Question
How do I import custom hash sets to create a custom KFF group?
Answer
Prerequisites:
- A text file containing a list of the desired hashes, saved as a *.csv or *.tsv. This can be created manually or by using "Export File List Info" in FTK, including only the desired hash column in your list (e.g. MD5 or SHA1).
Note: You must include the hash type (MD5 or SHA1) as the first line in the file.
Example:
MD5
16C3A5060A5D7D2FD6C1D647B40442DC
16C3A5060A5D7D2FD6C1D647B40442DD
16C3A5060A5D7D2FD6C1D647B40442DE
[Leave an empty line (hard return) after the last hash]
OR
- A HashKeeper (*.hke) file
Procedure:
- In FTK go to Manage > KFF and click "Import"
- Click "Add File"
- Select the Status for your custom hash set
- Browse to the file with your custom hash set (*.csv, *.tsv, *.hke)
- Give the hash set a name
- Specify a Source Vendor name, Version, and Package name
- Click "OK", then click "Import"
- Back in the KFF Admin dialog, under Defined Groups click "New"
- Give the group a name
- Select a "Status Override" (set to "None" to use the original sets' statuses)
- Highlight your new KFF set in the Available Groups/Hash Sets list and add it to your new group by clicking <<, then click "OK"
Overview
These steps will help you import a custom KFF hash set and create your own KFF group in FTK.