SOPIA Suite Help Files
Shift.py
Description
Shift is an acronym for "Simon's Hash Info Finder Tool". Shift is essentially a known-bad-hash finder script that ships with a file full of known hashes. The shift.py script scans a directory, hashes every file it finds and produces the MD5 and SHA-1 hash of each. These hashes are then compared with the hashes in the list of known hashes. If any match, Shift reports them in the results.
Dependencies
- python 2.7 installation
- Windows OS
How To Use
Step 1:
Before you run the shift.py script, look inside the shift folder. Inside the folder you should see two files:
- hashfile
- shift.py
Step 2:
If you open 'hashfile' you will see a list of MD5 hashes. You can add your own 'known-bad-hashes' in either MD5 or SHA-1 format. For this example, the MD5 hash on Line 8 will be the hash of the file we're looking for. Save any changes you make to this file.
Step 3:
Change directory (cd) to where shift.py is located and run the script with python shift.py, as shown in the screenshot below.
Step 4:
You will now be prompted to browse to where the hashfile is located. Browse to it, click on 'hashfile' and then click 'open'.
Step 5:
Shift now knows which hashes you are looking for. Next, browse to the directory you want to scan. Once you choose a directory, Shift hashes each file (MD5 and SHA-1) and checks each hash against the ones in the hashfile.
Step 6:
Once complete, Shift will tell you how many matches it found for both MD5 and SHA-1. The results will be saved in the folder that shift.py resides in, in a file named shiftOutput.txt.
Step 7:
You will be prompted to view shiftOutput.txt in the terminal, so that you do not have to navigate to the folder yourself.
Step 8:
If you wish to view the file manually, browse to the folder where shift.py resides and you will now see a file called 'shiftOutput.txt'. Double-click this file to view its contents.
Step 9:
Once open, you'll see the MD5 of each file that matches an MD5 in the hashfile. Each match is listed with its full file location, which ends with the file name.
About
Shift was developed as an open-source, lightweight tool to provide quick and easy known-hash finding, functionality that is missing from the likes of FTK & EnCase (without EnScripts). Shift reads files in 8192-byte blocks; as this is a multiple of 512 bytes, it makes an efficient buffer size.
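The scan-and-compare procedure from the steps above, together with the 8192-byte read described in this section, as an added Python 3 example (this is not the shift.py source, which these help files do not include): it loads a hashfile of MD5 or SHA-1 entries, hashes every file under a directory in 8192-byte chunks, and returns the matches. The demo() function builds a constructed sample directory and hashfile in a temporary folder; file and directory names in it are made up for the example.

```python
import hashlib
import os
import tempfile
from pathlib import Path

CHUNK = 8192  # read in 8192-byte blocks (a multiple of 512), as the help file says shift.py does

def load_hashfile(path):
    """Return the known hashes, lower-cased: MD5 (32 hex chars) or SHA-1 (40); other lines are ignored."""
    known = set()
    with open(path) as fh:
        for line in fh:
            h = line.strip().lower()
            if len(h) in (32, 40) and all(c in "0123456789abcdef" for c in h):
                known.add(h)
    return known

def hash_file(path):
    """Compute MD5 and SHA-1 of one file in a single pass over CHUNK-sized reads."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK), b""):
            md5.update(chunk)
            sha1.update(chunk)
    return md5.hexdigest(), sha1.hexdigest()

def scan(directory, known):
    """Walk directory recursively; return [(algorithm, hash, full path)] for every hit."""
    hits = []
    for root, _dirs, files in os.walk(directory):
        for name in files:
            full = os.path.join(root, name)
            try:
                md5, sha1 = hash_file(full)
            except OSError:
                continue  # unreadable file: skip it rather than abort the whole scan
            for algo, digest in (("MD5", md5), ("SHA-1", sha1)):
                if digest in known:
                    hits.append((algo, digest, full))
    return hits

def demo():
    """Constructed sample: one known-bad file (content b'abc') in a subfolder, plus decoys."""
    tmp = Path(tempfile.mkdtemp())
    (tmp / "sub").mkdir()
    bad = tmp / "sub" / "evil.bin"
    bad.write_bytes(b"abc")
    (tmp / "big.dat").write_bytes(b"x" * 20000)  # spans several 8192-byte chunks; must not match
    (tmp / "hashfile").write_text(  # MD5 (upper-case) and SHA-1 of b'abc', plus a junk line
        "900150983CD24FB0D6963F7D28E17F72\nnot a hash\na9993e364706816aba3e25717850c26c9cd0d89d\n")
    return scan(tmp, load_hashfile(tmp / "hashfile")), str(bad)
```

Hashes are compared case-insensitively, so entries pasted in upper-case from another tool still match.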
© 2014 Simon McCabe, SopiaSuite Help Files.