Tsk Hash Lookup Module
Sleuth Kit Framework C++ Module
May 2012
This module is for the C++ Sleuth Kit Framework.
DESCRIPTION
This module is a file analysis module that looks up a file's MD5
hash value in one or more hash databases that have been indexed using the
Sleuth Kit's hfind tool. Hash databases are used to identify files that are
'known' and previously seen. Known files can be either good (such as standard
OS files) or bad (such as contraband).
DEPLOYMENT REQUIREMENTS
The module requires that at least one hash database indexed using the Sleuth
Kit's hfind tool is specified in its arguments. See the link below for instructions
on using the Sleuth Kit's hfind tool to create an NSRL database index file.
http://www.sleuthkit.org/informer/sleuthkit-informer-7.html#nsrl
USAGE
Add this module to a file analysis pipeline. See the TSK
Framework documents for information on adding the module
to the pipeline:
http://www.sleuthkit.org/sleuthkit/docs/framework-docs/
This module takes a semi-colon delimited list of arguments:
-k <path> The path of a 'known' files hash database.
-b <path> The path of a 'known bad' or 'notable' files hash database.
Multiple 'known bad' hash sets may be specified.
-s A flag directing the module to issue a pipeline stop request if
a hash set hit occurs.
RESULTS
Each hash set hit that is found is posted to the blackboard. If directed to do
so, the module will also stop the file analysis pipeline for the file when a hit
occurs.
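The following is an added example, not code from the Sleuth Kit Framework or this module. It parses the semicolon-delimited argument string described under USAGE and applies the decision logic described under RESULTS to one file's MD5: every hit is recorded (one record per matching database, standing in for a blackboard post) and a stop request is raised only when -s was given and at least one database matched. The in-memory HashDbIndex, the sample digests, and the rule that a 'notable' hit outranks a 'known' hit are assumptions of this example; the real module queries hfind-indexed database files.

```cpp
// Added example (not the module's own code): argument parsing plus the
// known / notable lookup decision for one MD5. The in-memory index stands
// in for the hfind-indexed hash databases the real module queries.
#include <algorithm>
#include <cctype>
#include <iostream>
#include <map>
#include <set>
#include <sstream>
#include <stdexcept>
#include <string>
#include <vector>

struct HashLookupConfig {
    std::string knownDb;                  // -k <path>
    std::vector<std::string> notableDbs;  // -b <path>, may be repeated
    bool stopOnHit = false;               // -s
};

static std::string trim(const std::string& s) {
    const size_t b = s.find_first_not_of(" \t");
    if (b == std::string::npos) return "";
    return s.substr(b, s.find_last_not_of(" \t") - b + 1);
}

// Parse a list such as "-k /dbs/nsrl.idx;-b /dbs/bad.idx;-s".
HashLookupConfig parseArgs(const std::string& args) {
    HashLookupConfig cfg;
    std::stringstream ss(args);
    std::string item;
    while (std::getline(ss, item, ';')) {
        item = trim(item);
        if (item.empty()) continue;
        if (item == "-s") { cfg.stopOnHit = true; continue; }
        if (item.size() < 3 || item[0] != '-')
            throw std::invalid_argument("malformed argument: " + item);
        const std::string path = trim(item.substr(2));
        if (path.empty())
            throw std::invalid_argument("missing path for " + item.substr(0, 2));
        switch (item[1]) {
            case 'k': cfg.knownDb = path; break;
            case 'b': cfg.notableDbs.push_back(path); break;
            default: throw std::invalid_argument("unknown option: " + item);
        }
    }
    // Deployment requirement: at least one indexed hash database.
    if (cfg.knownDb.empty() && cfg.notableDbs.empty())
        throw std::invalid_argument("at least one hash database (-k or -b) is required");
    return cfg;
}

enum class Verdict { Unknown, Known, Notable };

struct LookupResult {
    Verdict verdict = Verdict::Unknown;
    std::vector<std::string> hitDbs;  // one blackboard post per matching database
    bool stopRequested = false;       // pipeline stop request for this file
};

// Stand-in for hfind-indexed databases: db path -> set of lowercase MD5 digests.
using HashDbIndex = std::map<std::string, std::set<std::string>>;

static bool contains(const HashDbIndex& dbs, const std::string& db, const std::string& md5) {
    const auto it = dbs.find(db);
    return it != dbs.end() && it->second.count(md5) > 0;
}

LookupResult lookupMd5(const HashLookupConfig& cfg, const HashDbIndex& dbs, std::string md5) {
    // Normalize case so a digest reported in upper case still matches the index.
    std::transform(md5.begin(), md5.end(), md5.begin(),
                   [](unsigned char c) { return std::tolower(c); });
    LookupResult r;
    for (const auto& db : cfg.notableDbs)
        if (contains(dbs, db, md5)) { r.hitDbs.push_back(db); r.verdict = Verdict::Notable; }
    if (!cfg.knownDb.empty() && contains(dbs, cfg.knownDb, md5)) {
        r.hitDbs.push_back(cfg.knownDb);
        if (r.verdict == Verdict::Unknown) r.verdict = Verdict::Known;  // notable outranks known
    }
    r.stopRequested = cfg.stopOnHit && !r.hitDbs.empty();
    return r;
}

// Constructed sample index: the 1111... and 2222... digests are placeholders.
HashDbIndex sampleIndex() {
    return {
        {"/dbs/nsrl.idx", {"d41d8cd98f00b204e9800998ecf8427e"}},  // MD5 of an empty file
        {"/dbs/bad1.idx", {"11111111111111111111111111111111"}},
        {"/dbs/bad2.idx", {"11111111111111111111111111111111", "22222222222222222222222222222222"}},
    };
}

int main() {
    const HashLookupConfig cfg = parseArgs("-k /dbs/nsrl.idx;-b /dbs/bad1.idx;-b /dbs/bad2.idx;-s");
    const HashDbIndex dbs = sampleIndex();
    for (const std::string md5 : {"D41D8CD98F00B204E9800998ECF8427E",
                                  "11111111111111111111111111111111",
                                  "33333333333333333333333333333333"}) {
        const LookupResult r = lookupMd5(cfg, dbs, md5);
        std::cout << md5 << ": hits=" << r.hitDbs.size() << " stop=" << r.stopRequested << '\n';
    }
    return 0;
}
```

Leaving -s off the argument list keeps the same blackboard posts but never stops the pipeline for the file, which is the behaviour the TODO below wants to move into a downstream module.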
TODO:
- Make a downstream module to issue stop requests after reading results
from the blackboard. This would allow for multiple decision making criteria
and would support the ability to insert additional processing between the
look up and the decision.