An MD5 hash value is a simple text string that serves as a digital 'signature' of a file. Click here for more information regarding file hash values.


There are certain use cases where you might need to search your entire case for a file hash or a collection of file hashes. Most commonly, this is done to compare the files in "Case A" to "Case B" to see if any appear in both (since de-dupe does not span multiple cases).


To begin this process, first collect the file hash(es) you want to search for. For a guide on downloading all file hashes within a case, click here. Once you have the file hash(es) you would like to search for, proceed to Step 1 of this guide.


Step 1: Navigate to the "Advanced Search" page by clicking the puzzle piece icon on the left side of the screen.


Advanced search icon on left navigation bar.



Step 2: Create a New Search by clicking the "Create New Search" button either along the top, or in the middle of your screen (both will navigate to the same screen). 


Highlighting create new search buttons.


Step 3: Select "Hash" from the criteria drop-down menu.


Highlighting "hash" in drop-down menu



Step 4: Select "IS ANY OF" from the drop-down menu. This will provide both a single search value option, along with a bulk edit option.


Highlighting "IS ANY OF" option



Step 5: Select "Bulk edit values" on the right-hand side of the search. If you need to search for a single hash value, you can select the "Add value" option instead.


Highlighting "bulk edit values" option.

Step 6: Paste your file hashes in the provided text box, one per line. For more information on downloading file hashes, click here. To run deduplication on these file hash values before conducting your search, please follow the instructions found here. After entering your file hashes, click "Save".


Bulk file hash values pasted into search box.


Step 7: Click the "Play" button to execute the search. Depending on the number of file hashes within this search, it may take a minute to load. Once the search is executed, it will display any document(s) that match the file hashes provided.


Play button highlighted in advanced search function.
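
Preparing the list that Step 6 asks for, as an added example that is not part of the original guide or the product: it assumes the exported hashes are plain text with one value per line (possibly quoted, padded or repeated) and keeps only unique, well-formed MD5 values in first-seen order. The function name and the sample input are constructed for illustration.

```python
import re

# An MD5 digest written as text is exactly 32 hexadecimal characters.
MD5_RE = re.compile(r"[0-9a-fA-F]{32}")


def prepare_hash_list(raw_text):
    """Return (hashes, rejected) for a pasted or exported hash list.

    hashes   -- unique MD5 strings in first-seen order, original case kept
    rejected -- (line_number, value) pairs for lines that are not MD5 values
    """
    seen = set()
    hashes = []
    rejected = []
    for lineno, line in enumerate(raw_text.splitlines(), start=1):
        # Drop padding and the quotes a spreadsheet export may add.
        value = line.strip().strip("\"'").strip()
        if not value:
            continue  # blank lines carry no hash
        if MD5_RE.fullmatch(value) is None:
            # Header rows, SHA-1/SHA-256 values and truncated hashes end up here.
            rejected.append((lineno, value))
            continue
        key = value.lower()  # hex digests compare case-insensitively
        if key not in seen:
            seen.add(key)
            hashes.append(value)
    return hashes, rejected


# Constructed sample input: a duplicate, a quoted upper-case value, a header
# row, a 40-character SHA-1 value and a blank line.
SAMPLE = """\
d41d8cd98f00b204e9800998ecf8427e
"9E107D9D372BB6826BD81D3542A419D6"
d41d8cd98f00b204e9800998ecf8427e
  e4d909c290d0fb1ca068ffaddf22cbd0
Hash
da39a3ee5e6b4b0d3255bfef95601890afd80709

9e107d9d372bb6826bd81d3542a419d6
"""

if __name__ == "__main__":
    hashes, rejected = prepare_hash_list(SAMPLE)
    print("\n".join(hashes))  # one per line, ready to paste
    for lineno, value in rejected:
        print(f"skipped line {lineno}: {value!r}")
```

Reviewing the skipped lines before searching shows which values in the source list would never match an MD5 hash search, such as hashes produced by a different algorithm.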