How to create hashset databases with Belkasoft X

Introduction

Hashset analysis is a big time-saver in both criminal and cybersecurity investigations. Whether you want to find illicit images without browsing through them or quickly detect known malicious files—this intelligent tool can help you handle the job.

While publicly available hashset databases like the National Software Reference Library (NSRL) and Project VIC help streamline your searches, creating your own hashset databases can aid in cross-checking multiple cases and sharing your experience with fellow investigators or the digital forensics and cyber incident response (DFIR) community.

In this article, you will learn how to create a hashset database with Belkasoft X, a DFIR tool that incorporates hashset analysis and other features that expedite the work of digital investigators.

Creating a hashset database

  1. Calculate hash values for a data source.
    You can run a hash calculation during the initial data source analysis or perform this task after adding the data source to your case.
    For a new data source:
    • Launch Belkasoft X, create a case, and add a new data source from the "Create case" window or the Actions menu on the case dashboard.
    • After choosing the data source, navigate to the Hashes tab.

    • Select the algorithms for calculating hashes of the files. For custom hashset databases, we recommend always including SHA256, as it is less prone to collisions, which helps to avoid false positive results when running hashset analysis.
    • The Ignore files larger than checkbox is activated by default, with a limit of 200 Mb. This setting speeds up the hash calculation by ignoring huge files (for example, video files) that have a minimal probability of matching a hashset.

    For an existing data source:

    • From the main menu, select File System.
    • Right-click your data source and select Run hashset analysis in the context menu that opens.

  2. Select items for your database.

    After Belkasoft X completes the hash calculation, use one of the following options to select the items whose hashes you want to include in your database:

    • The most straightforward way is to use the Grid view of the "Artifacts" window. Select the checkboxes of the items, right-click them, and select Create report for checked items.

    • Another way is to export the data of all items of a profile node. Right-click a node and select the Create report for checked profiles context menu item.

    • Lastly, you can bookmark the items you want to export and assign them to categories. When you finish creating the categories, you can export all items under the categories into reports from the Bookmarks window.

  3. Select the database format.

    Belkasoft X can export hashsets in various formats:

    • Text and CSV are plain text formats that can work for internal use and sharing.
    • VICS 1.3 and 2.0 are the standard formats of the Project VIC database, which specializes in child abuse materials. You can use them to contribute to global databases or for internal use and sharing, as many DFIR tools support these formats.
    • Semantics 21 (S21) can be used when working in the combined BelkaS21 software bundle or for importing into third-party tools like Amped FIVE.

  4. Configure export options.

    If you select the Text or CSV format, you need to adjust the output options so that the file has one hash per line:

    • In the "Create report" window, click Advanced options.
    • Select the Columns tab and clear the Selected columns pane using the << button.
    • In the Available columns pane, select the hash property you want to include in the hashset and use the > button to select it for the report.

  5. Review the output hashset.

    After you make the necessary settings, Belkasoft X creates a report with just one column. A CSV file will look as follows:

    For the text format, the resulting hashset file may look similar to the following:
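
A one-column Text or CSV export can be sanity-checked before it is shared or imported elsewhere. The Python sketch below is an added example, not Belkasoft code: it keeps only well-formed SHA256 lines, reports everything else, and matches a folder against the result while skipping large files. The function names, the `SHA256` header row, the quoted values and the reading of the 200 Mb limit as megabytes are assumptions of this example.

```python
import hashlib
import re
import tempfile
from pathlib import Path

SHA256_RE = re.compile(r"[0-9a-f]{64}")

def load_hashset(text):
    """Parse a one-hash-per-line export; return (hashes, rejected_lines)."""
    hashes, rejected = set(), []
    for lineno, raw in enumerate(text.splitlines(), 1):
        value = raw.strip().strip('"').lower()  # tolerate CSV quoting and upper case
        if not value:
            continue
        if SHA256_RE.fullmatch(value):
            hashes.add(value)
        else:
            # Header rows, truncated values and MD5/SHA1 columns end up here.
            rejected.append((lineno, raw))
    return hashes, rejected

def sha256_file(path, chunk=1 << 20):
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()

def match_tree(root, hashes, max_bytes=200 * 1024 * 1024):
    """Relative paths under root found in the hashset; larger files are skipped."""
    hits = []
    for path in Path(root).rglob("*"):
        if path.is_file() and path.stat().st_size <= max_bytes:
            if sha256_file(path) in hashes:
                hits.append(path.relative_to(root).as_posix())
    return sorted(hits)

def demo():
    # Constructed sample: assumed header row, quoted upper-case value, duplicate, MD5.
    known = hashlib.sha256(b"constructed known file").hexdigest()
    export = f'SHA256\n"{known.upper()}"\n{known}\nd41d8cd98f00b204e9800998ecf8427e\n'
    hashes, rejected = load_hashset(export)
    with tempfile.TemporaryDirectory() as tmp:
        (Path(tmp) / "a.bin").write_bytes(b"constructed known file")
        (Path(tmp) / "b.bin").write_bytes(b"unrelated content")
        hits = match_tree(tmp, hashes)
    return hashes, rejected, hits

if __name__ == "__main__":
    print(demo())
```

A non-empty rejected list usually means the export still contains extra columns or a hash type other than SHA256.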

Conclusion

Integrating custom hashset databases into a digital examiner's toolkit offers a significant advantage by expediting investigations and helping to uncover interconnections among cases. With Belkasoft X's capabilities, investigators can easily calculate hash values for files and seamlessly export them into a range of hashset database formats, enhancing the efficiency of their investigative processes.
