Re: Eternal 'good file hashes' list

On Wed, Oct 21, 2009 at 12:00:23AM +0200, nodata wrote:
> Am 2009-10-20 23:48, schrieb Till Maas:

>> Having a hash list of well known files might also help in forensic
>> analysis to find suspicious files. Also with determining the correct RPM
>> NVR one could use the repo metadata to check whether there are known
>> vulnerabilities for certain files or just to detect that the file is not
>> from an up-to-date RPM.

> How is this check going to be done?

The hash for each file on a filesystem is computed and then compared
with the list.

> Is the filesystem going to be mounted in a known clean environment? If
> not, what's the point?

Filesystems can also be accessed without actually mounting them. But a
clean environment should of course be used.

> If yes, how do you know the filesystem hasn't been returned to a clean
> state?

The process of forensic analysis is more complex than just running one
single command. Nevertheless, getting a list of suspicious files can lead
to finding the information one is interested in. And if all files match the
hash of a well known file, then this information can also be used to
decide to investigate using other methods.
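As an added illustration of the check described in this message (not code from the thread or from any Fedora tool), the following script hashes every regular file under a directory and compares the results with a known-good list. The list format (SHA-256 digest and original path per package NVR), the package names and the sample files are all constructed for this example; a real list would be generated from repository metadata and the tree would be an unmounted or read-only image examined from a clean host.

```python
"""Compare the files in a directory tree against a known-good hash list.

Added example, not from the original thread. The hash list layout
(digest -> (package NVR, path) plus a path -> digest index) is an
assumption made here; real data would come from RPM repository metadata.
"""
import hashlib
import os
import tempfile
from pathlib import Path


def sha256_file(path, chunk_size=1 << 16):
    """Stream a file through SHA-256 so large files never need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_known_list(entries):
    """Build the lookup tables from (nvr, relative_path, content) tuples.

    Constructed stand-in for repository metadata: in practice the digests
    would be read from the repo, not computed from file contents here.
    """
    by_digest, by_path = {}, {}
    for nvr, rel_path, content in entries:
        digest = hashlib.sha256(content).hexdigest()
        by_digest[digest] = (nvr, rel_path)
        by_path[rel_path] = digest
    return {"by_digest": by_digest, "by_path": by_path}


def scan_tree(root, known):
    """Hash every regular file under root and classify it.

    known    - hash matches a file in the list (from a known package)
    modified - path is in the list but the content differs
    unknown  - neither the hash nor the path is in the list
    Symlinks are skipped so the scan never leaves the tree being examined.
    """
    root = Path(root)
    result = {"known": [], "modified": [], "unknown": []}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = Path(dirpath) / name
            if full.is_symlink() or not full.is_file():
                continue
            rel_path = full.relative_to(root).as_posix()
            digest = sha256_file(full)
            if digest in known["by_digest"]:
                result["known"].append(rel_path)
            elif rel_path in known["by_path"]:
                result["modified"].append(rel_path)
            else:
                result["unknown"].append(rel_path)
    for key in result:
        result[key].sort()
    return result


def demo():
    """Build a small constructed tree, scan it, and return the classification."""
    # Constructed package NVRs and file contents; not real packages.
    entries = [
        ("examplepkg-1.0-1", "bin/example", b"example binary contents\n"),
        ("otherpkg-2.0-1", "bin/other", b"other binary contents\n"),
    ]
    known = build_known_list(entries)
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "bin" / "example").write_bytes(b"example binary contents\n")  # untouched
        (root / "bin" / "other").write_bytes(b"other binary tampered\n")      # content differs
        (root / "bin" / "extra").write_bytes(b"not shipped by any package\n")  # not in list
        return scan_tree(root, known)


if __name__ == "__main__":
    for category, files in demo().items():
        print(category, files)
```

Files reported as modified or unknown are the candidates for closer inspection; a tree in which every file lands in the known category tells the analyst that this method has nothing more to offer and other techniques are needed, as the message above notes.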
