December 12th, 2008 by ahoog

Hashkeeper

Hashkeeper is a database of known good and known bad files which can significantly reduce the number of files an analyst needs to investigate. It was started by the National Drug Intelligence Center in 1998 and is still maintained there. However, the primary audience is law enforcement, and anyone else must file a Freedom of Information Act request to NDIC.

Hashkeeper and NSRL

While Hashkeeper is similar to the NSRL (National Software Reference Library), each has its own purpose. NSRL’s focus is on providing a data set that is traceable to the original installation media, while Hashkeeper’s files are less rigorously traced and are submitted from various law enforcement agencies.

Additional information (from NDIC’s website)

“HashKeeper is an application created in 1998 to assist computer forensic examinations by reducing the number of files to be analyzed during the course of an investigation. HashKeeper works by storing MD5 hash values or “digital fingerprints” of common software applications and compares those hash values against the files encountered in a seized system. Files encountered in the seized system that match those in the HashKeeper database do not need to be examined. HashKeeper eliminates the need for an examiner to review files created during software installation and leaves behind primarily user-created files. In most instances, HashKeeper decreases the number of files that need to be examined by 50%.

HashKeeper is available free of charge, and thousands of this application have been distributed to appropriate law enforcement and intelligence agencies worldwide.”
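
The filtering described above, sketched as an added example that is not part of the original post and is not NDIC's code: every file is hashed with MD5 and sorted into known bad, known good, or unknown, and only the last group is left for the examiner. The hash sets here are plain Python sets built from constructed sample bytes, not the HashKeeper database format, and `md5_of`, `triage` and `demo` are illustrative names.

```python
import hashlib
import os
import tempfile

def md5_of(path, chunk_size=1 << 20):
    """Stream a file through MD5 so large evidence files are not read into memory."""
    digest = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()

def triage(root, known_good, known_bad):
    """Sort every file under root into 'known_bad', 'known_good' or 'unknown'."""
    result = {"known_bad": [], "known_good": [], "unknown": []}
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            path = os.path.join(dirpath, name)
            h = md5_of(path)
            # Check known-bad first so a hash present in both sets is never hidden.
            if h in known_bad:
                result["known_bad"].append(path)
            elif h in known_good:
                result["known_good"].append(path)
            else:
                result["unknown"].append(path)
    return result

def demo():
    """Build a constructed evidence tree (all contents are made up) and triage it."""
    files = {
        "system/app.dll": b"constructed vendor library bytes",
        "system/readme.txt": b"constructed installer readme",
        "tools/flagged.bin": b"constructed flagged tool bytes",
        "home/notes.doc": b"constructed user document",
    }
    good_names = ("system/app.dll", "system/readme.txt")
    known_good = {hashlib.md5(files[n]).hexdigest() for n in good_names}
    known_bad = {hashlib.md5(files["tools/flagged.bin"]).hexdigest()}
    with tempfile.TemporaryDirectory() as root:
        for rel, data in files.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as fh:
                fh.write(data)
        result = triage(root, known_good, known_bad)
        return {k: sorted(os.path.relpath(p, root).replace(os.sep, "/") for p in v)
                for k, v in result.items()}

if __name__ == "__main__":
    for category, paths in demo().items():
        print(category, paths)
```

Matching is on content only, so a renamed known file still lands in its category, while a single changed byte moves a file into the unknown set.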
