NIST (National Institute of Standards and Technology) has a large set of hashes for known "good" OS files and known "bad" contraband and rootkits. I believe they are up to 1.4 GB of hashes, but it might be useful.

NIST Website: http://www.nsrl.nist.gov

Michael W. Rutledge
Computer Science Graduate Student
Computer Forensics and Information Assurance
Mississippi State University
mwr3at_private

"Mark G. Spencer" wrote:

> I would like to start building some decent "notable" hash sets for use in my
> investigations, but have not found a decent Win32 utility for creating,
> organizing, and manipulating hash sets.
>
> The method I've used in the past is too cumbersome for serious work, which
> includes the manual creation of .hsh and .hke files in HashKeeper format.
>
> HSH file includes:
>
> file id
> hashset_id
> Filename
> Directory
> Hash
> File size
> Date modified
> Time modified
> Time zone
> Comments
> Date accessed
> Time accessed
>
> HKE file includes:
>
> hashset id
> name
> vendor
> package
> version
> authenticated flag
> notable flag
> initials
> number of files
> Description
> Date loaded
>
> Based on the number of hashes that HashKeeper and NSRL have compiled, I'm
> assuming they must have a better way to work with hash sets than manually
> creating and editing these .HSH and .HKE files.
>
> Since I want to share my notable hash sets, I will probably make good use of
> most (if not all) of the fields provided above so that my hashes are useful.
>
> Any advice is greatly appreciated!
>
> Mark G. Spencer
> Computer Forensics Examiner
> EvidentData, Inc.
> Phone: 909.948.7714
> Direct Fax: 508.256.0463
> Office Fax: 909.948.4365
> Web: http://www.evidentdata.com
>
> -----------------------------------------------------------------
> This list is provided by the SecurityFocus ARIS analyzer service.
> For more information on this free incident handling, management
> and tracking system please see: http://aris.securityfocus.com
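
An added example, not part of either message and not HashKeeper's or NSRL's own tooling: a Python script that walks a directory and writes a .hsh/.hke pair using the fields listed in the quoted message. The CSV layout, header spellings, MD5 as the hash, the date format, the flag encoding and the function names are all assumptions.

```python
import csv, hashlib, os, time
from datetime import datetime, timezone

# Column order follows the field lists in the quoted message; the header
# spellings and CSV layout are assumptions, not a HashKeeper specification.
HSH_COLS = ["file_id", "hashset_id", "file_name", "directory", "hash",
            "file_size", "date_modified", "time_modified", "time_zone",
            "comments", "date_accessed", "time_accessed"]
HKE_COLS = ["hashset_id", "name", "vendor", "package", "version",
            "authenticated_flag", "notable_flag", "initials", "num_of_files",
            "description", "date_loaded"]

def md5_file(path, chunk=1 << 20):
    """Hash a file in chunks so large evidence files do not fill memory."""
    h = hashlib.md5()  # MD5 is assumed here; it only identifies known files
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest().upper()

def _stamp(epoch):
    t = datetime.fromtimestamp(epoch, timezone.utc)
    return t.strftime("%m/%d/%Y"), t.strftime("%H:%M:%S")

def build_hashset(root, out_base, hashset_id, name, notable=True, **meta):
    """Write out_base.hsh (one row per file) and out_base.hke (set header)."""
    rows = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()  # deterministic order gives stable file ids
        for fn in sorted(filenames):
            path = os.path.join(dirpath, fn)
            if os.path.islink(path) or not os.path.isfile(path):
                continue
            st = os.stat(path)  # taken before hashing: reading can update atime
            (dm, tm), (da, ta) = _stamp(st.st_mtime), _stamp(st.st_atime)
            rows.append([len(rows) + 1, hashset_id, fn,
                         os.path.relpath(dirpath, root), md5_file(path),
                         st.st_size, dm, tm, "UTC", "", da, ta])
    hke = [hashset_id, name, meta.get("vendor", ""), meta.get("package", ""),
           meta.get("version", ""), 0, int(notable), meta.get("initials", ""),
           len(rows), meta.get("description", ""), _stamp(time.time())[0]]
    for ext, cols, body in ((".hsh", HSH_COLS, rows), (".hke", HKE_COLS, [hke])):
        with open(out_base + ext, "w", newline="", encoding="utf-8") as f:
            w = csv.writer(f, quoting=csv.QUOTE_NONNUMERIC)
            w.writerow(cols)
            w.writerows(body)
    return rows
```

Run it against a read-only mount or a working copy of the evidence, since the access times it records reflect whatever has already touched the files.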
This archive was generated by hypermail 2b30 : Thu Jul 24 2003 - 06:16:11 PDT