Hash sets


New Member
Jan 14, 2007

I've been playing with the NSRL hashsets in EnCase and finally am comfortable enough to actually filter things out. I was wondering if anyone else used any other hashsets that they liked when doing a case. I've seen other lists, but I have yet to venture off researching them. Just thought I would get anyone's opinion on what they use.




Jan 2, 2006
Hi WO,

FTK also has a set, partly filled with NSRL items. We use that combined with case specific set we create ourselves. I know LE people have access to hash sets related to CP material, but unless you are LE you normally won't get them.

We also make our own hash sets, this is part because you run into country specific issues (NSRL is mostly based on english software). And internally we always like to discuss if we should "trust" foreign made hash sets. Do you really know what you are filtering out if the source of the hashset cannot be validated? But that's open for debate ;)



New Member
Jan 14, 2007
Creating my own hash sets might be the way to go in the future, especially in certain environments. I have been reading a lot about hash values, and since I deal with TBs of information on a monthly basis, filtering down information has become my top priority. I've liked some of the ideas I have read about, especially since I use to do IT support and knew we always had a goodies bag for all of our new machines that we rolled out software to. Getting access to those, hashing them, and culling them out of my data at the end of the day would help a lot and save my clients time trying to *manually* determine what files they want examined and those which they deam irrelevant.

As for the CP stuff, hope I don't have to deal with that any time soon. While I like this field, I don't think I could work with that stuff on a daily basis - it would just be too un-nerving. Luckily I haven't run against any yet.

The debate on trusting a source is always fun, but at some point, lines have to be drawn. For me, it would be impracticle to comb through and generate all the hash values myself, verifying them all. I know that is not what you do, and that you are doing it for non-english based products, but at this point, unless I get more guys, there is no way I could take on that kind of task and have simply resolved to keeping updated on what the current industry trend is.

In any case, back to research. Thanks for the reply.


About us

  • Our community began in 2004. Since this time, we have grown to have over 29,000+ members within the DFIR & Cyber Security community.

    We are happy to announce that this forum is now under new ownership with the goal to once again become the main Digital Forensics Forum on the internet for DFIR, OSINT and Cyber Security.

    If you can think of ways to help us improve, please let us know.

    We pride ourselves on offering unbiased, critical discussion among people of all different backgrounds.

    We are working every day to make sure our community is one of the best.

Quick Navigation

User Menu