4 Replies Latest reply on Nov 8, 2011 1:12 PM by SteveBunting

    Need guidance to create a db with two tables to compare hash values in each table

    SteveBunting

      I have an ongoing need to compare file hashes.  Usually I have a list of known bad hashes and another list of questioned hashes.  The questioned hashes need to be queried against the table of bad hashes and a field in the table of questioned hashes needs to be populated with the results, as in yes there's a matching hash or no there is not.  

      I've been doing this in Excel, but once the sets get large, Excel becomes rather cumbersome as it is not a database!  

      It's really a pretty simple thing, only I'm more familiar with forensics than I am configuring databases with FM ;->

      Suggestions, anyone?

       

      Thanks

       

      Steve Bunting

      +1.302.260.2633

        • 1. Re: Need guidance to create a db with two tables to compare hash values in each table
          philmodjunk

          With two tables: QuestionedHashes and BadHashes, you can define this relationship in Manage | Database | relationship:

          QuestionedHashes::HashField =  BadHashes::HashField

          On a layout based on QuestionedHashes, you can display the data in list or table view and then add the HashField from the BadHashes table to this same layout or table view.

          If you then:

          Enter Find Mode

          Enter an asterisk * into the BadHashes::HashField

          Perform the find

          You'll pull up a list of all records in QuestionedHashes that have a matching record in BadHashes.

          This method can also be scripted

          At this point there really doesn't seem to be a need for a field in QuestionedHashes to identify which have a bad hash code as you can see what records have a match by whether or not the BadHashes::HashField field is empty or not, but you can at this point use Replace Field Contents to load a field in all the records you have found with a value that "marks" them as having a matching record.

          Depending on what you need to do and how you get your data into the QuestionedHashes and BadHashes tables, there may be other methods you can implement that automatically enter data into such a field for you.

          • 2. Re: Need guidance to create a db with two tables to compare hash values in each table
            SteveBunting

            Phil,

            This works perfectly - Thanks.....

            I'm trying to make double duty on this database as I often have to go in the other direction.  To make this clear, I named my tables Questioned Hashes and Known Hashes, with that corresponding to Questioned Hashes and Bad Hashes above.  Sometimes we have to work with known good hashes and eliminate in the questioned set the good or matching hashes, leaving behind in the found set, those not found in the known set, which then become suspect.  

            In essence, then, my find is not for * but rather for null records in the field KnownHashes::HashField (BadHashes::HashField) as listed above.  I should be able to use = in the find mode to locate null or empty records.  I clearly have empty records and wish to display only those, but = returns "No records match this set of find requests".  

            And so * returns only records with data in this field, but the opposite is not working .....

            Thoughts on this one?????

            Steve

            • 3. Re: Need guidance to create a db with two tables to compare hash values in each table
              philmodjunk

              Use the *, but then specify the Omit option so that you find all records that do not have a related record. (= only works on fields local to the layout's table.)

              In a script you can use the Omit record step while in find mode to create an "omit" request.
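
The two comparisons worked out in this thread (flagging questioned hashes that match a known set, and the omit find that leaves only the non-matches), shown outside FileMaker as an added example that is not part of any post above. It uses Python's built-in sqlite3 module; the `Matched` field, the function names and the sample hashes are constructed for illustration, and folding case and whitespace before comparing is an assumption about how the hash lists were exported.

```python
import sqlite3

def normalize(h):
    """Hex digests compare as text, so strip whitespace and fold case first."""
    return h.strip().lower()

def compare_hashes(questioned, known):
    """Flag each questioned hash that has a match in the known set.

    Returns (matched, unmatched) as lists of normalized hashes.
    """
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE KnownHashes (HashField TEXT PRIMARY KEY);
        CREATE TABLE QuestionedHashes (
            HashField TEXT NOT NULL,
            Matched   INTEGER NOT NULL DEFAULT 0  -- hypothetical marker field
        );
        CREATE INDEX idx_questioned ON QuestionedHashes (HashField);
    """)
    # Blank lines are skipped; duplicate known hashes are ignored.
    db.executemany("INSERT OR IGNORE INTO KnownHashes VALUES (?)",
                   [(normalize(h),) for h in known if h.strip()])
    db.executemany("INSERT INTO QuestionedHashes (HashField) VALUES (?)",
                   [(normalize(h),) for h in questioned if h.strip()])
    # Same effect as the find for * followed by Replace Field Contents.
    db.execute("""
        UPDATE QuestionedHashes SET Matched = 1
        WHERE EXISTS (SELECT 1 FROM KnownHashes k
                      WHERE k.HashField = QuestionedHashes.HashField)
    """)
    matched = [r[0] for r in db.execute(
        "SELECT HashField FROM QuestionedHashes WHERE Matched = 1 ORDER BY rowid")]
    # Same effect as the * find with Omit: records with no related known hash.
    unmatched = [r[0] for r in db.execute(
        "SELECT HashField FROM QuestionedHashes WHERE Matched = 0 ORDER BY rowid")]
    db.close()
    return matched, unmatched

# Constructed sample input: mixed case, stray whitespace and a blank entry.
KNOWN = ["D41D8CD98F00B204E9800998ECF8427E",
         "5d41402abc4b2a76b9719d911017c592\n"]
QUESTIONED = ["d41d8cd98f00b204e9800998ecf8427e",
              " 098f6bcd4621d373cade4e832627b4f6",
              "5D41402ABC4B2A76B9719D911017C592",
              ""]

if __name__ == "__main__":
    hits, misses = compare_hashes(QUESTIONED, KNOWN)
    print("matched:", hits)
    print("unmatched:", misses)
```

With a known-bad list the matched set is the suspect one; with a known-good list the unmatched set is what remains to examine.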