Keylogger Hash use?
I just found the product and WOW, I love this program!!
I am testing things out and I saw the Hash sets, and the one that has the keyloggers in it.
How do I mount a drive and then check it for keyloggers with this hash set?
I have the drive mounted, and I have the Hash set made active, but that is it. I am not sure how you scan the mounted drive for keyloggers?
Thanks for any help!!
You can look up a file in a hash set from, for example, the "File name search" function. You need to do a search first, but you can search for * for find all files.
Right click on a file, or multiple files, and select lookup in hash set from the right click menu.
For others reading this post, you can set the current hash set from the "Hash sets" window. You can download some example hashsets from this page,
There are some example screen shots.
Right click to check if multiple selected files are in current hash set
Checking files to see if they are in the hash set
Sort search results to group matches
Check single file to see all matches for that file
I am currently evaluating the Beta version of OSForensic and so far im impressed. I have the following queries:
1. Is there a simpler way to distinguish between the grey and good hashsets results after hashing?
2. The suspect machine i am using for testing has Symatic Endpoint Security Installed, and thus many files in the Quarantine. How comes OSF cannot hash files in the quarantine?
1) The latest beta has actually changed a bit from the screen shots above. There is now an icon that appears if the file is in the hash set. Not sure if this is what you were really asking about however? Can you give an example.
2) Are you doing this on a live machine, or on a disk image. Maybe Symantec is blocking access to the files if this is on a live machine. I am also not sure how files are stored when they are in quarantine. Can you browse them with explorer? Maybe they are renamed, or even encrypted and thus only view-able is Symantec's product?