[sleuthkit-users] Good vs. Bad Hashes

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 422-6466

Is anyone interested in looking into the best way to manage hashes? The 
definition of "good" versus "bad" is relative to the current 
investigation and I don't know the best way to handle this in The 
Sleuth Kit and Autopsy.  There could be a single database with 
categories of hashes and you choose which are good and which are bad 
for that investigation (similar to the new Forensic Hash Database that 
was announced and NSRL).  Or, you could import tens of hash databases 
and identify them as bad or good (like hashkeeper).

I think hashkeepr is LE-only, so I would rather focus on using NSRL and 
custom hashes made by md5sum.  If anyone is interested in working on a 
workable solution to this, let me know.

brian