
hashR analyzer

Open jkppr opened this issue 2 years ago • 0 comments

This PR contains a new analyzer, hashr_lookup, that allows collecting sha256 values in timelines and querying them against the upcoming hashR project database.

hashR TL;DR: hashR is a tool that processes image files and extracts file hashes from them. These hashes are stored in a postgres database that can then be queried for "known hashes" and for the images in which they were found.

  • What new feature is being introduced with this PR?
    • The hashr_lookup analyzer collects sha256 hashes from a given timeline and checks them against the hashR database. If there is a hit, the event can be tagged or given an attribute:
      • Tag with hashR to indicate that this is a known hash from the processed images.
      • Tag with zerobyte file if the hash is equal to the hash of a file with zero bytes.
      • Optionally: Add an attribute to the event that contains information about which images this hash has been seen in.
  • Overview of changes to existing functions if required.
    • Small extension to the timesketch.conf file adding the database settings for the hashR database.

Checks

  • [X] All tests succeed.
  • [X] Unit tests added.
  • [ ] Documentation updated.

jkppr, Jul 29 '22 14:07
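The lookup flow the PR describes (collect sha256 values from events, batch-query a known-hash store, tag hits as hashR, tag the empty-file hash as zerobyte file, optionally record the source images) as an added, stand-alone illustration. This is example code, not the PR's analyzer and not Timesketch's analyzer API. It assumes: an in-memory SQLite table stands in for the hashR postgres database (so it runs offline), the event field carrying the hash is called `sha256_hash`, the attribute written on a hit is called `hashR_sources`, and the sample rows and events are constructed here.

```python
import hashlib
import re
import sqlite3

# SHA-256 of an empty input; an event carrying this hash is an empty file.
ZERO_BYTE_SHA256 = hashlib.sha256(b"").hexdigest()
HEX64 = re.compile(r"^[0-9a-f]{64}$")

# Tag names follow the PR description; the attribute name is assumed.
TAG_KNOWN = "hashR"
TAG_ZEROBYTE = "zerobyte file"
ATTR_SOURCES = "hashR_sources"  # assumption: not the PR's attribute name


def build_hashr_stub(rows):
    """Stand-in for the hashR postgres database: (sha256, image) rows in SQLite."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE samples (sha256 TEXT NOT NULL, image TEXT NOT NULL)")
    conn.executemany("INSERT INTO samples (sha256, image) VALUES (?, ?)", rows)
    conn.commit()
    return conn


def normalize_sha256(value):
    """Lower-case and validate a hash string; return None for anything that is not 64 hex chars."""
    if not isinstance(value, str):
        return None
    value = value.strip().lower()
    return value if HEX64.match(value) else None


def lookup_known_hashes(conn, hashes, chunk_size=500):
    """Batch-query the store. Returns {sha256: [image, ...]} for hashes that are present."""
    found = {}
    unique = sorted(set(hashes))
    for start in range(0, len(unique), chunk_size):
        chunk = unique[start:start + chunk_size]
        # Only the placeholder list is built by string formatting; the hash
        # values themselves are bound as parameters, never interpolated.
        placeholders = ",".join("?" * len(chunk))
        query = f"SELECT sha256, image FROM samples WHERE sha256 IN ({placeholders})"
        for sha256, image in conn.execute(query, chunk):
            found.setdefault(sha256, []).append(image)
    return found


def analyze_events(events, conn, add_image_attribute=True):
    """Decide tags/attributes per event. Returns [(event_id, tags, attributes), ...]
    for events that got at least one tag; events without a usable hash are skipped."""
    hash_by_event = {}
    for event in events:
        sha256 = normalize_sha256(event.get("sha256_hash"))  # assumed field name
        if sha256:
            hash_by_event[event["id"]] = sha256

    known = lookup_known_hashes(conn, hash_by_event.values())

    decisions = []
    for event_id, sha256 in hash_by_event.items():
        tags, attributes = [], {}
        if sha256 == ZERO_BYTE_SHA256:
            tags.append(TAG_ZEROBYTE)
        if sha256 in known:
            tags.append(TAG_KNOWN)
            if add_image_attribute:
                attributes[ATTR_SOURCES] = sorted(known[sha256])
        if tags:
            decisions.append((event_id, tags, attributes))
    return decisions


# Constructed sample data: a hash seen in two images, plus the empty-file hash.
KNOWN_HASH = hashlib.sha256(b"MZ\x90\x00").hexdigest()
SAMPLE_HASHR_ROWS = [
    (KNOWN_HASH, "image-a.raw"),
    (KNOWN_HASH, "image-b.raw"),
    (ZERO_BYTE_SHA256, "image-a.raw"),
]
SAMPLE_EVENTS = [
    {"id": "e1", "sha256_hash": KNOWN_HASH},
    {"id": "e2", "sha256_hash": ZERO_BYTE_SHA256},
    {"id": "e3", "sha256_hash": hashlib.sha256(b"never seen").hexdigest()},
    {"id": "e4", "sha256_hash": "not-a-hash"},   # malformed value, skipped
    {"id": "e5"},                                # no hash field, skipped
    {"id": "e6", "sha256_hash": KNOWN_HASH.upper()},  # upper-case, normalized
]


def run_example():
    conn = build_hashr_stub(SAMPLE_HASHR_ROWS)
    return analyze_events(SAMPLE_EVENTS, conn)


if __name__ == "__main__":
    for event_id, tags, attributes in run_example():
        print(event_id, tags, attributes)
```

The two choices worth carrying into a real analyzer are the normalization step (hashes arrive in mixed case and sometimes malformed, and a query on the raw value silently misses) and the batched parameterized `IN` query, which keeps one round trip per few hundred hashes instead of one per event and keeps the hash values out of the SQL text.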