Oftentimes in forensics investigations you will have to analyze systems containing many files. While some of the files may be important to your investigation, many of them will be system (or other) files that you can safely ignore. File filtering is a technique where you filter out such files so that you don’t waste time analyzing unnecessary files. Filtering is normally done by computing the hash of your files and comparing them to a hashset of known files.

Note: You can have both “good” and “bad” hashsets. A “good” hashset may contain hashes of Windows XP system files, while a “bad” hashset may contain files commonly associated with keyloggers and rootkits. Using a “bad” hashset you may be able to quickly identify if a system contains malicious files.

The most extensive hashset available is the NIST National Software Reference Library (NSRL). However, in this tutorial we will utilize other hashsets which are available for the free edition of the tool OSForensics. We do this because these hashsets are formatted to be used with OSForensics while the NIST NSRL is not and converting it to a format that OSForensics understands is beyond the scope of this tutorial.


By Moshe Caplan

The "NIST Hacking Case" is a great publicly available Forensics challenge to work on. To complete it NIST provides a dd image of a disk, split into eight parts. Combine the parts and determine how many files from the image are present in the three OSForensics hashsets specified below: 

1. Windows XP Professional SP3 (32-bit) 

2. Office 2007 Enterprise (Vista) 

3. Keyloggers (Various) 

The "NIST Hacking Case" is available here: https://sites.google.com/a/isis.poly.edu/cyfor/modules/nist-hacking-case 

After completing this challenge I strongly encourage you to work your way through the entire "NIST Hacking Case." 




  1. Windows XP Professional SP3 (32-bit): 3873/11409 
  2. Office 2007 Enterprise (Vista): 108/11409 
  3. Keyloggers (Various): 132/11409

Further information on this module can be found at the following links.


You must Sign-In to post a comment.