[sleuthkit-developers] Fwd: NSRL Categories
From: Brian C. <ca...@sl...> - 2004-01-31 02:10:30
I emailed Doug White at NIST to let him know this was being discussed. Many interesting things in here:

Begin forwarded message:

> From: dw...@ni...
> To: "Brian Carrier" <ca...@ce...>
> Subject: Re: NSRL Categories
>
> Brian - thanks a LOT for calling that to my attention.
>
> Feel free to share anything in this mail with the list - I wanted to get
> back ASAP and didn't look into signing up on the list (yet).
>
> First - I'm open to any suggestions about formalizing the application
> type fields. They are completely arbitrary, taken off the boxes that the
> software arrives in. We try not to create new types, realizing that too
> many would be useless, but they could be better defined. I look forward
> to hearing others' ideas about this.
>
> Second - we have moved over to a completely open source-based
> hashing environment in our lab and are running parallel tests. The
> DBMS is MySQL, and we plan to replicate the tables from our lab server
> to a publicly accessible server and publish the port/connection
> information.
> If we can offer ODBC access to the world (with a throttle) and web access
> like the Sun fingerprints, along with the RDS downloads, that should
> go a long way. There was some thought about a DNS-like hash lookup
> protocol, but that's been shelved. Any other thoughts are welcome!
>
> Third - since we've migrated to open source, we're building Knoppix-like
> boot CDs (one for server, one for cluster nodes) that any organization
> can use on existing computers to replicate our hashing cluster, and
> produce RDS-format hashsets. (sweet, use existing computers without
> perturbing them) So hopefully everybody and their brother will be making
> ***and SHARING*** hashsets, and nailing down the categories now, before
> we start handing out CDs would be great.
>
> Fourth - as far as "huge amounts of data" you ain't seen nothin yet.
> :-)
> We're doing hashes of 512 Byte blocks, and the rule of thumb there is
> plan to collect half the amount of the raw data: 4GB of files = 2GB of
> hashes.
> We've got 1.75TB of application files... we should start with "known
> bad".
> I mention this because I saw someone was concerned about virus
> mutations.
> What's the chance that a virus will mutate and NOT change a byte in every
> 512B block? With the block hashes, an investigator (with time and space)
> could use dcfldd to get MD5's of each block while imaging a disk and
> compare those with the NSRL block hashes, i.e. Darl.exe doesn't match
> the SHA/MD5 of any other file, but 3 of the 5 blocks match blocks from
> MyDoom... busted! (well, not THAT easy, or I'd have $250,000 now)
>
>
> Finally - we are going to have a workshop at NIST Gaithersburg on
> Tuesday June 29, "Digital Forensics Using Hashsets". We aim to bring
> digital forensic tool users, digital forensic tool vendors, and hashset
> producers together to expand user awareness, improve tool capabilities
> and guide hashset development. It would be great to get some people from
> the list at this workshop.
> Registration cost $105
> Lodging: NIST has a block of rooms available at $99/night (below per diem)
> Attendees will receive the most current NSRL hashset, lunch is provided,
> access to vendor display area. Vendors may request booth space via the
> registration form.
> We will be linking in more info on www.nsrl.nist.gov very soon.
>
> Again, thanks for dropping me a note, and I hope this brain dump
> spurs on improvements for the community. Doug
>
>> I just wanted to let you know that there is an effort going on in the
>> sleuthkit-developers list about defining some categories for hash
>> databases.
>
>
> Douglas White, National Institute of Standards and Technology
> National Software Reference Library - www.nsrl.nist.gov
> NIST, 100 Bureau Drive Stop 8970, Gaithersburg, MD 20899-8970
> Voice: 301-975-4761 Fax: 301-926-3696 Email: dou...@ni...
> My opinions aren't necessarily my employer's nor any other
> organization's.
> _.__ _.__ __.. "There is no spoon." _.__ _.__ __..
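The block-hash ("sector hash") comparison Doug describes in his fourth point, as an added example that is not part of the original thread and not NSRL's or sleuthkit's code: every 512-byte block of a file is hashed with MD5 and looked up in a known-bad block set, so a file whose whole-file hash matches nothing can still be flagged when some of its blocks match a reference sample. The reference sample, the "mutated" evidence file, the block-set builder and the names (`build_known_bad`, `match_blocks`, `summarize`) are all constructed here for illustration; real use would take the per-block hashes from an imaging tool such as the dcfldd run mentioned in the mail, and the treatment of the short final block and of all-zero blocks are stated assumptions, not NSRL's rules.

```python
"""Sector-hash matching against a known-bad block set (illustrative only).

Added example for the sleuthkit-developers NSRL thread; not NSRL or
sleuthkit code.  Block size and MD5 follow the mail; everything else
(sample data, helper names, edge-case handling) is an assumption.
"""
import hashlib
from typing import Dict, Iterable, List, Set, Tuple

BLOCK_SIZE = 512  # the 512-byte blocks the mail talks about


def block_hashes(data: bytes, block_size: int = BLOCK_SIZE) -> List[str]:
    """MD5 hex digest of each consecutive block_size slice of data.

    Assumption: a short final slice is hashed as-is.  A real hash set
    would either pad or skip it; whichever is chosen must be applied the
    same way when building the reference set and when hashing evidence.
    """
    return [hashlib.md5(data[i:i + block_size]).hexdigest()
            for i in range(0, len(data), block_size)]


def build_known_bad(samples: Iterable[bytes],
                    block_size: int = BLOCK_SIZE) -> Set[str]:
    """Build the known-bad block set from reference (malicious) samples.

    Assumption: blocks that are entirely zero are skipped, because they
    occur in practically every binary and would produce nothing but
    false positives.
    """
    known: Set[str] = set()
    for sample in samples:
        for i in range(0, len(sample), block_size):
            block = sample[i:i + block_size]
            if block.count(0) == len(block):   # all-zero block: not evidence
                continue
            known.add(hashlib.md5(block).hexdigest())
    return known


def match_blocks(data: bytes, known_bad: Set[str],
                 block_size: int = BLOCK_SIZE) -> Tuple[List[int], int]:
    """Return (indexes of blocks found in known_bad, total block count)."""
    hashes = block_hashes(data, block_size)
    hits = [i for i, h in enumerate(hashes) if h in known_bad]
    return hits, len(hashes)


def summarize(data: bytes, known_bad: Set[str]) -> Dict[str, object]:
    """Whole-file hash plus block-level hit statistics for a triage report."""
    hits, total = match_blocks(data, known_bad)
    return {
        "whole_file_md5": hashlib.md5(data).hexdigest(),
        "block_hits": hits,
        "total_blocks": total,
        "fraction": (len(hits) / total) if total else 0.0,
    }


def make_block(fill: int, size: int = BLOCK_SIZE) -> bytes:
    """Constructed test data: one block filled with a single byte value."""
    return bytes([fill]) * size


# Constructed reference sample standing in for a known-bad file: five
# blocks, one of them all zeros (so only four hashes enter the set).
KNOWN_BAD_SAMPLE = b"".join(make_block(b) for b in (0x41, 0x42, 0x00, 0x43, 0x44))
KNOWN_BAD = build_known_bad([KNOWN_BAD_SAMPLE])

# Constructed "mutated" evidence file: block 1 changed, the rest intact.
# Its whole-file MD5 no longer matches the sample, but 3 of its 5 blocks
# still do, which is exactly the situation the mail describes.
EVIDENCE_FILE = b"".join(make_block(b) for b in (0x41, 0x99, 0x00, 0x43, 0x44))

if __name__ == "__main__":
    print(summarize(EVIDENCE_FILE, KNOWN_BAD))
```

The zero-block skip and the 3-of-5 threshold are the two decisions a practitioner has to make deliberately: common blocks (zero fill, shared library code, padding) inflate hit counts, so the fraction of matching blocks is only meaningful once such blocks are excluded from the reference set.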