HashDig Mechanics


Summary

This exercise directs the student to perform hash resolution using the HashDig tool suite. The student will create an RPM reference database and a subject database, then resolve the subject hashes using the reference database. Finally, the resolved hashes will be bound back to the original filenames.


Requirements


Resources


Tasks

  1. Read the HashDig document and answer the following questions:

    1. What is HashDig?

    2. List the steps in the hash resolution workflow.

    3. Why is it important that hashdig-harvest.pl and hashdig-bind.pl support many formats?

    4. In your own words define the term 'subject database'.

    5. In your own words define the term 'reference database'.

  2. Use the rpm command to dump the file information for all of the RPMs installed on your system, redirect the output into the file rpm.raw, then answer the questions below.

    1. What is the effect of combining the '-q' and '-a' options for the rpm command?

    2. What is the purpose of the '--dump' option for the rpm command?

    3. What is the command used to accomplish this task?

    4. Using the wc command, how many files are listed in rpm.raw and show the command used?

    5. Which field in rpm.raw contains the MD5 hash?

    6. Which field in rpm.raw contains the filename?

  3. Use hashdig-harvest.pl to harvest the hashes from rpm.raw and produce rpm.hd, then answer the questions below.

    1. What is the default category if one is not specified?

    2. When would you use the unknown (U) category?

    3. When would you use the known (K) category?

    4. Are the hashes from the RPMs considered known or unknown? Why?

    5. For the hashdig-harvest.pl tool, what is the type of data contained in rpm.raw?

    6. What are the other data types supported by the hashdig-harvest.pl tool?

    7. What is the command used to accomplish this task?

    8. What is the field delimiter used in rpm.hd?

    9. How many fields are there in rpm.hd?

    10. How many files are listed in rpm.hd?

    11. Why doesn't the number of files listed in rpm.hd match the number of files listed in rpm.raw?

  4. Use hashdig-make.pl to take the hashes from rpm.hd and create the hashdig database rpm.db, then answer the questions below.

    1. What is the purpose of the '-F' option and when is it generally used?

    2. What is the purpose of the '-i' option and when is it generally used?

    3. What is the command used to accomplish this task?

    4. How many records were accepted, rejected, inserted, and updated?

  5. Run the file command on the rpm files as shown below, then answer the questions following.

    file rpm.??
    
    1. What is the file type of rpm.db?

    2. What is the file type of rpm.hd?

    3. What is the purpose of the hashdig file format (rpm.hd)?

  6. Create the subject database for subject.img.gz, then answer the questions below. To accomplish this task, download subject.img.gz, place it in the /tmp/hd directory, unpack it, and mount it read-only on the loopback device using /SUBJECT as the mount point. Map it using ftimes, and show the command and the config file used. Extract the hashes using hashdig-harvest.pl, and create a HashDig database using hashdig-make.pl. Produce the following files:

    subject.map
    subject.hd
    subject.db
    
    1. What were the commands used to accomplish this task?

    2. How many complete records does ftimes identify?

    3. How many hashes are accepted by hashdig-make.pl?

  7. Use hashdig-stat.pl to summarize the databases listed below, then answer the following questions.

    subject.db
    subject.hd
    rpm.db
    rpm.hd
    
    1. What information does hashdig-stat.pl provide?

    2. What is the type used to process hashdig files?

    3. What is the type used to process hashdig databases?

    4. What is the command used to process the hashdig files?

    5. Complete the table below, filling in the appropriate counts from the hashdig-stat.pl command.

       KCount    UCount    ICount    ACount    Filename
       _______   _______   _______   _______   subject.hd
       _______   _______   _______   _______   rpm.hd
       _______   _______   _______   _______   totals

    6. What is the command used to process the hashdig databases?

    7. Complete the table below, filling in the appropriate counts from the hashdig-stat.pl command.

       KCount    UCount    ICount    ACount    Filename
       _______   _______   _______   _______   subject.db
       _______   _______   _______   _______   rpm.db
       _______   _______   _______   _______   totals

  8. Use hashdig-bash.pl to resolve the hashes, using rpm.db as the reference database and subject.db as the subject database. Copy subject.db to subject.db.orig first, as shown in the command below, then answer the following questions.

    cp subject.db subject.db.orig
    
    1. How many hashes does hashdig-bash.pl tag?

    2. The '-i' option in hashdig-bash.pl specifies either the subject or reference database as the iterator during analysis. Why would you want to use the smaller database as the iterator?

  9. Use hashdig-dump.pl and hashdig-bind.pl to bind the resolved hashes to the filenames listed in subject.map.

    1. What is the purpose of hashdig-dump.pl?

    2. Since hashdig-make.pl takes a hashdig file as input and outputs a hashdig database, what does hashdig-dump.pl take as input and what does it output?

    3. What type should be used to bind resolved hashes back to the subject.db file?

    4. What is the command used to bind resolved hashes back to the subject.map file?

    5. What are "bound" files?

    6. How many total files are there?

    7. How many directories are there?

    8. How many indeterminate files are there?

    9. How many symbolic link files are there?

    10. How many special files are there?

    11. How many files are categorized as known?

    12. How many files are categorized as unknown?

    13. What are the fields in a "bound" file?

  10. Compare the HashDig resolution system with another real-world forensic resolution system.

  11. Clean up your work area by executing the commands below.

    cd /tmp
    umount /SUBJECT
    rm -rf /tmp/hd /SUBJECT
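
    As an added illustration of the data flow in tasks 2 through 9 (not part of HashDig or of this exercise), the script below mimics harvest, make, resolve and bind with awk on constructed input. The pipe-delimited hash|category layout, the three-field subject map and the category|hash|name bound layout are this example's own assumptions, not the HashDig or ftimes formats.

```shell
#!/bin/bash
# Added example, not part of the HashDig suite: a miniature hash-resolution
# workflow (reference set -> subject set -> resolve -> bind) built from awk.
set -eu
work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT
# Constructed rpm.raw in the `rpm -qa --dump` record layout:
#   path size mtime digest mode owner group isconfig isdoc rdev symlink
# rpm reports an all-zero digest for directories and symbolic links.
cat >"$work/rpm.raw" <<'EOF'
/bin 4096 1560000000 00000000000000000000000000000000 040755 root root 0 0 0 X
/bin/ls 118280 1560000000 4f6d3b6a8a4cbbb3f1a7a5d6c2e1b0a9 0100755 root root 0 0 0 X
/bin/cat 35064 1560000000 9b1c2d3e4f5a6b7c8d9e0f1a2b3c4d5e 0100755 root root 0 0 0 X
/usr/share/doc/README 1024 1560000000 aaaabbbbccccddddeeeeffff00001111 0100644 root root 0 1 0 X
EOF
# Constructed, simplified subject map (a real ftimes map carries more fields).
cat >"$work/subject.map" <<'EOF'
name|size|md5
/SUBJECT/bin/ls|118280|4f6d3b6a8a4cbbb3f1a7a5d6c2e1b0a9
/SUBJECT/bin/cat|35064|9B1C2D3E4F5A6B7C8D9E0F1A2B3C4D5E
/SUBJECT/tmp/.x|2048|deadbeefdeadbeefdeadbeefdeadbeef
EOF
# Harvest rpm.raw -> hash|K, dropping zero digests and duplicate hashes.
# (hash|category is this example's layout, assumed to resemble a hashdig file.)
harvest_rpm() {
  awk '$4 !~ /^0+$/ { print tolower($4) "|K" }' "$1" | sort -u
}
# Harvest a subject map -> hash|U: every subject hash is unknown until resolved.
harvest_map() {
  awk -F'|' 'NR > 1 { print tolower($3) "|U" }' "$1" | sort -u
}
# Resolve: a subject hash becomes K when the reference set contains it.
resolve() {  # resolve REFERENCE.hd SUBJECT.hd
  awk -F'|' 'NR == FNR { ref[$1] = 1; next }
             { print $1 "|" (($1 in ref) ? "K" : "U") }' "$1" "$2"
}
# Bind: carry each resolved category back to the filenames in the map.
bind_map() {  # bind_map RESOLVED.hd SUBJECT.map -> category|hash|name
  awk -F'|' 'NR == FNR { cat[$1] = $2; next }
             FNR > 1 { h = tolower($3); print cat[h] "|" h "|" $1 }' "$1" "$2"
}
harvest_rpm "$work/rpm.raw" >"$work/rpm.hd"
harvest_map "$work/subject.map" >"$work/subject.hd"
resolve "$work/rpm.hd" "$work/subject.hd" >"$work/subject.resolved"
bind_map "$work/subject.resolved" "$work/subject.map"
```

    The directory row is dropped at harvest time, which is why the harvested set has fewer entries than rpm.raw has records, and the upper-case hash in the map still resolves because both sides are lower-cased before comparison.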
    


Challenges

  1. Download all of the root kits available from http://packetstormsecurity.com/, create a "known bad" reference database and use that database to resolve the subject hashes.


Hints

  1. You can see the man page documentation for the HashDig tools by typing perldoc followed by the command name. For example:

    perldoc hashdig-bind.pl
    

  2. You can find out all of the configure options using the command below:

    ./configure --help
    


Warnings

  1. It can take several minutes to execute hashdig-make.pl on slower machines or with larger data sets.