File Hash Filter


The File Hash filter allows you to specify files to be filtered from a case based on the hash value of each file. Files are filtered when they match either of the following conditions:

The file is identified in the NIST Items filter.

The file matches a custom file hash value, as specified by using the Custom File Hash Items filter.

Before case files can be filtered by the NIST Items filter, a NIST database must be downloaded to the same machine where CloudNine™ Explore is installed, and a NIST database must be attached to a case in CloudNine™ Explore. If a NIST database has not been downloaded and attached to a case, a warning icon is displayed in the NIST Items row next to Edit. For more information about downloading and attaching a NIST database, see NIST Configuration.

Before case files can be filtered by the Custom File Hash Items filter, the custom file hash value list must be created for or imported into the case. Once a custom file hash value list has been created for a case, it can be exported to a .lst file and imported into other cases. For more information about working with custom file hash value lists including creating, importing and exporting them, see the sections below.

 

Configuring File Hash Filtering

1. Click the Case Manager tab.

2. Double-click a case.

3. Click the Filters tab.

4. Select File Hash Filter from the drop-down if it is not already visible. By default, the Inc. check boxes for the NIST Items and Custom File Hash Items filters are selected.

5. Select the Inc. check box to allow NIST items to be included in the filter results, or select the Exc. check box to exclude NIST items from the filter results.

6. Select the Inc. check box to allow Custom File Hash Items to be included in the filter results, or select the Exc. check box to exclude Custom File Hash Items from the filter results.

7. Optionally, if your case has files that will be impacted by the NIST Items or Custom File Hash Items filters, you can click that row in the left-hand pane to view the files associated with the filter in the center panel.

Note

If a NIST database is not attached to the case, then the NIST Items filter will not function.

If a custom file hash value list has not been created or imported into the case, the Custom File Hash Items filter will not function.

 

Running the DeNIST Process

If you have a NIST database configured in your environment, and you have selected Inc. for NIST Items, you can initiate a DeNIST process.

1. Click Run next to NIST Items.

2. A Run DeNIST confirmation prompt displays. Select Yes.

3. A DeNIST Started confirmation message will display and the DeNIST will run as soon as possible. Click OK to close the confirmation.

 

Managing Custom File Hash Lists

You can create a custom file hash value list by doing either of the following:

Import SHA-1 hash values from a folder directory.

Import an existing list file.

After a custom file hash value list is created for a case, the list can be exported from the case to a new list file. These list files carry the .lst file extension. The exported list file can be imported into other cases. If a list is modified after files are imported into a case, the hash values in the list can be refreshed by using the Re-identify hash matches feature.

 

Creating a Custom File Hash

When you create a new custom file hash value list for a case, you can import SHA-1 hash values from one or more folder directories and their sub-directories that contain the file types you want to include in the list. If you import more than one folder directory into the list, and there are duplicate hash values, the import will automatically ignore any duplicate values.

1. Click the Case Manager tab.

2. Double-click a case.

3. Click the Filters tab.

4. Select File Hash Filter from the drop-down if it is not already visible.

5. Click the Edit link next to the Custom File Hash Items filter. The Manage Custom Hash Filter dialog opens.


6. Keep the default Import custom hashes selected in the Select Action list and the From folder option selected.

7. Click the ellipsis button. The Browse for Folder dialog opens.

8. Browse to and select the folder containing items to include in the custom hash filter as excluded items.

Important

When importing hash items from a folder, make sure the path to the folder does not exceed Microsoft Windows path limitations. If the path exceeds the Microsoft Windows path limitations, the hash values in the folder will not be imported into CloudNine™ Explore.

9. Click OK. The Browse for Folder dialog box closes and adds the selected folder to the Manage Custom Hash Filter dialog.

10. Click the Start button. The Generate Hashes From Folder dialog displays to confirm you want to generate file hashes from the contents of the folder specified.

11. Click Yes. The import starts. The hash values for all the file types specified in the folder and its sub-folders are imported into the case's custom file hash list. When the import is completed, the total number of hash values and other import statistics are displayed in the Manage Custom Hash Filter dialog. You can Close this dialog to return to the Case Manager Filters tab.
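
An independent check of what a folder import should yield, as an added example that is not CloudNine code: it walks the folder trees, computes SHA-1 values, ignores duplicate values, and flags paths that are too long. The 260-character limit (Win32 MAX_PATH), the function names and the sample files are assumptions; the page does not state the exact path limit.

```python
import hashlib
import os
import tempfile

WINDOWS_MAX_PATH = 260  # classic Win32 MAX_PATH; assumed to be the limit the note means


def sha1_of_file(path, chunk_size=1 << 20):
    """Stream the file through SHA-1 so large files never sit fully in memory."""
    digest = hashlib.sha1()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_hash_list(folders, max_path=WINDOWS_MAX_PATH):
    """Return (unique_hashes, duplicates_ignored, skipped_paths) for the folder trees."""
    unique, seen, duplicates, skipped = [], set(), 0, []
    for folder in folders:
        for root, _dirs, files in os.walk(folder):
            for name in sorted(files):
                path = os.path.abspath(os.path.join(root, name))
                if len(path) >= max_path:
                    skipped.append(path)  # too long: would not be imported
                    continue
                value = sha1_of_file(path)
                if value in seen:
                    duplicates += 1  # same content already in the list
                else:
                    seen.add(value)
                    unique.append(value)
    return unique, duplicates, skipped


def demo(max_path=WINDOWS_MAX_PATH):
    """Constructed sample tree: two files share content, one is distinct."""
    with tempfile.TemporaryDirectory() as base:
        os.makedirs(os.path.join(base, "sub"))
        for rel, data in [("a.txt", b"hello"), ("sub/b.txt", b"hello"), ("c.bin", b"world")]:
            with open(os.path.join(base, rel), "wb") as handle:
                handle.write(data)
        return build_hash_list([base], max_path=max_path)


if __name__ == "__main__":
    hashes, duplicates, skipped = demo()
    print(len(hashes), "unique,", duplicates, "duplicate(s) ignored,", len(skipped), "skipped")
```

Comparing the unique count with the import statistics shown in the Manage Custom Hash Filter dialog gives a quick way to spot files that were silently left out.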

 

Importing a Custom File Hash List

An existing custom file hash value list can be imported into a case to become the case's custom file hash value list, or to add additional hash values to the case's existing custom file hash value list. If the imported custom file hash value list contains duplicate SHA-1 hash values, the duplicate values will be ignored. When you import custom file hash value lists into a case, the hash values are appended to the case's existing list; the imported list does not overwrite the case's existing list.

1. Click the Case Manager tab.

2. Double-click a case.

3. Click the Filters tab.

4. Select File Hash Filter from the drop-down if it is not already visible.

5. Click the Edit link next to the Custom File Hash Items filter. The Manage Custom Hash Filter dialog opens.

6. Keep the default Import custom hashes selected. Click the From existing hash file option.

7. Click the ellipsis button. The Select Hash List File dialog opens.

8. Browse to and select the custom file hash value .lst file you want to import into the case.

9. Click Open. The Select Hash File List dialog closes and adds the selected file to the Manage Custom Hash Filter dialog.

10. Click the Start button. The Generate Hashes From Folder dialog displays to confirm you want to generate file hashes from the contents of the specified file.

11. Click Yes. The import starts. The hash values from the .lst file are imported into the case's custom list. When the import is completed, the total number of hash values and other import statistics are displayed in the Manage Custom Hash Filter dialog. You can Close this dialog to return to the Case Manager Filters tab.

 

Exporting a Custom File Hash List

A case's custom file hash list can be exported for editing and/or to be used in other cases. When you export a case's custom file hash list, the list is saved to a .lst file. The .lst file can be manually edited using a text file editor.

1. Click the Case Manager tab.

2. Double-click a case.

3. Click the Filters tab.

4. Select File Hash Filter from the drop-down if it is not already visible.

5. Click the Edit link next to the Custom File Hash Items filter. The Manage Custom Hash Filter dialog opens.

6. In Select Action, choose Export custom hashes.

7. Click the ellipsis button next to the Destination File field. The Export Custom Hash List dialog opens.

8. Browse to the folder where you want to save the custom file hash list, and then click Save.

9. The Export Custom Hash List dialog closes and adds the folder to the Manage Custom Hash Filter dialog.

10. Click the Start button. The custom file hash list is exported to a .lst file in the specified folder. When the export is completed, a success message is displayed in the Manage Custom Hash Filter dialog.

 

Refreshing Custom File Hash Filter Results

If the custom hash value list for a case has been modified after the case files have been imported and analyzed, or all the custom hash values have been deleted from the case, you will need to refresh the filter results.

1. Click the Case Manager tab.

2. Double-click a case.

3. Click the Filters tab.

4. Select File Hash Filter from the drop-down if it is not already visible.

5. Click the Edit link next to the Custom File Hash Items filter. The Manage Custom Hash Filter dialog opens.

6. In Select Action, choose Re-identify hash matches.

7. Click the Start button. A confirmation dialog displays.

8. Click Yes. The Custom File Hash Items filter results for the case are refreshed. When the refresh is completed, a success message is displayed and the number of files in the case matching a value in the case's custom file hash value list is displayed in the Manage Custom Hash Filter dialog.

 

Deleting all Custom Hash Values

You can delete all hash values in the case's custom file hash value list at one time.

1. Click the Case Manager tab.

2. Double-click a case.

3. Click the Filters tab.

4. Select File Hash Filter from the drop-down if it is not already visible.

5. Click the Edit link next to the Custom File Hash Items filter. The Manage Custom Hash Filter dialog opens.

6. In the Select Action list, select Clear all custom hash values. If there are no custom hash values added to the case, the Start button is disabled.

7. Click the Start button. A confirmation dialog displays.

8. Click Yes. All custom hash values are deleted from the case's custom file hash value list. When the delete is completed, a success message is displayed in the Manage Custom Hash Filter dialog.

9. Refresh the Custom File Hash Filter Results.

Important

If you only want to delete specific hash values, you will need to export the case's custom file hash value list, edit the exported .lst file in a text editor, use the Clear all custom hash values feature to remove all custom hash values from the case, and then import the edited custom file hash value list back into the case.
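
The edit step of the export, edit and re-import workaround above can be scripted, shown here as an added example that is not part of the product. It assumes the exported .lst file holds one SHA-1 hex value per line, which this page does not document; any other line is kept unchanged and reported, and the sample list is constructed.

```python
import re

SHA1_LINE = re.compile(r"^[0-9a-fA-F]{40}$")

# Constructed sample of exported list text (layout is an assumption).
SAMPLE_LST = (
    "DA39A3EE5E6B4B0D3255BFEF95601890AFD80709\n"
    "aaf4c61ddcc5e8a2dabede0f3b482cd9aea9434d\n"
    "not-a-hash\n"
    "a9993e364706816aba3e25717850c26c9cd0d89d\n"
)


def remove_hashes(list_text, to_remove):
    """Drop selected SHA-1 values from exported list text.

    Returns (new_text, removed, not_found, passthrough). Matching ignores
    case. Lines that are not a bare 40-hex value are kept untouched and
    reported, so an undocumented header or comment is never destroyed.
    """
    targets = {value.strip().lower() for value in to_remove}
    kept, removed, passthrough = [], [], []
    for line in list_text.splitlines():
        candidate = line.strip()
        if not SHA1_LINE.match(candidate):
            if candidate:
                passthrough.append(line)
            kept.append(line)
        elif candidate.lower() in targets:
            removed.append(candidate.lower())
        else:
            kept.append(line)
    # Requested values that never appeared: check these before clearing the case list.
    not_found = sorted(targets - set(removed))
    return "\n".join(kept) + "\n", removed, not_found, passthrough


if __name__ == "__main__":
    wanted = ["da39a3ee5e6b4b0d3255bfef95601890afd80709", "0" * 40]
    text, removed, not_found, passthrough = remove_hashes(SAMPLE_LST, wanted)
    print("removed:", removed)
    print("not found:", not_found)
    print("left as-is:", passthrough)
```

Reviewing the not-found and left-as-is results before running Clear all custom hash values avoids re-importing a list that differs from what was intended.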