Search using Fuzzy hashing
This section covers:
What is Fuzzy hashing?
How to set the Fuzzy hash value
How to search using Fuzzy hash syntax
How to import and export Fuzzy hash lists
What is Fuzzy hashing?
Fuzzy hashing in Nuix Workstation uses the ssdeep program to generate a hash value of a file. You can then use this hash value to search for and identify files that are similar to the original hashed file, and indicate their similarity as a percentage.
Typically, investigators process their case evidence to generate an MD5 hash of each item. The MD5 hash is then used to verify that the item was not modified and to identify files that are exactly the same. When comparing the hash values of two files, the outcome is either a match or no match. A no-match result only indicates that the file is not an exact match; changing a single byte of the file is enough to cause this. By generating a fuzzy hash for items, you can identify items that have similar binary content. This is useful for identifying malware, and the family it may belong to, where the code has been modified so that it no longer responds to traditional signature-based anti-virus scans. You can select from the following digests to compute for your files:
SSDeep
Set the Fuzzy hash value
To set the Fuzzy hash value in the Evidence Processing settings, under Data Processing Settings in the Digest Settings group, select the SSDeep option. Once the case has finished processing, identify the Fuzzy hash of an item from the Nuix-defined Metadata list in the Metadata tab under the Preview pane.
Search using Fuzzy hash syntax
You can also use the following Fuzzy hash syntax on the search bar:
Fuzzy Hash Syntax | Action
fuzzy-hash:value | Enter a fuzzy hash value to identify an exact match.
fuzzy-hash:value;score | Enter a fuzzy hash value and a minimum threshold score to match against.
fuzzy-hash-list:name | Enter the fuzzy hash list name to identify all files that exactly match the hashes in the list.
fuzzy-hash-list:name;score | Enter the fuzzy hash list name and a minimum threshold score to match against any hash in the list.
Import and export Fuzzy hash lists
To import a Fuzzy hash list, go to Global Options and select the Fuzzy Hash Lists option.
To export a Fuzzy hash list from a group of selected items, right-click them from the Results pane and select Export, then Export Fuzzy Hash List.
Once a Fuzzy hash list has been imported or exported, you can use the filtering pane to identify similar items based on their Fuzzy hash score.
Expanding the Fuzzy Hash List filter updates the responsive count in the case and breaks the overall count down by each item's similarity score against the list, using the following thresholds:
High: For items that are 70-99 percent similar to an item in the list.
Medium: For items that are 40-69 percent similar to an item in the list.
Low: For items that are 1-39 percent similar to an item in the list.
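As an added example (not Nuix's own code), the following Python parses the search terms from the syntax table above, scores candidate items, and sorts the results into the High, Medium and Low bands the filter uses. The comparison routine is a simplified stand-in for ssdeep's comparison, and the hashes, item names and list name are constructed for the example.

```python
import re
from difflib import SequenceMatcher

BANDS = (("High", 70), ("Medium", 40), ("Low", 1))  # filter thresholds (percent)

def band_for(score):
    """Map a 0-100 similarity score to the filter band; 0 percent is not responsive."""
    return next((name for name, floor in BANDS if score >= floor), None)

def parse_query(term):
    """Parse 'fuzzy-hash:value[;score]' or 'fuzzy-hash-list:name[;score]' into
    (kind, target, min_score); min_score is None for an exact-match term."""
    m = re.fullmatch(r"(fuzzy-hash|fuzzy-hash-list):([^;]+)(?:;(\d{1,3}))?", term)
    if not m or (m.group(3) and int(m.group(3)) > 100):
        raise ValueError(f"malformed fuzzy hash term: {term!r}")
    return m.group(1), m.group(2), (int(m.group(3)) if m.group(3) else None)

def similarity(h1, h2):
    """Simplified stand-in for ssdeep's fuzzy_compare (ASSUMPTION: a difflib ratio
    replaces ssdeep's weighted edit distance). Hashes use the ssdeep layout
    'blocksize:chunk:double_chunk'; only chunks built at the same block size are compared."""
    b1, c1, d1 = h1.split(":")
    b2, c2, d2 = h2.split(":")
    at_size1 = {int(b1): c1, 2 * int(b1): d1}  # chunk keyed by its block size
    at_size2 = {int(b2): c2, 2 * int(b2): d2}
    shared = at_size1.keys() & at_size2.keys()  # empty unless sizes equal or differ by 2x
    return max((round(100 * SequenceMatcher(None, at_size1[s], at_size2[s]).ratio())
                for s in shared), default=0)

def search(term, items, lists):
    """Return [(item, score, band)] for items responsive to the term: exact hash
    equality for a bare term, otherwise the best score against the hash or the list."""
    kind, target, min_score = parse_query(term)
    targets = [target] if kind == "fuzzy-hash" else lists[target]
    hits = []
    for name, h in items.items():
        score = max(similarity(h, t) for t in targets)
        if (h in targets) if min_score is None else (score >= min_score):
            hits.append((name, score, band_for(score)))
    return hits

# Constructed sample hashes (NOT real ssdeep output): chunks chosen to land in known bands.
ITEMS = {
    "dropper_v1.exe": "3:abcdefghij:abcde",
    "dropper_v2.exe": "3:abcdefghXY:abcXY",   # 8 of 10 chunk chars shared -> 80
    "packed_copy.exe": "3:abcdQQQQQQ:abQQQ",  # 4 of 10 shared -> 40
    "notes.txt": "6:ZZZZZZZZZZ:ZZZZZ",        # block size 6, no overlap -> 0
}
LISTS = {"known_droppers": ["3:abcdefghij:abcde"]}
```

Running search("fuzzy-hash:3:abcdefghij:abcde;40", ITEMS, LISTS) returns the two droppers in the High band and the packed copy in the Medium band, while the bare list term matches only the exact hash.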