RE: [sleuthkit-users] Good vs. Bad Hashes
From: McMillon, M. <Mat...@qw...> - 2004-01-21 19:40:27
Just some random thoughts on hashes: I think managing a collection of baseline OS and application hashes would be pretty straightforward as long as you limited the scope to vendor "gold master" releases. Version skew from subsequent patches may cause some issues, but this would allow you to load the hash sets for the OS you are examining and quickly identify what is off of the baseline, which is pretty much what NSRL is designed for but with a much broader brush.

However, I am beginning to wonder how effective hash sets of "known-bad" are going to be moving into the future--I think they have shown some benefit to LEA and others investigating child porn, malware, etc., but as the perps get wise to this technique, you'll probably start seeing more things like polymorphic archives, encrypted executables, and other file types that may change based on context or just randomly when accessed. Manually modifying files with a hex editor would be a simple way to change the sums of any file--which is much more of a current reality. We've seen this somewhat in the anti-virus industry, which makes me wonder whether some sort of heuristics system may be more effective for this area.

The other big issue is categorizing the large number of hashes; I think the reference data set of NSRL is 17.9 million hashes. Manually categorizing them would not be possible--would have to look closer at the NSRL "schema" to see if an automated process could be developed once categories were determined.

Matt

-----Original Message-----
From: sle...@li... [mailto:sle...@li...] On Behalf Of Brian Carrier
Sent: Wednesday, January 21, 2004 11:15 AM
To: sle...@li...
Cc: sle...@li...
Subject: [sleuthkit-users] Good vs. Bad Hashes

Is anyone interested in looking into the best way to manage hashes? The definition of "good" versus "bad" is relative to the current investigation and I don't know the best way to handle this in The Sleuth Kit and Autopsy.

There could be a single database with categories of hashes and you choose which are good and which are bad for that investigation (similar to the new Forensic Hash Database that was announced and NSRL). Or, you could import tens of hash databases and identify them as bad or good (like hashkeeper).

I think hashkeeper is LE-only, so I would rather focus on using NSRL and custom hashes made by md5sum. If anyone is interested in working on a workable solution to this, let me know.

brian
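The first design Brian sketches (one hash store, with the good/bad decision made per investigation rather than at import time) and the caveat Matt raises (a one-byte edit defeats a known-bad lookup) can both be shown in a few dozen lines. The following is an added example written for this thread, not code from The Sleuth Kit, Autopsy, or either poster. The "baseline_os" and "case_bad" set names, the md5sum output and the paths under /mnt/image are all constructed for illustration; the only real data are the MD5 digests of a few short byte strings used to populate them.

```python
"""Per-investigation good/bad hash classification.

One store keeps digest -> names of the hash sets that contain it.  Whether a
set counts as "good" or "bad" is chosen at lookup time, per investigation,
which is the single-database-with-categories approach from the thread.
Example code for the mailing-list discussion; not part of The Sleuth Kit.
"""
import hashlib
from collections import defaultdict

# Constructed stand-in for an NSRL-style known-software set: MD5 of b"", b"abc", b"a".
BASELINE_SET = {
    "d41d8cd98f00b204e9800998ecf8427e",
    "900150983cd24fb0d6963f7d28e17f72",
    "0cc175b9c0f1b6a831c399e269772661",
}
# Constructed stand-in for a custom known-bad set built with md5sum: MD5 of b"hello".
CASE_BAD_SET = {"5d41402abc4b2a76b9719d911017c592"}

# Constructed md5sum(1) output for the image under examination (paths are hypothetical).
MD5SUM_OUTPUT = """\
d41d8cd98f00b204e9800998ecf8427e  /mnt/image/Windows/empty.dat
900150983cd24fb0d6963f7d28e17f72  /mnt/image/Program Files/app/abc.bin
5d41402abc4b2a76b9719d911017c592 */mnt/image/Users/x/hello.bin
9e107d9d372bb6826bd81d3542a419d6  /mnt/image/Users/x/notes.txt
"""


def parse_md5sum(text):
    """Parse md5sum output: '<hex32>  <path>' (text mode) or '<hex32> *<path>' (binary mode)."""
    files = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        digest, sep, path = line[:32], line[32:34], line[34:]
        if len(digest) != 32 or sep not in ("  ", " *"):
            raise ValueError("not an md5sum line: %r" % line)
        files[path] = digest.lower()
    return files


class HashDatabase:
    """Single store of digests tagged with the sets they came from."""

    def __init__(self):
        self.sets = defaultdict(set)  # digest -> {set names}

    def add_set(self, name, digests):
        for d in digests:
            self.sets[d.lower()].add(name)

    def classify(self, digest, good_sets, bad_sets):
        """Classify one digest against the sets this investigation calls good/bad."""
        members = self.sets.get(digest.lower(), set())
        in_good = bool(members & set(good_sets))
        in_bad = bool(members & set(bad_sets))
        if in_good and in_bad:
            return "conflict"      # same hash in a good and a bad set: hand to the examiner
        if in_bad:
            return "known-bad"
        if in_good:
            return "known-good"
        return "unknown"

    def classify_files(self, file_hashes, good_sets, bad_sets):
        return {p: self.classify(d, good_sets, bad_sets) for p, d in file_hashes.items()}


def build_database():
    db = HashDatabase()
    db.add_set("baseline_os", BASELINE_SET)
    db.add_set("case_bad", CASE_BAD_SET)
    return db


def triage(good_sets=("baseline_os",), bad_sets=("case_bad",)):
    """Return only the files that are off the chosen good baseline."""
    db = build_database()
    results = db.classify_files(parse_md5sum(MD5SUM_OUTPUT), good_sets, bad_sets)
    return {p: v for p, v in sorted(results.items()) if v != "known-good"}


def md5_hex(data):
    return hashlib.md5(data).hexdigest()


def evasion_by_one_byte():
    """Matt's caveat: flip one byte of a flagged file and the known-bad lookup misses it."""
    db = build_database()
    original = b"hello"
    modified = bytearray(original)
    modified[-1] ^= 0x01                       # b"hello" -> b"hellp"
    return (db.classify(md5_hex(original), (), ("case_bad",)),
            db.classify(md5_hex(bytes(modified)), (), ("case_bad",)))


if __name__ == "__main__":
    for path, verdict in triage().items():
        print("%-10s %s" % (verdict, path))
    print("one-byte edit:", evasion_by_one_byte())
```

Because set membership and the good/bad label are kept apart, the same store serves a different case by passing different set names to `triage` (or calling the baseline set "bad" when the question is "which of these files came from a particular package"), and a digest that lands in both a good and a bad set surfaces as a conflict rather than being silently resolved.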