Re: [sleuthkit-developers] First Draft - Layout Hash Database
From: Brian C. <ca...@sl...> - 2004-01-27 23:15:40
> in cooperation with David Barroso I compiled a first proposal
> for the structure of a hash database:

Great. I thought about what software I have on my systems and tried to fit it in, so there are some questions about what goes where. Could you maybe provide requirements for software to fit into each category?

> File entry:
> - sha1
> - md5
> - os
> - application
> - filename
> - filesize

It would be nice if each entry had a static size, so that we could jump around the text file of the database easily. Therefore, there would be an index that correlates an application type to an integer. I would think that doing integer comparisons would be faster than string comparisons though when looking entries up. That may be a pain to manage though.

> Application entry:
> - remote management
> - office tools

Would Adobe Acrobat Reader and calendars fit into this category?

> - database
> - desktop

What are examples of this category? Games?

> - server daemons
> - web

A general name like network may scale better. Would email tools fit in here too?

> - multimedia
> - drivers
> - development
> - sysutils
> - security

Would this include tools that are frequently called "hacker" tools too? This category could be difficult and controversial to maintain, but I don't know of a better way to do it...

> - known-bad

Should there be a known-good too? I can imagine a situation where someone hashes his /bin/, /sbin/, /usr/local/bin ... directories and doesn't want to have to identify the category of each file.

> - other

Where would child-porn fit into this? known-bad? That seems to be one of the biggest categories of hashes and may warrant its own category.

> Operating system entry:
> - Linux
> - Windows
> - BSD
> - Mac
> - MacOSX
> - Solaris
> - DOS
> - Handheld OS
> - AIX
> - HP-UX
> - Other

MacOS probably shouldn't get a separate category from OSX unless Win '98 is also separated from Win XP. The specific types in BSD should be defined (since OS X is actually a variant of BSD). The Solaris category should also include SunOS.

> Questions so far:
> Do we need a separate architecture field for a hashsum entry? This will
> require an additional search parameter later.

Probably not.

> Does anyone need a crc32 entry with the hashsum?

I don't think it is needed. It is not best practice to use CRC, so there isn't much point in including them.

> Did we miss important fields?

SHA-2 may not be a bad idea. I recall threads in the past on other lists about using SHA-2, so we may want to make a field for it (even though the public DBs don't use it yet). It can take the place of CRC32. Is the file size needed? I'm trying to think of a scenario where that would be needed.

> Did we miss important questions ;-)

This looks good. I think more requirements for each app category would be useful though.

thanks,
brian
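An added illustration of the fixed-size-record and integer-category idea raised in the reply above (example code written for this page, not Sleuth Kit code or part of the proposal; the column widths, category numbers and sample files are assumptions):

```python
"""Fixed-width record layout for the proposed hash database (illustration).
Equal-length records let a reader seek straight to record i (offset
i * RECORD_LEN) and binary-search the sha1 column without parsing the file;
categories map to small integers so lookups compare ints, not strings."""
import hashlib
import io

# Category indexes: names come from the proposal, numbers are assumed here.
APP_INDEX = {"remote management": 1, "office tools": 2, "database": 3,
             "security": 11, "known-bad": 12, "other": 13}
OS_INDEX = {"Linux": 1, "Windows": 2, "BSD": 3, "MacOSX": 5, "Other": 11}
FNAME_W = 32  # fixed filename column width (assumed)
# sha1(40) md5(32) os(3) app(3) filename(FNAME_W) filesize(10), space separated
RECORD_LEN = 40 + 1 + 32 + 1 + 3 + 1 + 3 + 1 + FNAME_W + 1 + 10 + 1  # + newline

def make_record(data, os_name, app, filename):
    """Format one fixed-width line for a file's content and metadata."""
    if len(filename) > FNAME_W:
        raise ValueError("filename exceeds fixed column width")
    line = "%s %s %03d %03d %-*s %010d\n" % (
        hashlib.sha1(data).hexdigest(), hashlib.md5(data).hexdigest(),
        OS_INDEX[os_name], APP_INDEX[app], FNAME_W, filename, len(data))
    rec = line.encode("ascii")  # non-ASCII names would break the fixed width
    assert len(rec) == RECORD_LEN, "record length drifted"
    return rec

def build_db(entries):
    """Sort records (sha1 is the leading column) so the file can be bisected."""
    return b"".join(sorted(make_record(*e) for e in entries))

def parse_record(rec):
    """Slice by fixed offsets, so filenames containing spaces parse correctly."""
    return {"sha1": rec[0:40], "md5": rec[41:73], "os": int(rec[74:77]),
            "app": int(rec[78:81]), "filename": rec[82:82 + FNAME_W].rstrip(),
            "filesize": int(rec[83 + FNAME_W:93 + FNAME_W])}

def lookup_sha1(db, sha1_hex):
    """Binary search a sorted DB (bytes or file object) by record boundary."""
    if isinstance(db, bytes):
        db = io.BytesIO(db)
    db.seek(0, io.SEEK_END)
    lo, hi = 0, db.tell() // RECORD_LEN  # record count, no parsing needed
    while lo < hi:
        mid = (lo + hi) // 2
        db.seek(mid * RECORD_LEN)  # jump straight to record `mid`
        rec = db.read(RECORD_LEN).decode("ascii")
        if rec[:40] == sha1_hex:
            return parse_record(rec)
        lo, hi = (mid + 1, hi) if rec[:40] < sha1_hex else (lo, mid)
    return None
```

The same `lookup_sha1` works on a file opened with `open(path, "rb")`, which is the point of the fixed width: lookups cost O(log n) seeks instead of a full read.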