Computer Forensics Tools & Techniques Catalog

Forensic Tool Functionalities

Forensic Functionality:	Hash Analysis
Technical Parameters:	Tool host OS / runtime environment	Hash computation	Supported hash algorithms	Create and manage hashsets	Hash search- use of hashes or hash sets to identify files/objects of interest	Hash elimination- use of hash sets to filter out files/objects (e.g., "known good" or "known benign" files)	Hash de-duplication- use of hashes to eliminate identical files/objects
	Windows	hash files	MD5	support for creating and managing hashsets	search by hash supported	tool support for hash elimination	tool support for hash de-duplication
	Mac	hash archive file contents	SHA1	hashset management and creation not supported	search by hash unsupported	hash elimination unsupported	hash de-duplication unsupported
	Linux	hash e-mails	SHA2-256
		hash media (e.g., hard drive, thumb drive, partition)	SHA2-512
		hashing not supported	SHA3-256
			SHA3-512
			fuzzy hashing - ssdeep
			fuzzy hashing - PhotoDNA
			fuzzy hashing - other
			n/a (hashing not supported)