RE: [sleuthkit-users] Good vs. Bad Hashes
From: McMillon, M. <Mat...@qw...> - 2004-01-21 22:23:11
> That still leaves the problem of organizing what is "good" though. Is
> pcAnywhere a good or bad hash? Depends on the investigation.

I suppose this is why NSRL took the approach of simply categorizing all the hashes as "known" and anything that wasn't in the DB as "unknown."

One simple way to approach this would be to have the option to import individual hashes or hash sets based on some category tree structure, and then select the option of 1) display all files that match the imported hashes, 2) display all files that don't, 3) display files whose hashes match, but file names don't, etc. Kind of an "autopsy reports, you decide" tack. <--- hoping I don't get sued by Fox News.

> There are Application types in the schema, but I'm not sure how they
> were chosen or how many there are. You can see a list here:

Seems to map somewhat to the members of the Software Business Alliance, but since NIST is a "neutral" organization I doubt there is any connection there :)
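
The category-tree import and the three display options proposed in the message above, sketched as an added example (not part of the original message and not Sleuth Kit or Autopsy code). The class and function names, the category paths, and the sample file names and contents are all hypothetical and constructed for illustration.

```python
import hashlib
from collections import defaultdict

class HashSetTree:
    """Hash sets filed under slash-separated category paths (hypothetical layout)."""

    def __init__(self):
        self._sets = defaultdict(dict)  # category path -> {md5 hex: known file name}

    def import_hash(self, category, md5_hex, name):
        self._sets[category.strip("/")][md5_hex.lower()] = name

    def select(self, *prefixes):
        """Merge every hash set at or below the chosen category nodes."""
        merged = {}
        for category, entries in self._sets.items():
            for p in (q.strip("/") for q in prefixes):
                if category == p or category.startswith(p + "/"):
                    merged.update(entries)
        return merged

def triage(files, known):
    """Split (name, md5) pairs into the three views proposed in the message."""
    report = {"match": [], "no_match": [], "name_mismatch": []}
    for name, md5_hex in files:
        expected = known.get(md5_hex.lower())
        if expected is None:
            report["no_match"].append(name)        # option 2: not in the imported sets
            continue
        report["match"].append(name)               # option 1: hash is in the sets
        if expected.lower() != name.lower():       # option 3: same content, other name
            report["name_mismatch"].append((name, expected))
    return report

def md5(data):
    return hashlib.md5(data).hexdigest()

# Constructed sample data: byte strings stand in for file contents.
TREE = HashSetTree()
TREE.import_hash("remote-access/pcanywhere", md5(b"pcanywhere-binary"), "pcanywhere_host.exe")
TREE.import_hash("os/windows", md5(b"notepad-binary"), "notepad.exe")

EVIDENCE = [
    ("notepad.exe", md5(b"notepad-binary")),
    ("svchost.exe", md5(b"pcanywhere-binary")),    # known content under another name
    ("mystery.bin", md5(b"never-imported")),
]

if __name__ == "__main__":
    print(triage(EVIDENCE, TREE.select("remote-access", "os")))
```

Whether a hit counts as "good" or "bad" is left to the examiner: it depends only on which category nodes are passed to `select` for a given investigation.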