forensic-hashdb
Bucket any file by its hash in one lookup — known-good and safe to ignore, known-bad, or a known-vulnerable driver — whether the bytes came from a memory dump or a disk image.
A hash match is source-agnostic. forensic-hashdb is the one place the fleet answers "have I seen this hash before?" — four databases behind a &[u8; 32] (or hex) key, tuned for triage: exclude the noise, flag the threats.
Four databases
use KnownGoodDb;
use lol_drivers;
// Exclude the noise: NSRL/CIRCL known-legitimate files (zero false positives).
let nsrl = open?;
if nsrl.is_known_good
// Flag a BYOVD driver by hash (embedded, no file to ship).
if is_vulnerable_driver
# Ok::
| Database | Answers | Backing |
|---|---|---|
known_good |
"legitimate OS/app file I can exclude?" — NSRL / CIRCL | mmap, sorted 32-byte records, binary search (scales to full NSRL) |
known_bad |
"known malware?" — provenance-tracked (MalwareBazaar, VirusShare, …) | HashMap, full BadFileInfo on hit |
lol_drivers |
"known-vulnerable driver (BYOVD)?" — loldrivers.io | embedded at compile time, CVE-tagged |
feed |
"in my IOC list?" — analyst-supplied MD5/SHA1/SHA256, loaded from text/CSV | in-memory, per-algorithm |
Analyst feeds
Load an arbitrary hash list at runtime — one hash per line, # comments, first CSV field, algorithm auto-detected by length:
use HashFeed;
let mut feed = new;
feed.load_bad_from_file?;
if let Some = feed.lookup_bad
# Ok::
Trust but verify
- Zero false positives on
known_good— exact binary search, no probabilistic structure, safe for forensic exclusion. - Panic-free.
unsafe_code = deny(one boundedmmapsite, justified); nounwrap/expectin production; bounded reads. - Fuzzed — the binary DB reader and the feed loader take arbitrary bytes with no panic.
- 100% line coverage.
Used across the fleet by both the memory-triage path and the disk/scan path — one hash-lookup capability, not two.
Privacy Policy · Terms of Service · © 2026 Security Ronin Ltd