Anyone using something other than Hashkeeper, or EnCase with the NSRL?
Like a simple Perl script - that is also available for sharing?
Check the External Feeds section for Computer Forensics, Malware Analysis & Digital Investigation. Lance Mueller has a script listed there that might work for you. Also, DigitalCorpora.org has a set of NSRL hashes in mysql tables (free.)
Thanks clownboy, but Lance is using EnScript unless I missed his other code, and the DB would still require a code.
Anyone using something other than Hashkeeper, or EnCase with the NSRL?
Like a simple Perl script - that is also available for sharing?
Can you be more specific, i.e., to do what?
The NSRL hashsets are nothing more than records. You can use anything from a shell script to Perl to utilize them so what is it that you want to do?
Anyone using something other than Hashkeeper, or EnCase with the NSRL?
Like a simple Perl script - that is also available for sharing?
Nothing that's for sharing … but then, these tools don't exist in a vacuum – they're parts of an environment. If you are using EnCase, you probably want something that works through an EnScript, and selects or unselects entries in the table view – a Linux tool or a .NET tool would not be of much use to you.
Anyway …
On Windows, there is the Microsoft Authenticode system that allows you to sign executables and .cab files and some other file formats digitally.
By verifying such a signature, you can verify if the file has been changed or not. And then, by accepting the signature, you can decide if the signature is trustworthy. The first part is relatively easy – there are binaries that do this job (I think the one from Microsoft is called 'ChkTrust'). The second part – deciding if you trust the signing chain or the root – is more difficult.
That is an alternative approach, and one that can be applied as long as the publisher does sign its files. I consider it stronger than standard hash databases, so I would apply this before I used NSRL or Hashkeeper hashes. It requires some knowledge of PKI, though.
Anyone using something other than Hashkeeper, or EnCase with the NSRL?
Absolutely. TSK/Autopsy work like a charm wrt NSRL.
The idea is to automate the culling of known applications from a large set of evidence.
Think - twenty machines chugging along on dozens of images each, removing irrelevant data.
If I use Enscript, I am using precious licenses.
So far TSK is the most sensible solution…
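Since the NSRL sets are just records, the culling described in this thread needs little more than a hash lookup. The following is an added example, not code from any poster: it assumes the column layout of the legacy NSRLFile.txt (quoted CSV with SHA-1 and MD5 columns), builds a constructed three-file evidence tree, and splits it into known and unknown files by SHA-1.

```python
import csv
import hashlib
import os
import tempfile

# Constructed sample in the column layout of the legacy NSRL RDS NSRLFile.txt
# (layout is an assumption; rows are hashes of the sample files made below, not real NSRL data).
SAMPLE_RDS = '''"SHA-1","MD5","CRC32","FileName","FileSize","ProductCode","OpSystemCode","SpecialCode"
"2AAE6C35C94FCFB415DBE95F408B9CE91EE846ED","5EB63BBBE01EEED093CB22BB8F5ACDC3","0D4A1185","readme.txt","11","1","189",""
"DA39A3EE5E6B4B0D3255BFEF95601890AFD80709","D41D8CD98F00B204E9800998ECF8427E","00000000","empty.dat","0","1","189",""
'''

def load_known_hashes(rds_text, column="SHA-1"):
    """Return one RDS column as a set of lower-case hex digests (NSRL stores upper-case)."""
    reader = csv.DictReader(rds_text.splitlines())
    return {row[column].strip().lower() for row in reader if row.get(column)}

def sha1_of_file(path, chunk=1 << 20):
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):  # stream, so large images are fine
            h.update(block)
    return h.hexdigest()

def cull_known(root, known):
    """Walk root; return (known_paths, unknown_paths) relative to root, both sorted."""
    known_paths, unknown_paths = [], []
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            (known_paths if sha1_of_file(full) in known else unknown_paths).append(rel)
    return sorted(known_paths), sorted(unknown_paths)

def make_evidence_dir():
    """Constructed evidence tree: two files present in SAMPLE_RDS, one that is not."""
    root = tempfile.mkdtemp(prefix="evidence_")
    os.makedirs(os.path.join(root, "Program Files", "App"))
    with open(os.path.join(root, "Program Files", "App", "readme.txt"), "wb") as f:
        f.write(b"hello world")
    open(os.path.join(root, "empty.dat"), "wb").close()
    with open(os.path.join(root, "notes.txt"), "wb") as f:
        f.write(b"user-created content, not in the hash set")
    return root

if __name__ == "__main__":
    known = load_known_hashes(SAMPLE_RDS)
    hit, miss = cull_known(make_evidence_dir(), known)
    print("cull (known):", hit, "\nreview (unknown):", miss)
```

A hit only means the file is a known published file, not that it is benign, so decide which product codes are in scope before culling on hash alone.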