> From: "Simson L. Garfinkel" <simsongat_private>
> Date: Sun Jan 26, 2003 8:55:18 AM US/Eastern
> To: James.Holleyat_private
> Cc: "Simson L. Garfinkel" <slgat_private>, "Chris Reining" <creiningat_private>, forensicsat_private, "Mark G. Spencer" <mspencerat_private>, "Matt Scarborough" <vexversaat_private>
> Subject: MD5 Collection Project
>
> James,
>
> The NIST project is very good, and they do have the largest collection
> of MD5 and SHA-1 codes. The codes are sold on CDROM and can be
> imported directly into disk drive forensic tools such as EnCase and
> FTK. They are pulling the data directly from CAB files, rather than
> doing full installs. It's very efficient.
>
> My idea of the MD5 collection project was similar to this, but
> somewhat different.
>
> First, I wanted to use MD5 rather than SHA-1 because, in my testing,
> MD5 can be calculated in roughly 1/3 the time as SHA-1 and it is just
> as good unless intentional subversion is taking place (and, in fact,
> it may be just as good in the light of intentional subversion).
>
> I was interested in creating two key pieces of technology. The first
> is the website/database backend which would have both a SOAP and a
> conventional HTTP/HTML interface. The database would allow people to
> register "sets" of MD5s and then as many MD5s in that set as they
> wanted. I would probably also have a query that works over DNS, since
> DNS goes through every firewall. (side note: has anybody created an SSH
> tunnel through DNS yet?)
>
> The second piece of technology would be an agent that people could run
> on a computer; the agent would calculate the MD5 of every file on your
> system and would then compare these with the MD5s stored on the
> database. This was a direct result of my hard drive project: I'm
> looking for "confidential" files on a computer, and, for a first
> approximation, anything that has been seen before is not confidential.
>
> The agent would also allow you to create your own set and submit
> them to the database. In this way, it would be possible to get many
> more MD5s over time. Some of them could be submitted with extensive
> details; in this way, the MD5 collection project could incorporate the
> other MD5/SHA-1 databases out there at this time.
>
> I haven't gotten as far on this project as I had wanted, the result of
> school work and then the blow-up of my IEEE paper. But now I'm able to
> focus some time on this and plan to move ahead. If people are
> interested, I'd be happy to set up a sub-discussion group to look at
> issues such as database schema, database replication, code generation,
> etc.
>
> -Simson
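
The agent described in the message above, sketched as an added example; it is not part of the original e-mail and is not code from the MD5 collection project. The names `md5_file`, `scan_tree` and `known_sets`, the set name and the sample files are assumptions, and an in-memory dictionary stands in for the database lookup.

```python
import hashlib
import os
import tempfile


def md5_file(path, chunk_size=1 << 20):
    """Stream a file through MD5 so large files are never held fully in memory."""
    digest = hashlib.md5(usedforsecurity=False)  # used to identify known files only
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def scan_tree(root, known_sets):
    """Split regular files under root into (seen, unseen, unreadable).

    known_sets maps a set name to the MD5 hex digests registered in it
    (hypothetical stand-in for the database of registered sets).
    """
    index = {}  # digest -> names of every set that contains it
    for set_name, hashes in known_sets.items():
        for h in hashes:
            index.setdefault(h.lower(), set()).add(set_name)
    seen, unseen, unreadable = {}, {}, []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if os.path.islink(path) or not os.path.isfile(path):
                continue  # skip symlinks, sockets and device nodes
            try:
                h = md5_file(path)
            except OSError:
                unreadable.append(path)  # report it; an unread file is not "seen"
                continue
            if h in index:
                seen[path] = sorted(index[h])
            else:
                unseen[path] = h  # first approximation: candidate confidential file
    return seen, unseen, unreadable


def demo():
    """Run the scan over two constructed sample files in a temporary directory."""
    samples = {"vendor.bin": b"constructed vendor binary", "memo.txt": b"constructed private memo"}
    with tempfile.TemporaryDirectory() as root:
        for name, data in samples.items():
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(data)
        vendor_md5 = hashlib.md5(samples["vendor.bin"], usedforsecurity=False).hexdigest()
        seen, unseen, unreadable = scan_tree(root, {"vendor-os-set": {vendor_md5.upper()}})
        return ({os.path.basename(p): s for p, s in seen.items()},
                sorted(os.path.basename(p) for p in unseen), unreadable)
```
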