Home

Files can selected or skipped based on the value of their MD5 Hash.  To use this function, a file has to be selected with a list of MD5 entries. Useful files could be ones that list all standard hash values for files within an operating system.

A very useful web site for these files is

               http://www.nsrl.nist.gov/Downloads.htm#isos

On the structure of the files is an ASCII list of hash values, terminated by a CRLF - the file name is not actually relevant.  CnW software will test, and if need be sort the file before using it, it is therfore possible to append multiple files together.

To automate this procedure, the Hash Tables may be downloaded an saved for CnW use

There are two options that may be taken when a file is detected that matches a hash value within the file, it may either be copied, or skipped. By using a hash list of standard operating system files, only changed, or user files will be restored.  For a forensic investigation, this can save a consider amount of time.

It should be noted that CnW Recovery software works with MD5 hashes, rather than SHA-1. Although it could be argued that SHA-1 is more secure, for 99.999999999% of the time, it is not signficant. No known accidental clash to my knowledge has ever been detected.

MD5 Table structure

The MD5 file can be in two possible formats.  The program will analyse the data and hence select the correct format to use.  In each case, the table must be sorted with the lowest values stored at the start of the file.

• ASCII format.  In this mode the file is entirely ASCII, with each line being 32 characters, terminated by CRLF.  This is an easy format to generate from some published MD5 tables
• Binary format.  In this mode the data is straight binary, with each record being 16 (0x10) bytes long, and no record terminator.  The advantage of this record type is slightly faster running time, and a smaller file required of the hard drive.  The NSRL download function produces this style of table, which is less than 300MB in length (Jan 2011).