Re: [sleuthkit-developers] First Draft - Layout Hash Database
From: Brian C. <ca...@sl...> - 2004-01-31 05:14:01
[the list server is so slow this week. I forwarded a message this morning and it still hasn't been posted].

So, after thinking about this thread some more, there are two problems that are being addressed at the same time and I think they can be more independent and I think the merging has caused some confusion.

1. A small set of application categories for any hash database.
2. An implementation of a database that can import hashes from multiple sources.

As I mentioned before, the categories are a problem with all databases and I think it would be useful if we could publish a list with requirements for each category. From Doug's email, it sounds like NIST would be interested in such categories (assuming that they are comprehensive and make sense).

For the implementation, it seems that we need to have a clear goal for the DB. Is it for a comprehensive DB or is it just for quick good vs bad lookups? Both are needed, but can we satisfy both goals with one DB? Or, could that be an option at install time? They can choose the quick / dirty / less data version or the full version. I'm not a DB guy, so I have no clue what the answers for this are.

It has occurred to me that there should be a 'source' column in the database, so that the entry can be attributed to the NSRL, hashkeeper, custom etc. A version may also be useful. This is also useful so that you can remove the hashes from the DB at a later point.

thanks,
brian
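Added example, not part of the message above or of The Sleuth Kit's code: one way the 'source' and version columns could be laid out in SQLite, so that each hash is attributed to every source that imported it and one source can be removed later without touching the others. The table names, the 'good'/'bad' category labels, the "conflict" verdict and the sample hashes are assumptions constructed for illustration.

```python
import sqlite3

SCHEMA = """
CREATE TABLE source (
    id      INTEGER PRIMARY KEY,
    name    TEXT NOT NULL,          -- e.g. NSRL, hashkeeper, custom
    version TEXT NOT NULL,
    UNIQUE (name, version)
);
CREATE TABLE hash_entry (
    md5       TEXT NOT NULL,
    category  TEXT NOT NULL CHECK (category IN ('good', 'bad')),  -- assumed labels
    source_id INTEGER NOT NULL REFERENCES source(id) ON DELETE CASCADE,
    PRIMARY KEY (md5, source_id)    -- same hash may come from several sources
);
"""

def open_db(path=":memory:"):
    db = sqlite3.connect(path)
    db.execute("PRAGMA foreign_keys = ON")  # needed for ON DELETE CASCADE
    db.executescript(SCHEMA)
    return db

def import_hashes(db, name, version, rows):
    """Import (md5, category) rows, attributing them to one source/version."""
    with db:  # one transaction per import
        sid = db.execute("INSERT INTO source (name, version) VALUES (?, ?)",
                         (name, version)).lastrowid
        db.executemany("INSERT INTO hash_entry VALUES (?, ?, ?)",
                       [(m.lower(), c, sid) for m, c in rows])
    return sid

def lookup(db, md5):
    """Return (verdict, hits); verdict is good, bad, conflict or unknown."""
    hits = db.execute(
        "SELECT s.name, s.version, h.category FROM hash_entry h "
        "JOIN source s ON s.id = h.source_id WHERE h.md5 = ? ORDER BY s.name",
        (md5.lower(),)).fetchall()
    cats = {c for _, _, c in hits}
    verdict = "unknown" if not cats else "conflict" if len(cats) > 1 else cats.pop()
    return verdict, hits

def remove_source(db, name, version):
    """Delete one source and its hashes; return how many hash rows went away."""
    with db:
        n = db.execute(
            "SELECT COUNT(*) FROM hash_entry h JOIN source s ON s.id = h.source_id "
            "WHERE s.name = ? AND s.version = ?", (name, version)).fetchone()[0]
        db.execute("DELETE FROM source WHERE name = ? AND version = ?",
                   (name, version))
    return n
```

Keying `hash_entry` on (md5, source_id) rather than md5 alone is what keeps a removal safe: a hash also listed by another source stays in the database with that source's category.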