HashKeeper
HashKeeper is a database application of value primarily to those conducting forensic examinations of computers on a somewhat regular basis.

Overview

HashKeeper uses the MD5 file signature algorithm to establish unique numeric identifiers (hash values) for files "known to be good" and "known to be bad."

The HashKeeper application was developed to reduce the amount of time required to examine seized (confiscated) hard drives. It allows an examiner to examine a file once, a process that, at best, could take half a minute or more, and never repeat that effort throughout a career of examining hard drives.

HashKeeper compares hash values of "known to be good" files against the hash values of files on a seized computer system. Where those values match "known to be good" files, the examiner can say, with statistical certainty, that the corresponding files on the seized system have been previously examined and found to be "good" and therefore do not need to be re-examined.

Where those values match "known to be bad" files, the examiner can say, again with statistical certainty, that the corresponding files on the seized system are bad and therefore require scrutiny. More importantly, however, the examiner knows that at least one other law enforcement agency in the world has encountered the same files. This may indicate the presence of a network of people sharing these "known to be bad" files, where at least two of the nodes are readily identifiable.
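
The comparison described above can be sketched as follows. This is an added example, not HashKeeper's own code or hash-set format; the file names, file contents and the two hash sets are constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path

def md5_file(path, chunk_size=1 << 20):
    """Stream the file so large evidence files never load fully into memory."""
    digest = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()

def triage(root, known_good, known_bad):
    """Sort every regular file under root into good / bad / unknown by MD5."""
    result = {"good": [], "bad": [], "unknown": []}
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file() or path.is_symlink():
            continue  # skip directories and links; only file content is hashed
        h = md5_file(path)
        # Check the bad set first: a hash listed in both sets must never be skipped.
        if h in known_bad:
            bucket = "bad"
        elif h in known_good:
            bucket = "good"
        else:
            bucket = "unknown"  # not seen before: still needs an examiner
        result[bucket].append((path.relative_to(root).as_posix(), h))
    return result

def demo():
    """Constructed sample tree: one file for each category."""
    good_bytes = b"constructed stand-in for an unmodified OS file\n"
    bad_bytes = b"constructed stand-in for a previously categorized file\n"
    known_good = {hashlib.md5(good_bytes).hexdigest()}
    known_bad = {hashlib.md5(bad_bytes).hexdigest()}
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "system").mkdir()
        (root / "system" / "kernel.dll").write_bytes(good_bytes)
        # The match is on content, so renaming a file does not hide it.
        (root / "renamed_holiday.jpg").write_bytes(bad_bytes)
        (root / "notes.txt").write_bytes(b"never seen before\n")
        return triage(root, known_good, known_bad)

if __name__ == "__main__":
    for bucket, files in demo().items():
        for name, h in files:
            print(f"{bucket:8} {h}  {name}")
```

Only the "unknown" bucket is left for manual examination. MD5 collisions can be constructed deliberately, so a hash set that also records SHA-1 or SHA-256 gives a stronger match than MD5 alone.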

History

Created by the National Drug Intelligence Center (NDIC)—a component of the United States Department of Justice—in 1996, it was the first large-scale source for hash values of "known to be good" and "known to be bad" files. HashKeeper was, and still is, the only community effort based upon the belief that members of state, national, and international law enforcement agencies can be trusted to submit properly categorized hash values. One of the first community sources of "known to be good" hash values was the Internal Revenue Service (IRS). The first source of "known to be bad" hash values was the Luxembourg Police, who contributed hash values of recognized child pornography.

Availability

HashKeeper is available, free of charge, to law enforcement, military and other government agencies throughout the world. It is available to the public by sending a Freedom of Information Act request to NDIC.

Source

HashKeeper Overview, National Drug Intelligence Center.
The source of this article is Wikipedia, the free encyclopedia. The text of this article is licensed under the GFDL.