Hash Sets

Download hash sets and place them "\user\Documents\Forensic Explorer\HashSets\" folder. Compatible Hash Set formats are:

  • Forensic Explorer.edb3;
  • EnCase.hash (EnCase 6).

Forensic Explorer uses hash set data sourced from www.hashsets.com. Hash sets labeled "With known NSRL" have "most of the US Governments hash values pertaining to that particular operating system plus everything we have found that the US Government is currently unaware of as a result of our own hash processing after installing and analyzing operating systems" (HashSets.com).

Download Hash Sets

Hash Set Name: Encase_unique_MD5_MS_Windows_with_known_NSRL.hash
Release Date: 10 February 2013
Source: HashSets.com
Format:Guidance Software Encase (v6)
Download: Licensed users contact support@getdata.com.
About: Contains non-threatening known Windows Operating System file hash values.
Hash Set Name: US_Government_Hash_with_known_NSRL.hash
Release Date: 10 February 2013
Source: HashSets.com
Format:Guidance Software Encase (v6)
Download: Here (13 mb)
About: "Contains more than 746,000 common non-threatening known hash values consisting of US Government (federal, state, local and military) publicly accessible website images, logos, multimedia files, office documents (.doc, .pdf, .xls, .ppt, etc). These hash values can be utilized to assist in the elimination of non-threatening files during computer forensic examinations (eDiscovery, Malware, System Compromise, etc)". (source: HashSets.com)
Hash Set Name: Malware_Known_248528.hash
Release Date: 4 November 12
Source: HashSets.com
Format:Guidance Software Encase (v6)
Download: Here (4 mb)
About: Malware.
Hash Set Name: GetData[Windows].edb3
Release Date: 4 June 13
Source: HashSets.com
Download: Here (399 mb)
About: Contains non-threatening known Windows Operating System file hash values.
This hash set is large because it contains information additional to the hash value, including the file name and size. Forensic Explorer will make use of this additional information in future versions. At present, the "Encase_unique_MD5_MS_Windows_with_known_NSRL.hash" file listed above will serve the same purpose.