A DFIR Blog
The X-Ways manual states that you can import "a very simple and universal hash set text file, where the first line is simply the hash type (e.g. 'MD5') and all the following lines are simply the hash values as ASCII hex or (for SHA-1) in Base32 notation, one per line. Line break is 0x0D 0x0A" [1]. This allows you to check a suspect file against a hash set without exporting it and performing a lookup.
It's easiest to do this in Linux: we only need to install ClamAV to get sigtool. You could use freshclam to fetch the AV signatures, but I found this process cleaner:
sudo apt install clamav
mkdir sigs && cd sigs
wget http://database.clamav.net/main.cvd
wget http://database.clamav.net/daily.cvd
sigtool --unpack main.cvd
sigtool --unpack daily.cvd
grep -Eo '[a-fA-F0-9]{32}' main.hdb >> ClamAVHashes.txt
grep -Eo '[a-fA-F0-9]{32}' daily.hdb >> ClamAVHashes.txt
OPTIONAL:
cp ClamAVHashes.txt /media/$USER/$USB/ClamAVHashes.txt
But you could also use PowerShell:
sigtool.exe --unpack .\daily.cld
sigtool.exe --unpack .\main.cld
# Each Match object exposes .Value (not .Values); write ASCII so X-Ways reads plain hex (Windows PowerShell 5.1's Out-File defaults to UTF-16)
Select-String -Path .\daily.hdb -Pattern '^[a-f0-9]{32}' | ForEach-Object { $_.Matches } | ForEach-Object { $_.Value } | Out-File -Encoding ascii 'ClamAVHashes.txt'
Select-String -Path .\main.hdb -Pattern '^[a-f0-9]{32}' | ForEach-Object { $_.Matches } | ForEach-Object { $_.Value } | Out-File -Encoding ascii -Append 'ClamAVHashes.txt'
Here's an example of my ClamAVHashes.hsh, with the hash type added as the first line:
MD5
B10A8DB164E0754105B7A99BE72E3FE5
C76F0F3840E9EF0CC2C896B16EE81FC0
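The extraction above leaves two details to the reader: the grep output on Linux is LF-terminated and has no hash-type header, while the X-Ways manual quoted at the top asks for a first line naming the hash type and 0x0D 0x0A line breaks. The following is an added Python example (not code from the original post or from ClamAV) that reads .hdb records, assuming the documented "md5:filesize:malwarename" layout that sigtool --unpack produces, deduplicates and uppercases the hashes, and writes the .hsh file in exactly the form shown above. The sample .hdb content is constructed and contains no real signatures.

```python
"""Build an X-Ways style hash set (.hsh) from ClamAV .hdb records.

Added example, not from the original post. Assumes the .hdb line layout
"md5:filesize:malwarename" and produces the single format the X-Ways manual
describes: hash type on the first line, one ASCII hex hash per following
line, CRLF (0x0D 0x0A) line endings.
"""
import re
from pathlib import Path

MD5_HEX = re.compile(r"^[0-9a-fA-F]{32}$")

# Constructed sample .hdb content: two valid records, one duplicate that only
# differs in case, a comment line and a malformed record. Not real signatures.
SAMPLE_HDB = """\
b10a8db164e0754105b7a99be72e3fe5:12345:Win.Test.Sample-1
c76f0f3840e9ef0cc2c896b16ee81fc0:67890:Win.Test.Sample-2
B10A8DB164E0754105B7A99BE72E3FE5:12345:Win.Test.Sample-1
# a comment line, skipped
notahash:1:Broken.Record
"""


def extract_md5s(hdb_text: str) -> list[str]:
    """Return unique, uppercase MD5 hashes from .hdb records in first-seen order."""
    seen: set[str] = set()
    hashes: list[str] = []
    for line in hdb_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        md5 = line.split(":", 1)[0]          # first field of hash:size:name
        if not MD5_HEX.match(md5):
            continue                          # ignore anything that is not 32 hex chars
        md5 = md5.upper()
        if md5 not in seen:
            seen.add(md5)
            hashes.append(md5)
    return hashes


def build_hash_set(hashes: list[str], hash_type: str = "MD5") -> bytes:
    """Serialise as X-Ways expects: hash type line, then one hash per line, CRLF, ASCII."""
    lines = [hash_type, *hashes]
    return ("\r\n".join(lines) + "\r\n").encode("ascii")


def hdb_files_to_hsh(hdb_paths: list[Path], out_path: Path) -> int:
    """Convert one or more .hdb files (e.g. main.hdb and daily.hdb) into one .hsh.

    Returns the number of unique hashes written.
    """
    combined = "\n".join(
        p.read_text(encoding="utf-8", errors="replace") for p in hdb_paths
    )
    hashes = extract_md5s(combined)
    out_path.write_bytes(build_hash_set(hashes))
    return len(hashes)


if __name__ == "__main__":
    # Stand-alone demo on the constructed sample; for real use call
    # hdb_files_to_hsh([Path("main.hdb"), Path("daily.hdb")], Path("ClamAVHashes.hsh"))
    print(build_hash_set(extract_md5s(SAMPLE_HDB)).decode("ascii"), end="")
```

Writing bytes rather than text keeps Python from translating the CRLF endings on any platform, and the ASCII encode will fail loudly if a non-hex character ever slips through the regex.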
See [Hashing in X-Ways Forensics on SALT4N6's site](https://salt4n6.com/2018/05/07/hashing-in-x-ways-forensics/).