Re: [sleuthkit-developers] First Draft - Layout Hash Database
From: Brian C. <ca...@sl...> - 2004-01-28 14:41:33
> >>> Application entry:
> So I suggest to make another table where you classify the products into
> categories etc.
> e.g.:
>
> product_code/application_code/package whatever code is appropriate
> product category
>
> So the hash table should have information relating a specific hash to
> MSword for example, and this new table tells us that msword is an office
> app. Similarly if we see a hash matching back orifice, we consult this new
> table to find that back orifice is a hacker app. This is much more
> effective than having to redo the entire nsrl.

That is a really good point. The only problem we are trying to solve is the number of application categories. We could even use all of the fields that the NSRL uses and write a program to read in the NSRL and output the NSRL with the new categories.

With regard to separating by platform and more granular OS, I think that is useful for the operating system binaries. But for applications that could be harder. Many Windows apps run on different versions. If it has to be tied to every new Windows version, then it might be a pain to maintain.

thanks,
brian
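The product-to-category side table discussed in this thread, as an added example that is not part of the original message or of The Sleuth Kit: a constructed NSRL-style hash file and product file (column layouts are assumed, rows are made up) are joined through a small category table, so a hash resolves to a category and the hash set itself never has to be rewritten; `annotate` is the "read in the NSRL and output it with the new categories" program.

```python
import csv
import io

# Constructed sample rows in the NSRLFile.txt layout (column names assumed).
NSRL_FILE = """\
"SHA-1","MD5","CRC32","FileName","FileSize","ProductCode","OpSystemCode","SpecialCode"
"AAAA0000000000000000000000000000AAAA0000","00000000000000000000000000000001","00000001","WINWORD.EXE","1048576","1","WIN",""
"BBBB0000000000000000000000000000BBBB0000","00000000000000000000000000000002","00000002","BOSERVE.EXE","122880","2","WIN",""
"""

# Constructed sample rows in the NSRLProd.txt layout (column names assumed).
NSRL_PROD = """\
"ProductCode","ProductName","ProductVersion","OpSystemCode","MfgCode","Language","ApplicationType"
"1","Microsoft Word","2003","WIN","MS","English","Word Processor"
"2","Back Orifice","2000","WIN","CDC","English","Remote Control"
"""

# The side table proposed in the thread: product code -> coarse category.
# Only this table changes when categories are revised; the hash set stays as-is.
CATEGORY = {"1": "office", "2": "hacker tool"}


def load_hash_index(text):
    """SHA-1 (lowercase) -> ProductCode, from NSRLFile-style CSV text."""
    return {r["SHA-1"].lower(): r["ProductCode"]
            for r in csv.DictReader(io.StringIO(text))}


def load_products(text):
    """ProductCode -> ProductName, from NSRLProd-style CSV text."""
    return {r["ProductCode"]: r["ProductName"]
            for r in csv.DictReader(io.StringIO(text))}


def classify(sha1, hash_index, products, category=CATEGORY):
    """Resolve a file hash to (product name, category), or None if unknown."""
    code = hash_index.get(sha1.lower())
    if code is None:
        return None
    return products.get(code, "?"), category.get(code, "uncategorized")


def annotate(text, category=CATEGORY):
    """Re-emit NSRLFile-style rows with a Category column appended."""
    out = []
    for r in csv.DictReader(io.StringIO(text)):
        r["Category"] = category.get(r["ProductCode"], "uncategorized")
        out.append(r)
    return out
```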