Calculating hash values

Evidence sources can contain thousands of files, including known files that are critical to an investigation and common files that are not relevant. Searching through and categorizing each file can be a very time-consuming task.

By calculating hash values for all files and importing hash sets of known files, AXIOM Process automatically searches and categorizes evidence for you. AXIOM Process remembers your previous selections the next time you create a new case or add evidence to an existing case.

Calculate hash values for all files

During a search, AXIOM Process can calculate unique hash values for each file. In AXIOM Examine, you can then quickly search for, compare, or filter those files based on known hash sets (for example, NSRL hash sets).

Calculating hash values slows down processing times. By default, files larger than 500 MB are not hashed, though you can customize the file size limit for hashing.

  1. In AXIOM Process, click Processing details > Calculate hash values.
  2. In Calculate hash values for all files, select the Calculate hash values for all files option.
  3. Continue setting up your case.

Import hash lists for known files

If you want to quickly see if known files exist in your evidence, you can import a list of hash values for files that might be of interest to your case.

Hash lists must be .txt files containing MD5 or SHA1 hashes (such as NSRL files), with each hash on a separate line. After you add a hash list, you can provide a tag that gets applied to the files. You can view the matching files in the File system explorer in AXIOM Examine.

  1. In AXIOM Process, click Processing details > Calculate hash values.
  2. In Tag files with matching hash values, click Add file.
  3. Browse to the location where you saved the hash list and click Open.
  4. If applicable, clear the Enabled option next to any previously imported hash list files that you don't want to use for this search.
  5. In the Tag field, provide a name for the tag.
  6. Continue setting up your case.

Ignore non-relevant files in a search

If you don’t want common operating system files like icons, wallpapers, system files, and so on to clutter up your evidence, you can exclude them by providing their hash values in a hash set. Ignoring non-relevant files is subject to the specified size limit for hash files.

Hash lists must be .txt files containing MD5 hashes (such as NSRL files), with each hash declared on its own line. Even though the files are excluded from the Artifacts explorer, you can still view the files and the tag that is applied to them in the File system explorer.

  1. In AXIOM Process, click Processing details > Calculate hash values.
  2. In Ignore non-relevant files, click Add file.
  3. Browse to the location where you saved the hash sets, and then click Open.
  4. If applicable, clear the Enabled option next to any previously imported hash sets that you don't want to use for this search.
  5. Continue setting up your case.
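
A pre-import check for the hash list format described in the two sections above (one bare MD5 or SHA1 hash per line for tagging, MD5 only for ignoring), as an added example that is not part of AXIOM or of the original page. The function name, the 'tag' and 'ignore' labels, and the sample text are assumptions made for illustration; how AXIOM itself treats blank, duplicate, or malformed lines is not stated on the page.

```python
import re

# Hex digest lengths for the two algorithms the page names.
DIGEST_LEN = {"md5": 32, "sha1": 40}
HEX_RE = re.compile(r"^[0-9a-fA-F]+$")

def check_hash_list(text, purpose):
    """Validate hash-list text for 'tag' (MD5 or SHA1) or 'ignore' (MD5 only).

    Returns (hashes, problems): unique lowercase hashes in first-seen order,
    and (line_number, reason) tuples for lines that do not fit the format.
    """
    allowed = {"tag": ("md5", "sha1"), "ignore": ("md5",)}[purpose]
    lengths = {DIGEST_LEN[a] for a in allowed}
    hashes, seen, problems = [], set(), []
    # Strip a UTF-8 BOM and accept CRLF or LF line endings.
    for n, raw in enumerate(text.lstrip("\ufeff").splitlines(), start=1):
        line = raw.strip()
        if not line:
            continue  # blank lines carry no hash; skipped, not reported
        if not HEX_RE.match(line):
            problems.append((n, "not a bare hex hash (one hash per line)"))
        elif len(line) not in lengths:
            problems.append((n, f"length {len(line)} is not " + "/".join(allowed)))
        elif line.lower() in seen:
            problems.append((n, "duplicate"))
        else:
            seen.add(line.lower())
            hashes.append(line.lower())
    return hashes, problems

# Constructed sample: MD5 and SHA1 of empty input, plus malformed lines
# (a duplicate, a CSV-style row, and a SHA-256 value).
SAMPLE = (
    "\ufeffD41D8CD98F00B204E9800998ECF8427E\r\n"
    "da39a3ee5e6b4b0d3255bfef95601890afd80709\r\n"
    "\r\n"
    "d41d8cd98f00b204e9800998ecf8427e\r\n"
    '"DA39A3EE...","D41D8CD9...","file.dll"\r\n'
    "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855\r\n"
)

if __name__ == "__main__":
    for purpose in ("tag", "ignore"):
        good, bad = check_hash_list(SAMPLE, purpose)
        print(purpose, len(good), "usable;", bad)
```

Writing the returned hashes back out one per line gives a list in the stated format; the reported line numbers point at entries to fix in the source list first.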