The known, safe and trusted hash sets from over 100 Mac OS X, macOS, and Microsoft Windows operating system versions have been updated in the new release of BlackLight. The known hash sets in the latest version have been updated to utilize hashes from hashsets.com.
With BlackLight 2017 R1 you’ll be able to filter out known system files quicker and more efficiently. This improved file elimination and validation means all safe, trusted, known-good, and non-threatening hash values, gathered on Mac OS X and Microsoft Windows operating systems since 2003 by hashsets.com, are available to you in your forensic examinations.
The trusted hash sets from hashsets.com
Incorporating the hash sets from hashsets.com was an obvious evolution of BlackLight for us. The numbers within this well-known and used hash set speak for themselves. For example, there are over 5.5 million unique files hashed in these Microsoft Windows operating systems alone:
- Microsoft Windows Vista Ultimate (64 bit) – 1,824,166 unique files hashed
- Microsoft Windows 7 Ultimate (32 bit) – 1,110,329 unique files hashed
- Microsoft Windows 7 Enterprise (32 bit) – 1,093,106 unique files hashed
- Microsoft Windows 10 Home (32 bit) – 737,868 unique files hashed
- Microsoft Windows 7 Ultimate (64 bit) – 743,421 unique files hashed
The top 3 most hashed OS X and Macintosh operating systems, include:
- Mac OS X 10.11 – 522,111 unique files hashed
- Mac OS X 10.12 – 484,976 unique files hashed
- Mac OS X 10.10 – 474,5156 unique files hashed
File hashing behavior in BlackLight 2017 R1
This means as a user of BlackLight you need to be aware that the hashing process in this version has changed. In the latest version of BlackLight and in line with industry processes for forked files only, a file’s data fork will be hashed. If the data fork doesn’t exist then the resource fork will be hashed. Furthermore, a combined hash will no longer be calculated.
Given this file hashing behavior change, hash sets created in BlackLight 2016 R3.1 and prior versions will no longer work for Hierarchical File System Plus (HFS+) files that have both a data fork and a resource fork. The reason being is these hash sets recorded the combined hash for hash comparison, which will no longer be available for comparison in BlackLight 2017 R1. A user should note, however, that older hash sets will still work in the latest version with HFS+ files that only have a data fork. Additionally, hash sets created from files on non-HFS+ file systems will continue to work as expected.
Not using BlackLight yet? Find out more about this smart, comprehensive and trusted analysis software by contacting a member of the BlackBag Sales Team.
To upgrade to the latest version of BlackLight 2017 on release, please contact the BlackBag Sales Team.