutils utility called cat, which just shows me what's inside the file we just created. If I do cat hashes.md5, I can see all of the hashes that I just created: each line has the MD5 hash value plus the file name. This is what we'll call our known database.

What I want to do now is create an index of the database so I can use it with hfind. If I type hfind -V I can see the version, and hfind by itself shows the help. To create an index I need to use the -i switch and give it the DB type. The DB types are listed in the help: supported index types include nsrl-md5 and nsrl-sha1 (for the NSRL known-hash database), md5sum, encase, and hk. Mine is obviously md5sum, since it's an md5sum hash database that we have.
So that's the format. I need to give it -i, the DB type md5sum, and it will create an index file for the given hash database. Let's run that: hfind -i md5sum hashes.md5. Here hfind is the command, the -i switch says to index, md5sum is the type of database, and hashes.md5 is the file with all of the hashes. I hit enter and the index is created. If I look on the desktop, next to my original hash database of known hashes I now have an md5.idx file and an md5.idx2 file; those two index files are what hfind created. The index files are used to do faster, more efficient lookups over all of the hashes, so indexing greatly speeds up hash searching. In our case we only have a few more than six hashes in our file, so we could search quickly anyway, but if you have millions of hashes the index is mandatory if you want to search fast enough.

Now let me copy the Rufus hash value that we created before and test whether that hash is in our database. I can run hfind, give it the database, hashes.md5, and then the hash value that I want to check: hfind hashes.md5 <hash>. If I hit enter, it printed the hash in capitals and gave me back the name of the file that this hash corresponds to. That is a match. Another way to do it is quick mode, where 1 is printed if the hash is found and 0 otherwise; I tend to use quick mode. So the same command with -q, hfind -q hashes.md5 <hash>, should print a 1, because the hash should be found.
Here we ran it with quick mode and we just get a 1, so the hash was found in the database. Now we can do a quick check to make sure that the program is actually working correctly: instead of 937 I'm going to delete the 7 and put in a 6, so the hash has changed, not by much, but it has changed. Let me search again in normal mode first: it says hash not found, which is right, because that hash is not in our database. And if we do quick mode with the bad hash, -q, we get a 0. I tend to use -q when I'm scripting; actually, I tend to use -q all the time. I would rarely search for a message like "hash not found" unless I was just searching for one hash individually.

So that's how we can index and search. But the goal here is to look up a list of hashes. I have another file that I've created called suspect.md5sum with a couple of different files in it: some are in our hash database, some are not, but I want to check all of these hash values. This file has one MD5 hash on each line; it's just a normal text file with one hash per line. Let's check the hfind help again: we can give it the -f switch and a lookup file, and the file should have one hash per line to look up. The tricky part is the order of the arguments. Before, I gave it the database and then the hash I was interested in, but notice in the usage line that -f comes before the database file, so I have to put the lookup file before the database file. Let's go ahead and try to run this.
So hfind, then -f because I'm going to feed it a file of hashes, then my lookup file suspect.md5sum, and then the database name, hashes.md5: hfind -f suspect.md5sum hashes.md5. Here we have the hfind command, the -f switch, the file that contains the list of hashes with one hash per line, and then hashes.md5, our hash database that we're comparing everything against. If I hit enter it crashes at the end, and I'll talk about that in a second, but first look at the results. A couple of hashes were found: desktop.ini, which was on our desktop, and howlemnextcb2, so the two top hashes were found. Then there's one file that was not found, then a few more that were found, then another that was not found and another that was. As you can probably guess, I kept all of the same files and just changed one digit in some of the hashes; once I change a digit the hash no longer matches, so it's not found. So this demonstrates how you can take a single file with all of the hashes you're interested in, feed it to hfind, and it will compare each hash in that file against the database.

Now, whenever I run this, and I'll run it again, you'll notice that hfind stops working. The strangest thing I've found about Windows is that whenever you're dealing with text files, Windows will sometimes insert some strange characters. Here I'm using Notepad to at least display the file, but do not use Notepad to write the list. I recommend a programmer's editor like atom.io or Notepad++, some tool that will not add extra characters. Atom for Windows, for example, can be downloaded for free, and it will not add the extra Windows-specific characters.
The biggest problem I have with Windows text files is that Windows tends to add special characters, or use different encodings, quite a bit. So the reason hfind is crashing here is, I think, that Notepad added a special character at the end, so hfind doesn't know where the input ends, or just crashes on that input. Be aware of this with text files on Windows: always use a programmer's editor so it doesn't add extra characters.

So that's pretty much it. Make a list of all of the hashes you want to search, and you can also dump another list of files that you need to check against the original database for later searching. Later I'll also talk about how to create a database with hfind and add additional hashes to it, but I'll cover that another time. For now I wanted to focus on having a lookup file with one hash on each line and doing a lookup against your database. That's it for today. Thank you very much.
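As an added example that is not part of the video, here is a small POSIX shell script around the same workflow: it builds the known database with md5sum as above, cleans a lookup file before hfind ever sees it (stripping the carriage returns and the byte-order mark that Notepad on Windows can write, which is the usual source of the invisible extra characters described above), and cross-checks which hashes are known without hfind so you can confirm hfind's answers on a small set. The function names, the sample files and the sample hashes are mine and constructed for the demo; the only hfind commands in it are the ones used above (hfind -i md5sum and hfind -f, with -f before the database file), and they run only when hfind is on PATH. It runs under a POSIX shell with Coreutils on Windows or on any Linux box.

```shell
#!/bin/sh
# Added example (not the video's own code): clean a lookup file for hfind -f
# and cross-check the result. Needs only POSIX sh plus tr, sed, grep, find,
# sort and md5sum. Assumes the db file is md5sum output ("<hash>  <name>")
# and the lookup file is one MD5 per line. All function names are mine.
set -eu

# Strip what a Windows editor adds and keep only well-formed hashes:
#   - a UTF-8 byte-order mark at the start of the file
#   - the CR of CRLF line endings
#   - surrounding whitespace, blank lines, anything after the hash
# Hashes are lowercased to match md5sum's own output. Lines that are not
# exactly 32 hex characters go to stderr and are dropped rather than handed
# to hfind. Usage: clean_lookup_file SUSPECT_FILE > CLEAN_FILE
clean_lookup_file() {
    bom=$(printf '\357\273\277')
    tr -d '\r' < "$1" |
        sed -e "1s/^$bom//" \
            -e 's/^[[:space:]]*//' \
            -e 's/[[:space:]].*$//' |
        tr 'A-F' 'a-f' |
        grep -v '^$' |
        while IFS= read -r h; do
            case "$h" in
                *[!0-9a-f]*) printf 'rejected (not hex): %s\n' "$h" >&2 ;;
                *) if [ "${#h}" -eq 32 ]; then
                       printf '%s\n' "$h"
                   else
                       printf 'rejected (length %s): %s\n' "${#h}" "$h" >&2
                   fi ;;
            esac
        done
}

# Build the "known" database like the video (md5sum over a folder), but only
# over regular files so directories do not produce error lines.
# Usage: build_known_db DIR > hashes.md5
build_known_db() {
    ( cd "$1" && find . -type f -exec md5sum {} + | sort -k 2 )
}

# Pure-shell equivalent of "hfind -f CLEAN_FILE hashes.md5": for each hash on
# stdin print "<hash>\tfound\t<name>" or "<hash>\tnot found". It scans the db
# once per hash, so it is a cross-check for small sets, not a replacement for
# hfind's index. Input must already be cleaned (hex only, so no regex chars).
# Usage: lookup_status hashes.md5 < CLEAN_FILE
lookup_status() {
    while IFS= read -r h; do
        name=$(grep -i "^$h[ *]" "$1" | sed 's/^[0-9A-Fa-f]*[ *]*//' | head -n 1)
        if [ -n "$name" ]; then
            printf '%s\tfound\t%s\n' "$h" "$name"
        else
            printf '%s\tnot found\n' "$h"
        fi
    done
}

# The hfind calls from the video, with the lookup file cleaned first.
# Note the argument order: -f LOOKUP comes before the database file.
# Usage: hfind_lookup hashes.md5 suspect.md5sum
hfind_lookup() {
    command -v hfind >/dev/null 2>&1 || { echo 'hfind not on PATH, skipping' >&2; return 0; }
    clean=$(mktemp)
    clean_lookup_file "$2" > "$clean"
    hfind -i md5sum "$1"          # (re)build the index; cheap for a small db
    hfind -f "$clean" "$1"
    rm -f "$clean"
}

# Stand-alone demo on constructed files: sh this_script.sh demo
if [ "${1-}" = demo ]; then
    tmp=$(mktemp -d)
    mkdir "$tmp/desktop"
    : > "$tmp/desktop/empty.txt"
    printf 'The quick brown fox jumps over the lazy dog' > "$tmp/desktop/fox.txt"
    build_known_db "$tmp/desktop" > "$tmp/hashes.md5"
    # A lookup file as Notepad might save it: BOM, CRLF, upper case, junk line,
    # and one hash with its last digit changed like the 7 -> 6 edit above.
    {
        printf '\357\273\277'
        printf 'D41D8CD98F00B204E9800998ECF8427E\r\n'
        printf 'not-a-hash\r\n'
        printf 'd41d8cd98f00b204e9800998ecf8427f\r\n'
    } > "$tmp/suspect.md5sum"
    clean_lookup_file "$tmp/suspect.md5sum" > "$tmp/clean.txt"
    lookup_status "$tmp/hashes.md5" < "$tmp/clean.txt"
    hfind_lookup "$tmp/hashes.md5" "$tmp/suspect.md5sum"
    rm -rf "$tmp"
fi
```

The practical point is the rejected-lines report: a hash that Notepad saved with a trailing carriage return is 33 characters rather than 32, and neither that nor a byte-order mark is visible in the editor, so validating the lookup file before the lookup is far cheaper than debugging a crash afterwards. The pure-shell lookup is a linear scan and is only for cross-checking a handful of hashes; anything NSRL-sized needs hfind's index.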