
hashlookup-forensic-analyser version 1.0 released

@adulau adulau released this 07 May 15:58
v1.0
408d7cc

A new version of the hashlookup-forensic-analyser has been released, including a new --live-linux option that checks the processes running on a Linux machine against the hashlookup service to determine whether their binaries are known or unknown.

This version 1.0 is considered stable following the feedback received from the different users. Don't hesitate to provide feedback or ideas by opening issues.

New --live-linux option

python3 hashlookup-analyser.py --cache --print-unknown --live-linux. The option reads the /proc directory to enumerate all running processes; because the exe entry in each process directory refers to the actual executed file, you can quickly find the known/unknown files among the running processes.
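The mechanism described above, as an added example that is not the project's own code: walk /proc, hash each PID's exe in chunks with SHA-1 (the lookup key the release notes settle on), and split the processes into known and unknown through a lookup callable. The HASHLOOKUP_URL value and the 200/404 answer shape of hashlookup_knows are assumptions about the public service, not taken from this page.

```python
import hashlib
import os
import urllib.error
import urllib.request

# Assumed URL of the public hashlookup service; point it at your own instance.
HASHLOOKUP_URL = "https://hashlookup.circl.lu/lookup/sha1/"

def sha1_chunks(chunks):
    """SHA-1 over an iterable of byte chunks (a lookup key, not a security control)."""
    h = hashlib.sha1()
    for chunk in chunks:
        h.update(chunk)
    return h.hexdigest()

def sha1_file(path, chunk_size=1 << 20):
    # /proc/<pid>/exe links to the binary that was executed, so this hashes what is
    # actually running, even if the on-disk copy was since replaced or deleted.
    try:
        with open(path, "rb") as f:
            return sha1_chunks(iter(lambda: f.read(chunk_size), b""))
    except OSError:  # kernel threads have no exe; other users' processes need root
        return None

def hash_live_processes(proc_root="/proc"):
    hashes = {}  # pid -> SHA-1 of /proc/<pid>/exe, for every numeric entry
    for name in os.listdir(proc_root) if os.path.isdir(proc_root) else []:
        digest = sha1_file(os.path.join(proc_root, name, "exe")) if name.isdigit() else None
        if digest is not None:
            hashes[int(name)] = digest
    return hashes

def classify(hashes, is_known):
    """Split PIDs into known/unknown, asking the lookup once per distinct digest."""
    result, verdict = {"known": {}, "unknown": {}}, {}
    for pid, digest in sorted(hashes.items()):
        if digest not in verdict:
            verdict[digest] = is_known(digest)
        result["known" if verdict[digest] else "unknown"][pid] = digest
    return result

def hashlookup_knows(digest):
    """Assumed API shape: HTTP 200 for a known SHA-1, 404 for an unknown one."""
    try:
        with urllib.request.urlopen(HASHLOOKUP_URL + digest, timeout=10) as resp:
            return resp.status == 200
    except urllib.error.HTTPError as err:
        if err.code != 404:
            raise
        return False
```

Run `classify(hash_live_processes(), hashlookup_knows)` as root to cover every process; unprivileged, only your own processes have a readable exe and the rest are silently skipped.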


Complete changelog available below:

v1.0 (2022-05-07)

New

  • [progress] disable progress option --disable-progress as progress is by default nowadays. [Alexandre Dulaunoy]

  • [live_linux] new --live-linux option to display known and unknown processes running from a running linux instance. [Alexandre Dulaunoy]

    The process hashes are read from the /proc/PID/exe which is the actual
    file running before being loaded in memory.

Changes

  • [lint] increase code complexity. [Alexandre Dulaunoy]

  • [code] black -S [Alexandre Dulaunoy]

  • [hash] skip bandit check on weak hash. [Alexandre Dulaunoy]

  • [hashlib] the library is not used for security per se but for forensics, and uses SHA1 as the lookup service gives more potential results in SHA1 (due to the old NSRL dataset) [Alexandre Dulaunoy]

  • [file] black -S [Alexandre Dulaunoy]

  • [doc] updated with new options. [Alexandre Dulaunoy]

Fix