HK_HASH

PURPOSE   OPERATION   OPTIONS   COMMAND LINES  


Author: Dan Mares, dmares @ maresware . com
Portions Copyright (2009) Mares and Company, LLC
Phone: (770)242-6687 X119
Last Update: April 21, 2009

PURPOSE

The program HK_HASH.exe is designed to calculate the 128 bit MD5 hash of file(s) and create a comma delimited (text) output file that is compatable with the hashkeeper import function. The HK_HASH program is a stripped down version of the Maresware hash program with modifications to the output record which allow hashkeeper to import the file.

HK_HASH can calculate the hash value for a single file, for files in an entire directory, files in an entire path, files on an entire logical drive or drives. Specific file types can be specificed with the -f option -f filetype.*

The calculation of hash values of files have a number of different uses. The output of this program is specially designed to be compatable with the hashkeeper database program. For other uses, the full version of hash might be more applicable.

For full explanations and definitions of when hash values are useful, you are encouraged to research the hash program. This document is intended strictly for the hashkeeper users.

The of the program is a comma delimited record intended solely to be imported into the hashkeeper data base using the import function.


Top

OPERATION

Even though hk_hash is a 32 bit program it MUST be run from the command line. It will run under any of the current Windows operating systems.

The user provides HK_HASH with appropriate options on the command line. HK_HASH can run from a batch file which means, for forensic purposes it can run unattended.

Run without any options,

(C:>HK_HASH)

HK_HASH defaults to calculate the md5 hash values of all files in the current default directory, and all sub-directories. This output is NOT hashkeeper compatable.

The user supplies various options to modify or enhance the program operation. The hashkeeper required options are noted in the options section.

If no file type is provided, the default is all files (-f *.*).
If no path is provided, the current default directory (-p .) is used as a starting point, and a recursive hash is done from there. Options are available for modifying how the program searches for files.

Depending on the options supplied by the user, the program can calculate the hash of a single file, or entire drives.

OUTPUT FORMAT

The output record should be named with the syntax: outputname_hsh.txt
In order to be hashkeeper compatable, the _hsh.txt should be included

The output record format is:

"file_id","hashset_id","file_name","directory","hash","file_size","date_modified","time_modified","time_zone","comments","date_accessed","time_accessed"
6154974,7005,"2UPPER.exe","C:\Utils\Marsware","7BBEE826A9696F18ABA7A5DDC5F98557",45056,06/07/2005 0:00:00,12/30/1899 11:10:00,"EST",,,
6154991,7005,"32bit.zip","C:\Utils\Marsware","A2C9BFF89A48859E95B014106F0266BA",1319557,05/19/2003 0:00:00,12/30/1899 11:10:00,"EST","comment",05/19/2003 0:00:00,12/30/1899 11:10:00

The other file which hashkeeper needs is a file named: outputname_hke.txt.

This file has two lines in it. The format is:

"hashset_id","name","vendor","package","version","authenicated_flag","notable_flag","initials","num_of_files","description","date_loaded"
7005,"M00001 Maresware","Mares_co","Maresware",,1,0,"djm",0,"Maresware Software",4/21/2009 13:49:04

The only requirement here (other than name consistancey of outputname_hke.txt) is that the first field "hashset_id", be the same number as the --HASHSET_ID=nnnn when running the program. So you will need to edit this text file for each different hashset that is created. In this case, it is 7005.

One other note of import. There are 10 commas in the record.


Top

OPTIONS

Usage: HK_HASH    -[options]

To be compatable with hashkeeper input requirments, the minimum option is the --HASHSET_ID=nnnn option.

-p + path(s):  If more than one directory is needed to be looked at, then add the paths here as appropriate. (-p c:\windows    d:\work) Default is to recurse into the current path. If you are at root, the entire drive is done.

-f + filespec:  If more than one file type is needed, add them here. (-f   *.c   *.obj   *.dll). Default is to hash all files.

If these options are used, the program builds a matrix of paths and file types. It searches all the requested directories for all the requested file types. Thus giving a total of all the files in all the paths requested. These options are added to any default command line provided. (C:>HK_HASH c:\work\*.c -f *.dll -p d:\windows)

-oO + filename:  Output file name. Place the output to a filename. If uppercase O then existing output is appended to. To be consistant with the hashkeeper required input, the output name should be of a format: outputfilename_hsh.txt.

-C + "comment"
--comment="comment"
Add a "comment" into the comment field of the output record. See the output format above. Be careful not use include commas or quotes in this comment.

--HASHSET_ID=nnnn:  REQUIRED ITEM: Replace nnnn with proper hashset_id number. This ends up as the 2nd field of the output record. This value should match the hashset_id in the _hke.txt file. This value IS REQUIRED for hashkeeper to load the file.

--SEQUENCE=nnnnnnnnn:  Use this as the 1st field in the outpu record. It is often seen as a unique file numbering sequence. The value is used as the first field, and each record increments the value. It is not currently known how hashkeeper uses this item.

--FILEID=xxx:  Replace xxx with file set ID (usually numeric) as 1st field This does not increment and is superceded by --SEQUENCE=nnnnn

--CREATE_HKE   Create a _hke.txt file with the correct hashkeeper header format. This option uses the provided -o outputfilename_hsh.txt as mask for the outputfilename_hke.txt filename. It automatically generates the _hke.txt file with the correct lines of text in them. You can use this option instead of the redirection 2> name_hke.txt option mentioned below in the first command lines example. This is the preferred method of generating the _hke.txt file.

--REVERSE:  Reverse file date format to YYYY-MM-DD format. This is not hashkeeper compatable format.


Top

COMMAND LINES

Optimal command line
c:>HK_HASH -p c:\work\anyfolder -o files_hsh.txt --HASHSET_ID=1234    2> files_hke.txt
Do hash of files and produce compatable output and ADD the hke header file. This 2> is used to create the hke file which is used with the hashkeeper import option.
Optimal command line

c:>HK_HASH -p c:\ -o a:c_drive
Do hash of files for entire C: drive. This does not have the --HASHSET_ID value set and may not be hashkeeper compatable.

c:>HK_HASH -p c:\work -o files_hsh.txt --HASHSET_ID=1234 --comment="my files"
Do hash of files and produce compatable output.


Top