Comments on Windows Incident Response: Rootkit detection, the MS way
(2 comments, shown in the order they were posted)

Anonymous (https://www.blogger.com/profile/13441809988487585009), 2005-02-16 16:37 -05:00:

I haven't checked out the papers yet, but it would seem to me a pretty useful tool would be something that does a hash value on each file and excludes it by comparing it to a set of known hash values. If the hash doesn't match a file that also shows up in a dir /s /a, wouldn't that be an easy way of picking out these files that are renamed? Maybe I'm totally off base, but we use that in the forensic community as a way of eliminating known good files.

H. Carvey (https://www.blogger.com/profile/08966595734678290320), 2005-02-17 05:55 -05:00:

Excellent idea, and I do think that the Ghostbuster paper mentions hashes at one point...I'll have to go back and check.

Data reduction is always good...if you can winnow down the data, you're more likely to focus on the important things.

However, given Windows 2000, XP (Home and Pro), and Windows 2003, with all of the various Service Packs and Hotfixes for each, I wonder if something like that may fit on a CD. If not, perhaps the CD would need to be able to "phone home" in some manner.

One thing that is evident, though...while hashes are a good idea for data reduction, they're also used to solve a problem that isn't something that's specifically addressed by the Ghostbuster paper. The issue raised in the Ghostbuster paper is that of files hidden by API hooking (or other mechanisms employed by rootkits). Data reduction is inherent to the method used by Ghostbuster. Much like tools written for *nix, Ghostbuster does one thing, and does it well. I think Windows users are probably too used to "feature creep", where a great deal of additional functionality is added to a simple tool.

Besides, if you hash a file, rather than simply pull its name and last access time from a directory listing, you inherently alter the last access time of that file. The initial description of the tool in the Ghostbuster paper inherently preserves that information.

It's definitely something to consider...

Again, thanks for the excellent comments.
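The two comments above describe two different checks: the hash-based data reduction the first commenter proposes (hash every file a dir /s /a would list, drop anything whose hash is in a known-good set, keep the rest for review) and the cross-view comparison the Ghostbuster paper is about (a name present in a low-level listing but absent from the API listing is being hidden), together with Carvey's caveat that hashing a file disturbs its last access time. The script below is an added example, not code from the blog, from either commenter or from the Ghostbuster tool. The directory tree, file contents, the known-good hash set and the file name hidden_driver.sys are all constructed for the demo; cross_view_diff only diffs two listings handed to it and does not itself obtain the low-level view, which is the hard part the paper covers.

```python
"""Hash-based data reduction over a directory walk, with the last-access-time caveat handled.

Added example, not code from the blog or from the Ghostbuster paper. All paths,
file contents and the known-good hash set below are constructed for the demo.
"""
import hashlib
import os
import tempfile
from pathlib import Path


def sha256_preserving_atime(path):
    """Hash a file, then put its access/modification timestamps back the way they were.

    Opening the file for reading can bump the last-access time, which is exactly
    the artifact a plain directory listing would have left alone.
    """
    st = path.stat()                       # capture timestamps before the open
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    os.utime(path, ns=(st.st_atime_ns, st.st_mtime_ns))   # restore them
    return h.hexdigest()


def reduce_listing(root, known_good):
    """Scripted equivalent of 'dir /s /a' plus hashing.

    Returns (relative path, sha256) for every file whose hash is NOT in the
    known-good set; everything that matches is dropped from further review.
    """
    unknown = []
    for p in sorted(root.rglob("*")):
        if not p.is_file():
            continue
        digest = sha256_preserving_atime(p)
        if digest not in known_good:
            unknown.append((p.relative_to(root).as_posix(), digest))
    return unknown


def cross_view_diff(api_view, raw_view):
    """Ghostbuster-style cross-view check on two listings of the same directory.

    Names present in the low-level view but missing from the API view are the
    ones something is hiding. This function only diffs the listings; obtaining a
    genuinely low-level view (offline, or below the hooked API) is not done here.
    """
    return sorted(set(raw_view) - set(api_view))


def demo():
    """Build a constructed tree, flag the file with an unknown hash, check the atime round-trip."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "WINDOWS"
        (root / "system32").mkdir(parents=True)
        good_bytes = b"constructed stand-in for a known-good system binary"
        (root / "system32" / "kernel32.dll").write_bytes(good_bytes)
        # Same name as a legitimate binary, different bytes: the 'renamed file' case.
        (root / "system32" / "svchost.exe").write_bytes(b"constructed unknown content")
        known_good = {hashlib.sha256(good_bytes).hexdigest()}   # stand-in for a reference hash set

        probe = root / "system32" / "kernel32.dll"
        before = probe.stat().st_atime_ns
        unknown = reduce_listing(root, known_good)
        after = probe.stat().st_atime_ns

        return {
            "unknown": unknown,                     # only svchost.exe should survive reduction
            "atime_preserved": before == after,     # hashing must not have moved the atime
            "hidden": cross_view_diff(
                api_view=["system32/kernel32.dll", "system32/svchost.exe"],
                raw_view=["system32/kernel32.dll", "system32/svchost.exe",
                          "system32/hidden_driver.sys"],   # constructed name for the demo
            ),
        }


if __name__ == "__main__":
    result = demo()
    for path, digest in result["unknown"]:
        print(f"unknown hash: {path} {digest}")
    print("atime preserved:", result["atime_preserved"])
    print("hidden from API view:", result["hidden"])
```

The two checks are deliberately kept separate, in the spirit of Carvey's "does one thing, and does it well" remark: reduce_listing answers "which files do I not already know", cross_view_diff answers "which files is the system lying to me about", and a file can fail either test independently. Restoring the timestamps with os.utime is a cheap way around the last-access-time objection, though on an evidence drive the right answer is still to hash from a read-only or offline copy rather than the live volume.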