Channel: Forensic Focus Forums - Recent Topics

Forensic Software: TSK / Autopsy 2.24 working with NSRL hashes.

ptyo wrote: And when going through the www.sleuthkit.org/informer/ I saw where Brian Carrier stated the list from NSRL contains all files, even say trojan horses or root kits, which shouldn't matter in what I'm currently doing, I don't think. Just curious as to whether you can go through the hashes and, say, separate so you have a hash of files like hacking tools etc.

No, not really. The NSRL files are just 'known' files, i.e. files that a user hasn't edited or modified, but there's no way to say from the data if one particular hash identifies a known-good or a known-bad file. The hashes are classified, so you can find 'hacking tools' in there, but that typically only means that everything on a CD or equivalent package was identified as such, usually from the CD sleeve or label. If there was a copy of the GNU Public License on a 'hacking tools' CD, it would also have been classified as 'hacking tool'. And if there was a Microsoft runtime redistributable package on it, it would also have been identified as a 'hacker tool' -- which obviously isn't correct. There are instructions on how to create a 'known-bad' list from the NSRL hashes on the net (in some SANS blog, I believe), but I wouldn't recommend anyone trust them without doing a careful analysis of the hashes on their own.
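As an added illustration of the point made in the reply above (example code written for this page, not from the post, TSK or Autopsy): a hash lookup over a constructed sample laid out like the legacy NSRL RDS text files (NSRLFile.txt and NSRLProd.txt, whose column headers are real; every hash, product name, code and file here is invented). It shows that ApplicationType is attached to the product, so a licence text shipped on both an editor and a 'hacker tool' disc carries both labels at once, and the only conclusion the data supports is 'known' versus 'unknown'.

```python
import csv
import io
from collections import defaultdict

# Constructed sample shaped like the legacy NSRL RDS text files
# (NSRLFile.txt / NSRLProd.txt). Every hash, product and code is invented.
LICENSE_SHA1 = "a" * 40  # a licence text (e.g. COPYING) shipped by many products
RUNTIME_SHA1 = "b" * 40  # a vendor runtime redistributable bundled on the disc
TOOL_SHA1 = "c" * 40     # the actual tool the disc was catalogued for
MD5 = "0" * 32           # MD5/CRC32 columns are irrelevant here, kept for shape

NSRL_PROD = '''"ProductCode","ProductName","ProductVersion","OpSystemCode","MfgCode","Language","ApplicationType"
"1001","Example Text Editor","1.0","189","1","English","Editor"
"2002","Example Security Toolkit CD","2010","189","2","English","Hacker Tool"
'''
NSRL_FILE = f'''"SHA-1","MD5","CRC32","FileName","FileSize","ProductCode","OpSystemCode","SpecialCode"
"{LICENSE_SHA1}","{MD5}","00000001","COPYING","18092","1001","189",""
"{LICENSE_SHA1}","{MD5}","00000001","COPYING","18092","2002","189",""
"{RUNTIME_SHA1}","{MD5}","00000002","vcredist.exe","4096","2002","189",""
"{TOOL_SHA1}","{MD5}","00000003","scanner.exe","2048","2002","189",""
'''

def load_products(prod_text):
    """ProductCode -> ApplicationType, as catalogued per product (not per file)."""
    return {r["ProductCode"]: r["ApplicationType"]
            for r in csv.DictReader(io.StringIO(prod_text))}

def build_index(file_text, products):
    """SHA-1 -> set of ApplicationTypes of every product that ships that file."""
    index = defaultdict(set)
    for r in csv.DictReader(io.StringIO(file_text)):
        index[r["SHA-1"].lower()].add(products[r["ProductCode"]])
    return index

def classify(index, sha1):
    """What the RDS actually supports saying about one hash.

    'unknown' means the file is not in the set (so it merits examination).
    'known' comes with every ApplicationType attached to it: the label
    belongs to the product, so a file shipped by several products inherits
    all of their labels, and 'Hacker Tool' alone says nothing about the file.
    """
    types = index.get(sha1.lower())
    return ("unknown", []) if not types else ("known", sorted(types))

def ambiguous_hashes(index):
    """Hashes whose product labels disagree: the ones a naive known-bad
    list built from ApplicationType would get wrong."""
    return sorted(h for h, types in index.items() if len(types) > 1)
```

Running `ambiguous_hashes` over a real RDS drop is a quick way to measure how many entries such a derived 'known-bad' list would misclassify before trusting it.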
