Comparing list of files with a hashlist


  • Comparing list of files with a hashlist

    Hey,
    I'm investigating a case in which my goal is to identify malware.
    There are two ways in which OSForensics seems to be almost-helpful but isn't:
    1. Showing what files of the image are not in the hashlist (when compared to NSRL, for example) - so I can inspect them manually and look for malicious files.
    2. Showing what files of an image *are* in the hashlist (when compared, for example, to the keyloggers hashlist) - so I can identify known malware. This feature would have been extra useful if I could incorporate OpenIOC signatures.

    This is the first time I'm using OSForensics. Is there a way to accomplish those tasks and I just haven't found it yet?

    I saw an old thread where someone asked for this feature, but the answer revolved mostly on the time-of-analysis ( http://www.passmark.com/forum/showth...e-NSRL-HASH-DB ). I don't mind if it takes longer. I want to know with a high-certainty that I found all there is to find.

    - Jonathan

  • #2
    I am not sure what you are asking for. With OSF you can identify files that match (or don't match) a list of hashes. Are you just asking for step-by-step details of how to do this?

    The other thread you referenced was talking about indexing files (for doing keyword searches).

    I am not familiar with the OpenIOC signatures, but had a look at their web site this morning. In the seven example "IOC" signatures they provide there were no file hashes. So I don't know how relevant this is to hashing. Are you wanting to do keyword searches?



    • #3
      Hi David,

      I don't know if my hash question matches Jonathan's... but yes, I would like step-by-step details on how to get OSF to identify files that match (or don't match) a hash list.

      Here's what I thought I could do: I imported the NSRL and made it active. Then I wanted to create an index (custom template) that would exclude OS files that match the hash list for that OS. This would leave me with the folder structure intact and any files that didn't match. I couldn't figure out how to create a custom template to give me that so...

      Then I thought there would be a spot in the search index to select a hash list so you could exclude things that match the hash list from your search...but I only see a way to select a word search list. When I click on the file types it only has text file extension in the drop down.

      Regards,

      Lew



      • #4
        I would like step by step details on how to get OSF to identify files that match (or don't match) a hash list.
        Here is an example. But the process depends on what your ultimate goal is. Here I am assuming you want to find files that match (or don't match) an existing list of hashes in a particular folder.

        The following assumes you already have an open case (with a disk under investigation) and a hash set loaded up.

        1. In the "Hash set" module, right click on your hash set and select "Make active" from the menu.
        2. In the "File name search" module, pick a "Start folder" and any other criteria, such as date range that interests you.
        3. Click "Search".
          You should see a list of files appear.
        4. Right click on a file in the listing and pick "Select All" from the menu. All the files should now be highlighted.
        5. Right click on a file in the listing and pick "Look up in hash set" from the menu. Then wait for the hashing process to finish. This can take a while if you are hashing thousands of files.
          You can right click and export a list of hits as a text file from this window if you want. Otherwise close the window.
        6. Back in the file listing you can now select the sorting option "In hash set" to group all the hits (and misses) in the file listing window. See the example screen shot below.


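The same "look up every file under a start folder in a hash set, then group hits and misses" step that the post above walks through in the OSForensics GUI, written out as a stand-alone script. This is an added example for this thread, not OSForensics code and not a reader of its hash set format: it assumes the hash set is a plain text list with one lowercase or uppercase hex digest (MD5 or SHA-1, as NSRL publishes) per line, and builds a small constructed directory tree so it runs offline. Hits are reported as "in hash set" and everything else as "not in hash set", which covers both of Jonathan's cases (whitelist with NSRL, blacklist with a known-bad list) depending on which list is loaded.

```python
"""Hash every file under a start folder and split the listing into
"in hash set" / "not in hash set". Added example; not OSForensics code."""
import hashlib
import os
import tempfile
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set, Tuple

CHUNK = 1024 * 1024  # hash in 1 MiB chunks so large files never load whole into RAM


def hash_file(path: str, algorithms: Iterable[str] = ("md5", "sha1", "sha256")) -> Dict[str, str]:
    """Return {algorithm: hexdigest} for one file, reading it only once."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def load_hash_set(lines: Iterable[str]) -> Set[str]:
    """Load a one-digest-per-line list (assumed format); '#' starts a comment.
    Digests are lowercased so MD5/SHA-1 case differences between lists do not matter."""
    out: Set[str] = set()
    for line in lines:
        line = line.split("#", 1)[0].strip().lower()
        if line:
            out.add(line)
    return out


@dataclass
class Result:
    path: str
    digests: Dict[str, str]
    in_hash_set: bool


def lookup_tree(start_folder: str, hash_set: Set[str]) -> List[Result]:
    """Walk start_folder, hash every regular file and mark it as a hit if any of
    its digests is in hash_set (so mixed MD5/SHA-1 lists work). Symlinks are
    skipped so a link pointing outside the mounted image is never followed.
    Output is sorted hits first, then misses, like the "In hash set" sort column."""
    results: List[Result] = []
    for root, _dirs, files in os.walk(start_folder):
        for name in files:
            path = os.path.join(root, name)
            if os.path.islink(path) or not os.path.isfile(path):
                continue
            digests = hash_file(path)
            hit = any(d in hash_set for d in digests.values())
            results.append(Result(path, digests, hit))
    results.sort(key=lambda r: (not r.in_hash_set, r.path))
    return results


def demo() -> Tuple[List[str], List[str]]:
    """Constructed sample tree: three files, a hash list that knows two of them.
    Returns (hits, misses) as forward-slash relative paths."""
    with tempfile.TemporaryDirectory() as tree:
        samples = {
            "Windows/System32/known.dll": b"known good content",  # listed by MD5
            "Users/x/keylog.exe": b"known bad content",           # listed by SHA-1
            "Users/x/odd.exe": b"never seen before",              # not listed at all
        }
        for rel, data in samples.items():
            full = os.path.join(tree, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as fh:
                fh.write(data)
        hash_list = [  # constructed hash list, not a real NSRL or keylogger set
            "# one digest per line, MD5 or SHA-1, any case",
            hashlib.md5(samples["Windows/System32/known.dll"]).hexdigest().upper(),
            hashlib.sha1(samples["Users/x/keylog.exe"]).hexdigest(),
        ]
        results = lookup_tree(tree, load_hash_set(hash_list))

        def rel(p: str) -> str:
            return os.path.relpath(p, tree).replace(os.sep, "/")

        hits = [rel(r.path) for r in results if r.in_hash_set]
        misses = [rel(r.path) for r in results if not r.in_hash_set]
        return hits, misses


if __name__ == "__main__":
    hits, misses = demo()
    print("In hash set:    ", hits)
    print("Not in hash set:", misses)
```

Point the walk at the mount point of the image and the loaded list at an NSRL export to get the "files not in the hashlist" view, or at a known-bad list to get the "files that are in the hashlist" view; a system file whose content has been altered hashes differently from the NSRL entry and therefore lands in the misses, which is exactly what a whitelist comparison is meant to surface.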