HashKeeper is a database application of value primarily to those conducting forensic examinations of computers on a somewhat regular basis.
HashKeeper uses the MD5 file signature algorithm to establish unique numeric identifiers (hash values) for files "known to be good" and "known to be bad."
The HashKeeper application was developed to reduce the amount of time required to examine seized (confiscated) hard drives. It allows an examiner to examine a file once, a process that, at best, could take half a minute or more, and never repeat that effort throughout a career of examining hard drives.
HashKeeper compares hash values of "known to be good" files against the hash values of files on a seized computer system. Where those values match "known to be good" files, the examiner can say, with statistical certainty, that the corresponding files on the seized system have been previously examined and found to be "good" and therefore do not need to be re-examined.
Where those values match "known to be bad" files, the examiner can say, again with statistical certainty, that the corresponding files on the seized system are bad and therefore require scrutiny. More importantly, however, the examiner knows that at least one other law enforcement agency in the world has encountered the same files. This may indicate the presence of a network of people sharing these "known to be bad" files, where at least two of the nodes are readily identifiable.
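The comparison described above, as an added example that is not HashKeeper's own code: a small triage routine that hashes every file under an evidence directory with MD5 and sorts it into known-good, known-bad, or unknown. The function names, sample files, and hash sets are constructed for illustration.

```python
import hashlib
import os
import tempfile

def md5_file(path, chunk_size=1 << 20):
    """Hex MD5 of a file, read in chunks so large evidence files are not loaded whole."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()

def triage(root, known_good, known_bad):
    """Walk root and sort each file into good / bad / unknown by its MD5."""
    result = {"good": [], "bad": [], "unknown": [], "unreadable": []}
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            try:
                digest = md5_file(path)
            except OSError:
                result["unreadable"].append(rel)  # could not be hashed, needs manual review
                continue
            # known_bad is checked first so a hash present in both sets is still flagged
            bucket = "bad" if digest in known_bad else "good" if digest in known_good else "unknown"
            result[bucket].append((rel, digest))
    return result

def demo():
    """Triage a constructed evidence tree against constructed hash sets."""
    samples = {
        "os/notepad.bin": b"constructed stand-in for a stock OS file",
        "docs/renamed.txt": b"constructed stand-in for flagged content",
        "docs/notes.txt": b"never seen before",
    }
    known_good = {hashlib.md5(samples["os/notepad.bin"]).hexdigest()}
    known_bad = {hashlib.md5(samples["docs/renamed.txt"]).hexdigest()}
    with tempfile.TemporaryDirectory() as root:
        for rel, data in samples.items():
            path = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as f:
                f.write(data)
        return triage(root, known_good, known_bad)

if __name__ == "__main__":
    print(demo())
```

Only the files left in the unknown and unreadable buckets need a first examination. MD5 is used because it is the algorithm the page names; since MD5 collisions can be constructed deliberately, a match against the known-good set is only as strong as the assumption that nobody crafted the file to collide.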
Created in 1996 by the National Drug Intelligence Center (NDIC), a component of the United States Department of Justice, it was the first large-scale source for hash values of "known to be good" and "known to be bad" files. HashKeeper was, and still is, the only community effort based upon the belief that members of state, national, and international law enforcement agencies can be trusted to submit properly categorized hash values. One of the first community sources of "known to be good" hash values was the Internal Revenue Service (IRS). The first source of "known to be bad" hash values was the Luxembourg Police, who contributed hash values of recognized child pornography.
HashKeeper is available, free-of-charge, to law enforcement, military and other government agencies throughout the world. It is available to the public by sending a Freedom of Information Act request to NDIC.