Generating Hashsets

You can create your own hashsets using OSForensics.

The three most common methods are:

  1. Creating a hashset from an existing list of hashes (Quick Hashset).
  2. Creating a hashset from a folder of files.
  3. Creating a hashset from an application's files.

Hashsets enable quick and easy identification of known files. A hashset could be a collection of known safe files (e.g. Windows OS files) or a collection of known unsafe files (e.g. Trojans). During a file scan/search, files can be checked against a hashset to identify whether these known files are present.

1) Creating a Hashset from an Existing List of Hashes

  1. Start up OSForensics and click the "Hash Sets" tab. Click "Quick Set..." and you will see the window below.
    Quick set window in OSForensics
  2. Provide the hashset with a suitable name and insert the hashes into the space provided (one hash per line). Click "Create".
    Create quick set
  3. As seen below, a database containing the hashset is created. It is possible to view the hashset in detail by double-clicking it. Generated hashsets are typically found in C:\ProgramData\PassMark\OSForensics\hashSets
    View quick set

2) Creating a Hashset from a Folder of Files

  1. Start up OSForensics and click the "Hash Sets" tab. You will see the window below. Click "New DB" and provide the database with a suitable name and click "OK".
    Creating a new database in OSForensics (Method 2)
  2. Set the created database to Active, which will change the colour of the database icon to yellow.
    Make database active (Method 3)
  3. Click "New Set...". In the window that pops up, enter details of the hashset that is being created. Shown below are details that were entered for a hashset of PassMark help files. To add the folder that needs to be included in the hashset, click on "..." next to the "Folder" field and select the required folder. (Note: For more details of each of the fields, refer to the help file). Click "Create" to create the hashset.
    Create hashset of folder
  4. As seen below, the hashset is added to the active database. It is possible to view the hashset in detail by double clicking it. Generated hashsets are typically found in C:\ProgramData\PassMark\OSForensics\hashSets
    View hashset of folder

3) Creating a Hashset from an Application's Files

  1. Start up OSForensics and click the "Hash Sets" tab. You will see the window below. Click "New DB" and provide the database with a suitable name and click "OK".
    Creating a new database in OSForensics (Method 3)
  2. Set the created database to Active, which will change the colour of the database icon to yellow.
    Make database active (Method 3)
  3. Move to the "Create Signature" tab. Here, we generate file signatures before and after the installation of the application takes place on the system. In this example, we have created a hashset of Office 365 files. An initial signature was taken prior to the installation (Before365.OSFsig). This was followed by the installation of Office 365. A signature was then generated immediately after the installation (After365.OSFsig). These were saved as seen on the left side of the image below. Note: Where it is not possible to obtain a Before signature (e.g. for the installation of Windows on a blank hard drive), it is possible to use only the After/New signature by leaving the Before/Old signature blank in step 4, or to use Method 2.
    Create file signatures
  4. Move to the "Compare Signature" tab. Here, we compare the before and after versions of signatures that were previously created. The result is a list of new/modified/deleted files from the installation. These become the "known" files that form the hashset.
    Compare file signatures
  5. On the same tab, click "Hashset...". On the New Hash Set window that pops up, enter details of the hashset that is being created. Shown below are details that were entered for the Office 365 hashset example (Note: For more details of each of the fields, refer to the help file). Click "Create" to create the hashset.
    Create hashset of application files
  6. Back on the "Hash Sets" tab, the hashset has been added to the active database. It is possible to view the hashset in detail by double-clicking it. Generated hashsets are typically found in C:\ProgramData\PassMark\OSForensics\hashSets
    View hashset of application files