forensic-hashdb 0.2.0

File hash databases for digital forensics — NSRL/CIRCL known-good, malware known-bad, known-vulnerable Windows drivers (loldrivers), and analyst-supplied MD5/SHA1/SHA256 feeds.
Documentation

forensic-hashdb

Crates.io docs.rs Rust 1.75+ License: Apache-2.0 Sponsor

CI Coverage Security audit

Bucket any file by its hash in one lookup — known-good and safe to ignore, known-bad, or a known-vulnerable driver — whether the bytes came from a memory dump or a disk image.

A hash match is source-agnostic. forensic-hashdb is the one place the fleet answers "have I seen this hash before?" — four databases behind a &[u8; 32] (or hex) key, tuned for triage: exclude the noise, flag the threats.

Four databases

use forensic_hashdb::known_good::KnownGoodDb;
use forensic_hashdb::lol_drivers;

// Exclude the noise: NSRL/CIRCL known-legitimate files (zero false positives).
let nsrl = KnownGoodDb::open("nsrl.bin".as_ref())?;
if nsrl.is_known_good(&sha256) {
    return; // an OS/app file — skip it, don't clutter the timeline
}

// Flag a BYOVD driver by hash (embedded, no file to ship).
if lol_drivers::is_vulnerable_driver(&sha256) {
    // known-vulnerable Windows driver (loldrivers.io)
}
# Ok::<(), forensic_hashdb::known_good::KnownGoodError>(())
Database Answers Backing
known_good "legitimate OS/app file I can exclude?" — NSRL / CIRCL mmap, sorted 32-byte records, binary search (scales to full NSRL)
known_bad "known malware?" — provenance-tracked (MalwareBazaar, VirusShare, …) HashMap, full BadFileInfo on hit
lol_drivers "known-vulnerable driver (BYOVD)?" — loldrivers.io embedded at compile time, CVE-tagged
feed "in my IOC list?" — analyst-supplied MD5/SHA1/SHA256, loaded from text/CSV in-memory, per-algorithm

Analyst feeds

Load an arbitrary hash list at runtime — one hash per line, # comments, first CSV field, algorithm auto-detected by length:

use forensic_hashdb::feed::HashFeed;

let mut feed = HashFeed::new("threatfox");
feed.load_bad_from_file("iocs.csv".as_ref())?;
if let Some(m) = feed.lookup_bad(&hex_hash) {
    // m.algorithm, m.source — provenance for the report
}
# Ok::<(), forensic_hashdb::feed::FeedError>(())

Trust but verify

  • Zero false positives on known_good — exact binary search, no probabilistic structure, safe for forensic exclusion.
  • Panic-free. unsafe_code = deny (one bounded mmap site, justified); no unwrap/expect in production; bounded reads.
  • Fuzzed — the binary DB reader and the feed loader take arbitrary bytes with no panic.
  • 100% line coverage.

Used across the fleet by both the memory-triage path and the disk/scan path — one hash-lookup capability, not two.


Privacy Policy · Terms of Service · © 2026 Security Ronin Ltd