Re: Decent Win32 utility for hash set creation, organization, and manipulation?

From: Michael Rutledge (dirutmwat_private)
Date: Thu Jul 24 2003 - 06:06:48 PDT


    NIST (National Institute of Standards and Technology) has a large set of hashes
    for known "good" OS files and known "bad" contraband and rootkits.  I believe
    they are up to 1.4 GB of hashes, but it might be useful.
    
    NIST Website: http://www.nsrl.nist.gov
    
    Michael W. Rutledge
    Computer Science Graduate Student
    Computer Forensics and Information Assurance
    Mississippi State University
    mwr3at_private
    
    
    "Mark G. Spencer" wrote:
    
    > I would like to start building some decent "notable" hash sets for use in my
    > investigations, but have not found a decent Win32 utility for creating,
    > organizing, and manipulating hash sets.
    >
    > The method I've used in the past is too cumbersome for serious work, which
    > includes the manual creation of .hsh and .hke files in HashKeeper format.
    >
    > HSH file includes:
    >
    > file id
    > hashset_id
    > Filename
    > Directory
    > Hash
    > File size
    > Date modified
    > Time modified
    > Time zone
    > Comments
    > Date accessed
    > Time accessed
    >
    > HKE file includes:
    >
    > hashset id
    > name
    > vendor
    > package
    > version
    > authenticated flag
    > notable flag
    > initials
    > number of files
    > Description
    > Date loaded
    >
    > Based on the number of hashes that HashKeeper and NSRL have compiled, I'm
    > assuming they must have a better way to work with hash sets than manually
    > creating and editing these .HSH and .HKE files.
    >
    > Since I want to share my notable hash sets, I will probably make good use of
    > most (if not all) of the fields provided above so that my hashes are useful.
    >
    > Any advice is greatly appreciated!
    >
    > Mark G. Spencer
    > Computer Forensics Examiner
    > EvidentData, Inc.
    > Phone: 909.948.7714
    > Direct Fax: 508.256.0463
    > Office Fax: 909.948.4365
    > Web: http://www.evidentdata.com
    >
    > -----------------------------------------------------------------
    > This list is provided by the SecurityFocus ARIS analyzer service.
    > For more information on this free incident handling, management
    > and tracking system please see: http://aris.securityfocus.com
    
    
    
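As an added example (not code from either poster), the two field lists above turned into a small Python script: it builds a HashKeeper-style notable set from a directory (one .hke header record plus one MD5-keyed .hsh record per file, in the field order Mark listed), serialises both as CSV and looks a file up against the set. The CSV layout, the mm/dd/yyyy and UTC timestamp conventions, and the constructed sample files are assumptions; the thread does not describe the real on-disk format.

```python
import csv, hashlib, io, os, tempfile
from datetime import datetime, timezone

# Field order exactly as listed in the post; the CSV layout itself is an assumption
HSH_FIELDS = ["file_id", "hashset_id", "file_name", "directory", "hash", "file_size",
              "date_modified", "time_modified", "time_zone", "comments",
              "date_accessed", "time_accessed"]
HKE_FIELDS = ["hashset_id", "name", "vendor", "package", "version", "authenticated_flag",
              "notable_flag", "initials", "number_of_files", "description", "date_loaded"]

def md5_file(path):
    """HashKeeper-style sets are keyed on MD5; uppercase hex for easy comparison."""
    with open(path, "rb") as f:
        return hashlib.md5(f.read()).hexdigest().upper()

def build_hash_set(root, hashset_id, name, initials, notable=True):
    """Walk root; return one .hke header record plus one .hsh record per file."""
    stamp = lambda ts: datetime.fromtimestamp(ts, timezone.utc).strftime("%m/%d/%Y %H:%M:%S").split()
    hsh = []
    for dirpath, _, names in os.walk(root):
        for fname in sorted(names):
            path = os.path.join(dirpath, fname)
            st = os.stat(path)
            (dm, tm), (da, ta) = stamp(st.st_mtime), stamp(st.st_atime)
            hsh.append(dict(zip(HSH_FIELDS, [len(hsh) + 1, hashset_id, fname,
                       os.path.relpath(dirpath, root), md5_file(path), st.st_size,
                       dm, tm, "UTC", "", da, ta])))
    hke = dict(zip(HKE_FIELDS, [hashset_id, name, "", "", "", 0, int(notable), initials,
                               len(hsh), name, stamp(datetime.now().timestamp())[0]]))
    return hke, hsh

def to_csv(records, fields):
    """Serialise records in the listed field order as CSV text, header first."""
    buf = io.StringIO()
    csv.DictWriter(buf, fieldnames=fields, lineterminator="\n").writerows(records)
    return ",".join(fields) + "\n" + buf.getvalue()

def lookup(hsh, path):
    """Return the .hsh record whose MD5 matches a file on disk, else None."""
    digest = md5_file(path)
    return next((r for r in hsh if r["hash"] == digest), None)

def make_sample_tree():
    """Constructed sample files (not real evidence) so everything runs offline."""
    root = tempfile.mkdtemp()
    os.mkdir(os.path.join(root, "sub"))
    paths = {"evil.exe": os.path.join(root, "evil.exe"),
             "sub/tool.dll": os.path.join(root, "sub", "tool.dll")}
    for p, data in zip(paths.values(), (b"constructed sample", b"another sample")):
        with open(p, "wb") as f: f.write(data)
    return root, paths
```

Write `to_csv(hsh, HSH_FIELDS)` and `to_csv([hke], HKE_FIELDS)` to a .hsh and .hke file respectively to get a shareable pair; `lookup` is the triage step that flags a notable hit.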