<?xml version="1.0" encoding="utf-8"?>
<!-- name="GENERATOR" content="github.com/mmarkdown/mmark Mmark Markdown Processor - mmark.miek.nl" -->
<rfc version="3" ipr="trust200902" docName="draft-00" submissionType="independent" category="info" xml:lang="en" xmlns:xi="http://www.w3.org/2001/XInclude" indexInclude="true">
<front>
<title abbrev="hashlookup format">hashlookup format</title><seriesInfo value="draft-00" stream="independent" status="informational" name="Internet-Draft"></seriesInfo>
<author initials="A." surname="Dulaunoy" fullname="Alexandre Dulaunoy"><organization abbrev="CIRCL">Computer Incident Response Center Luxembourg</organization><address><postal><street>16, bd d'Avranches</street>
<city>Luxembourg</city>
<code>L-1160</code>
<country>Luxembourg</country>
</postal><phone>+352 247 88444</phone>
<email>alexandre.dulaunoy@circl.lu</email>
</address></author><author initials="J-L" surname="Huynen" fullname="Jean-Louis Huynen"><organization abbrev="CIRCL">Computer Incident Response Center Luxembourg</organization><address><postal><street>16, bd d'Avranches</street>
<city>Luxembourg</city>
<code>L-1160</code>
<country>Luxembourg</country>
</postal><phone>+352 247 88444</phone>
<email>jean-louis.huynen@circl.lu</email>
</address></author><date year="2022" month="June" day="23"></date>
<area>Security</area>
<workgroup></workgroup>
<abstract>
<t>This document describes the hashlookup output format, used to express meta information about hash values seen in databases of known files.
The output description includes common semantics. The hashlookup format is used by public and private digital forensics investigation services.</t>
</abstract>
</front>
<middle>
<section anchor="introduction"><name>Introduction</name>
<t>Digital forensics is a critical field in information security and especially in incident response. Providing intelligence
about known sets of files is crucial to avoid wasting effort while conducting digital investigations. The hashlookup format provides a common output format for
diverse known databases of file hashes. Those databases are, for example, the NIST National Software Reference Library (NSRL) or
Known File Filter (KFF) lists used in digital forensics software.</t>
<section anchor="conventions-and-terminology"><name>Conventions and Terminology</name>
<t>The key words "<bcp14>MUST</bcp14>", "<bcp14>MUST NOT</bcp14>", "<bcp14>REQUIRED</bcp14>", "<bcp14>SHALL</bcp14>", "<bcp14>SHALL NOT</bcp14>",
"<bcp14>SHOULD</bcp14>", "<bcp14>SHOULD NOT</bcp14>", "<bcp14>RECOMMENDED</bcp14>", "<bcp14>MAY</bcp14>", and "<bcp14>OPTIONAL</bcp14>" in this
document are to be interpreted as described in RFC 2119 <xref target="RFC2119"></xref>.</t>
</section>
</section>
<section anchor="format"><name>Format</name>
<section anchor="overview"><name>Overview</name>
<t>The hashlookup format follows the JSON <xref target="RFC8259"></xref> format. The intent is for this output to be easily
parsed by machines or generated by software in stream mode. Each JSON object is expressed on a single
line so that the client can process it line by line. Examples of JSON output are presented below.</t>
</section>
<section anchor="rational"><name>Rationale</name>
<t>The main goal of the hashlookup format is to share common fields and to easily combine results from different sources. Different reference libraries exist, and they are used in different use cases such as:</t>
<ul spacing="compact">
<li>Conducting digital forensic investigations and tracing the origin of released software distributions</li>
<li>Tracing the origin, and especially the overlap, between software distributions to conduct copyright assessments</li>
<li>Improving and supporting the cyber supply chain and its risk management</li>
</ul>
</section>
<section anchor="fields-format"><name>Fields Format</name>
<t>As there is a wide variety of sources with various granularities of information available, the hashlookup format has been made quite lax regarding the mandatory fields. The only condition is that at least one cryptographic hash or fuzzy hashing value <bcp14>MUST</bcp14> be present in a hashlookup JSON object.</t>
<t>The following sections define the JSON fields which are permissible. The values in the key-value pairs are strings.</t>
<section anchor="cryptographic-hashing"><name>Cryptographic hashing</name>
<t>The cryptographic hashing value <bcp14>MUST</bcp14> be a JSON string. The string represents the hashed value of the file represented. The string <bcp14>MUST</bcp14> be the hexadecimal representation of the hash in upper case.</t>
<ul spacing="compact">
<li><tt>MD5</tt></li>
<li><tt>SHA-1</tt></li>
<li><tt>SHA-256</tt></li>
<li><tt>SHA-512</tt></li>
</ul>
</section>
<section anchor="fuzzy-hashing-context-triggered-piecewise-hashing"><name>Fuzzy hashing (Context Triggered Piecewise Hashing)</name>
<t>The fuzzy hashing value <bcp14>MUST</bcp14> be a JSON string. The string represents the hashed value of the file represented.</t>
<ul spacing="compact">
<li><tt>TLSH</tt></li>
<li><tt>SSDEEP</tt></li>
</ul>
</section>
<section anchor="additional-fields"><name>Additional fields</name>
<t>Additional fields <bcp14>MAY</bcp14> be present to describe additional metadata from the file. The value <bcp14>MUST</bcp14> be a JSON string.</t>
<ul spacing="compact">
<li><tt>FileName</tt>: Filename of the hashed file (NSRL)</li>
<li><tt>FileSize</tt>: FileSize of the hashed file (NSRL)</li>
<li><tt>CRC</tt>: CRC of the hashed file (NSRL)</li>
<li><tt>SpecialCode</tt>: Special code of the hashed file (NSRL) as described in <xref target="NSRL-RDS"></xref></li>
<li><tt>OpSystemCode</tt>: OpSystemCode of the hashed file (NSRL) as described in <xref target="NSRL-RDS"></xref></li>
<li><tt>ProductCode</tt>: ProductCode of the hashed file (NSRL) as described in <xref target="NSRL-RDS"></xref></li>
<li><tt>PackageName</tt>: Package name of the hashed file as seen in the metadata of the Debian package format, RPM or similar package managers (CIRCL)</li>
<li><tt>PackageMaintainer</tt>: Package maintainer of the hashed file as seen in metadata of the Debian package format, RPM or similar package managers (CIRCL)</li>
<li><tt>PackageSection</tt>: Package section of the hashed file as seen in the metadata of the Debian package format, RPM or similar package managers (CIRCL)</li>
<li><tt>PackageVersion</tt>: Package version of the hashed file as seen in the metadata of the Debian package format, RPM or similar package managers (CIRCL)</li>
<li><tt>KnownMalicious</tt>: List of sources considering the hashed file to be malicious (CIRCL)</li>
<li><tt>tar:gname</tt>: Group name used to create the Tar archive</li>
<li><tt>tar:uname</tt>: User name used to create the Tar archive</li>
<li><tt>source</tt>: Source of the hashed file</li>
<li><tt>db</tt>: Database the hashed file comes from (if it is an import of an existing dataset)</li>
<li><tt>insert-timestamp</tt>: When the hashed file was inserted in the hashlookup database</li>
<li><tt>mimetype</tt>: Guessed mimetype of the file (CIRCL)</li>
<li><tt>nsrl-sha256</tt>: Specifies whether the file SHA-256 comes from the original NSRL SHA-1 to SHA-256 list</li>
</ul>
</section>
<section anchor="relationships-fields"><name>Relationships fields</name>
<t>Two <bcp14>OPTIONAL</bcp14> fields <tt>parents</tt> and <tt>children</tt> <bcp14>MAY</bcp14> be present to represent the relationships with other hashlookup objects. The <tt>parents</tt> or <tt>children</tt> field <bcp14>MUST</bcp14> be a JSON array.
The value is a JSON string representing one of the hashing algorithms. The <tt>SHA-1</tt> is the <bcp14>RECOMMENDED</bcp14> algorithm for the relationship. Other algorithms <bcp14>MAY</bcp14> be used if SHA-1 is not available.</t>
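<t>The field rules above, applied to a line-delimited stream before ingestion. This is an added example, not part of the original draft or of the hashlookup project's code. The function names, the nesting cap and the problem messages are assumptions, and the sample lines are constructed from hash values shown in this document.</t>
<sourcecode type="python"><![CDATA[
```python
import json
import re

# Hex-digit lengths of the cryptographic hash fields the format names.
CRYPTO_FIELDS = {"MD5": 32, "SHA-1": 40, "SHA-256": 64, "SHA-512": 128}
FUZZY_FIELDS = ("TLSH", "SSDEEP")
UPPER_HEX = re.compile(r"[0-9A-F]+")
MAX_DEPTH = 4  # assumption: cap on nested parents/children objects


def check_digest(field, value):
    """Return problems for one cryptographic hash value (empty list if fine)."""
    if not isinstance(value, str):
        return [f"{field}: not a JSON string"]
    if len(value) != CRYPTO_FIELDS[field]:
        return [f"{field}: expected {CRYPTO_FIELDS[field]} hex digits"]
    if not UPPER_HEX.fullmatch(value):
        return [f"{field}: not upper-case hexadecimal"]
    return []


def check_relation(name, entries, depth):
    """parents/children: a JSON array of digest strings, or of nested
    objects as in the document's binary-file sample."""
    if not isinstance(entries, list):
        return [f"{name}: not a JSON array"]
    problems = []
    for i, entry in enumerate(entries):
        if isinstance(entry, str):
            known_len = len(entry) in CRYPTO_FIELDS.values()
            if not known_len or not UPPER_HEX.fullmatch(entry):
                problems.append(f"{name}[{i}]: not an upper-case hex digest")
        elif isinstance(entry, dict) and depth < MAX_DEPTH:
            nested = validate_object(entry, depth + 1)
            problems += [f"{name}[{i}].{p}" for p in nested]
        else:
            problems.append(f"{name}[{i}]: unsupported entry")
    return problems


def validate_object(obj, depth=0):
    """Check one hashlookup object. Additional fields are not type-checked,
    because the document's own sample nests objects under OpSystemCode."""
    if not isinstance(obj, dict):
        return ["record is not a JSON object"]
    problems = []
    for field in CRYPTO_FIELDS:
        if field in obj:
            problems += check_digest(field, obj[field])
    for field in FUZZY_FIELDS:
        if field in obj and not isinstance(obj[field], str):
            problems.append(f"{field}: not a JSON string")
    if not any(f in obj for f in (*CRYPTO_FIELDS, *FUZZY_FIELDS)):
        problems.append("no cryptographic or fuzzy hash present")
    for name in ("parents", "children"):
        if name in obj:
            problems += check_relation(name, obj[name], depth)
    return problems


def validate_stream(lines):
    """One JSON object per line; returns [(line_number, problems), ...]."""
    results = []
    for number, line in enumerate(lines, 1):
        if not line.strip():
            continue
        try:
            results.append((number, validate_object(json.loads(line))))
        except json.JSONDecodeError as exc:
            results.append((number, [f"invalid JSON: {exc.msg}"]))
    return results


# Constructed sample stream: one valid record, then four that break a rule.
SAMPLE_LINES = [
    '{"SHA-1": "F335B669CCB7BA8A2FC8FAF315B1B4BFF9D4217F", "PackageName": "coreutils", "children": ["5848386F77B4C60319C68B69C4594E29959381A2"]}',
    '{"MD5": "945fedb3a3c290d69f075f997e5320ff", "FileName": "./bin/ls"}',
    '{"FileName": "./bin/ls", "FileSize": "110080"}',
    '{"SHA-1": "5848386F77B4C60319C68B69C4594E29959381A2", "parents": "F335B669CCB7BA8A2FC8FAF315B1B4BFF9D4217F"}',
    '{"SHA-1": "5848386F"',
]

if __name__ == "__main__":
    for number, problems in validate_stream(SAMPLE_LINES):
        print(number, "ok" if not problems else problems)
```
]]></sourcecode>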
</section>
</section>
<section anchor="sample-hashlookup-output"><name>Sample hashlookup output</name>
<section anchor="binary-file"><name>Binary file</name>
<artwork>{
  "CRC32": "B4DD44A4",
  "FileName": "./bin/ls",
  "FileSize": "110080",
  "MD5": "945FEDB3A3C290D69F075F997E5320FF",
  "OpSystemCode": {
    "MfgCode": "1006",
    "OpSystemCode": "362",
    "OpSystemName": "TBD",
    "OpSystemVersion": "none"
  },
  "ProductCode": {
    "ApplicationType": "Operating System",
    "Language": "English",
    "MfgCode": "534",
    "OpSystemCode": "599",
    "ProductCode": "163568",
    "ProductName": "Vinux ",
    "ProductVersion": "5.1"
  },
  "SHA-1": "5848386F77B4C60319C68B69C4594E29959381A2",
  "SHA-256": "08AC13B08BFE4407E0F0C2E12E7F5B1B5E77EB817349A5EA1D836E83CD5ACB13",
  "SpecialCode": "",
  "parents": [
    {
      "FileSize": "1090622",
      "MD5": "10A2318BE86F38A6ED113E16AABAA76B",
      "PackageDescription": "GNU core utilities\n This package contains the basic file, shell and text manipulation\n utilities which are expected to exist on every operating system.\n .\n Specifically, this package includes:\n arch base64 basename cat chcon chgrp chmod chown chroot cksum comm cp\n csplit cut date dd df dir dircolors dirname du echo env expand expr\n factor false flock fmt fold groups head hostid id install join link ln\n logname ls md5sum mkdir mkfifo mknod mktemp mv nice nl nohup nproc od\n paste pathchk pinky pr printenv printf ptx pwd readlink rm rmdir runcon\n sha*sum seq shred sleep sort split stat stty sum sync tac tail tee test\n timeout touch tr true truncate tsort tty uname unexpand uniq unlink\n users vdir wc who whoami yes",
      "PackageMaintainer": "Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>",
      "PackageName": "coreutils",
      "PackageSection": "utils",
      "PackageVersion": "8.21-1ubuntu5.4",
      "SHA-1": "F335B669CCB7BA8A2FC8FAF315B1B4BFF9D4217F",
      "SHA-256": "07995A739DAEBD60297F0E9C2B44DFAB0C735A0FE08FACC097ECE06BB4B9FA0B"
    }
  ]
}
</artwork>
</section>
<section anchor="binary-file-package"><name>Binary file - package</name>
<artwork>{"FileSize": "1090622", "MD5": "10A2318BE86F38A6ED113E16AABAA76B", "PackageDescription": "GNU core utilities\n This package contains the basic file, shell and text manipulation\n utilities which are expected to exist on every operating system.\n .\n Specifically, this package includes:\n arch base64 basename cat chcon chgrp chmod chown chroot cksum comm cp\n csplit cut date dd df dir dircolors dirname du echo env expand expr\n factor false flock fmt fold groups head hostid id install join link ln\n logname ls md5sum mkdir mkfifo mknod mktemp mv nice nl nohup nproc od\n paste pathchk pinky pr printenv printf ptx pwd readlink rm rmdir runcon\n sha*sum seq shred sleep sort split stat stty sum sync tac tail tee test\n timeout touch tr true truncate tsort tty uname unexpand uniq unlink\n users vdir wc who whoami yes", "PackageMaintainer": "Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>", "PackageName": "coreutils", "PackageSection": "utils", "PackageVersion": "8.21-1ubuntu5.4", "SHA-1": "F335B669CCB7BA8A2FC8FAF315B1B4BFF9D4217F", "SHA-256": "07995A739DAEBD60297F0E9C2B44DFAB0C735A0FE08FACC097ECE06BB4B9FA0B", "children": ["9799864E326E9DB68121471C6E72EA45152BD2C8", "A880A1F35311A7D34C9B2CA10418BD6EE94EFF58", "3E9FE88BBFE594A701522C2BAF65E209FDF7EFD9", "E03605C7911BF75BE61E54FB922B11DCF1EAAFF9", "181A05F9D249BC99FB684984C631F149CC96990C", "7EF60EF3D83B352ACC9AF996ACDC7BE3DE955705", "C687BCF2FCB74F649163AAB837C15D5800D80B31", "168CA019316332AC0A01472BDF8769801F613DCA", "6645E63EC4411B54287CB0C1321160E44B05FB87", "1989E263AF6ACF6E2869D0B4CF9433E240213C4E", "DEDFD0DA98EA7D07A5B1C7D16EACDCD0154C79B9", "C1A0868024358B0C2F0A2991BD4676B70EBF66F3", "69952AAC37372161F66DA9B07FE0BE5263A9249F", "C03D2998DE9E4332DC91586F00DAC3CA5F4761C3", "E558E7B478FAC50CCACE0E6BE28CAA19FBC74D4E", "08E3AFA387417CB0DA343837D68374A4AB8D915F", "46750D0726DB8D8E4DF870B1060E2414B64164E9", "47A2C7B8518F7E790B097785E25C8E5909AE8A39", "9D8E3FD5BE0D04815F5B0606E94C3B7C29CC8788", 
"FCAD50919AF0544353E950D1B52E6E2C7B98854B", "CFDE9C955B1E774EF72FB2B4A3E180EADF4CD3D0", "95C37C6826FF0C4E1C17D08285D346EE643343C0", "B35FB1B6DCEC924603F8A86677DBB0D54F5B3C18", "F8592BBAF848DEF6DC26266B15246C50D45C2095", "FF43C49690FF5E5D05CA59D7E66CEEA7E3CE00D0", "903FA7065E10EA3ED8D07598715E7AA73C38BA5A", "64D49DB459A03800399A5BB8CFFE979A604959CF", "688FCF82E39A1C44424FE9F440B69B341FC8B6E2", "0A073CD0BBFB5A33F539003F85E4D90C4CA3F2BD", "C158DC6563C36EA34408E1A36D9786A8CD95FD22", "6ECEBFE6C408316371834A52A037D91EB5BD2A1E", "2411EE623576B90A80AF6B50C47E6186F8AB6308", "2592E88C4FD1BD34207E480AEF99508090370945", "3904F363902225998E2222D67D20D01579461C15", "76FCB8813682CC8697AF1E5C6DDD5FB1DFDEA23C", "D461D21F9994EA40C68651BCA6A6D07F43A551C4", "AEE56A85B66D037EAD8C2D630194C8C46E5C061A", "69AD64E3E922A40EC3372C5DBEE57E8ABE486227", "1348C730C44DF01C0D49DB6084B5736A1D7A3BBC", "E0A97820A852729E236F7524CC23060C7BD7638E", "BF2AAAEDAB78605C43FF12450381C07C15A01D06", "071E525B285AD74B3884F1661D857E8491D2C622", "087204A60FDF211A545A5B8B900F23C0AA118333", "5848386F77B4C60319C68B69C4594E29959381A2", "E19EC3D5E7B9AEC5320CE69FAE5A61EAA7AB2143", "A57FB1F8263E8AA32B36B0D08CDA214E55DE9202", "E8FC405D941E589AA1BAB01E05AD321A049B7775", "A9DB474B1F26FAF5E01B7D545D9CA66269487053", "5E49F9779E165B4EEE965914FECBB8F7D78C59C8", "B90EAF06CF7C6F829B5D671936B59052797F78AC", "90772F507D44570ECDF615B4C232F19FC6DD9D0D", "8025FBA333B4ADCE8EFCAD284541F38C41DA09DE", "F899AA531C826504B9B494C8EA5E4532313210A0", "6AE02146CEC01123843393817D352A805227807D", "3F9E530FB7E8C37E53FFCB1ECF977E00C25F224E", "416FD291494F58795077E5EE064D92329E15DE0E", "9A9A76DA8EC26B5AA3B1F35C434466291424718F", "731D8E470227AC5AAD8432EC123984B9D052B7A0", "EBE777F05B387155604065AD4BED08D2EA3CB8B8", "787ACF5E6A560B4AEB008111F701A730AADF2EC7", "AA6F74DAD038A0DFCD4D64A002482F40BB732F10", "16C68C5BD71D93E06C2D8FC7F0F0F73954C6D7C3", "4AA2F5D8C293531D72137EAE6F71044CD46B5AD7", "99F256008B4847D716492E9763D03D049EEECE6C", 
"3244B00D11BA9997243A3C2D3108FC915A4BA042", "9C7C38A4B21AACB6DC51AB8A97F6CDE6704ACCB6", "781A6E4FE0CB8167CE423FC476240BDED698D676", "A71230EDAE1E5D354C672E7AB1CE92BC6059EC7C", "ACBD8B51B76889C2F55820E1C32BB26FBF67C441", "7C394AF4519CE500161DEB17857B9C057B7C74B3", "7AB1711D45DB3752B7CBE446D2E0E62D77E75EE3", "8CD8BD2875A68CD5E01F4A071B3F39F5B725B2B6", "D5FF3DB00A37075C07878A718852AFE539C7610D", "1B56B7A2684EB25235DE1708ED1371CD7879540F", "53D8A8EF35DA82BB6118BF9D8BF1ED404FC383C9", "47392375E355F56961CA42E1CFB6B98BBD484D4C", "DCBD08101D550F76DCC1B7507B152734B6F7CE7C", "F8DF08929A667BED6D7086812C319DB522E8292C", "1FB274F0883E0075D398806ACD0FA765F1118C20", "583A638A220E6FD91569F4E263771D4F89F2CC67", "39698F9FA30AE6990ACDF69280B682D90705EC32", "DE762C72E9720DB70C1897C3E0FC9C8C7D160210", "283DD2D206477E4081911F6B83950EE76503EBAD", "A7C8E7F93AE9E86A7836238644274CD73C75F5A7", "A03537A232503853D9D4C30C732CFB5F12913D93", "3F4D980B4870D5A6EB3DF334CA49C5566000C97F", "C028089A484BA0AD0166281B58DEBE0C99E5B4E7", "4A46ECF0336D55076B1C72D2459139F85DF7236C", "DF9C0BDE30B1E2C8FAF8E35CBBD3672C0AE0DFDA", "29E52E423E17C0CE93D38AA8380B0A3AF137BC7E", "BA5FD03FF246DE181DDCAA744DC2AEF4D3711762", "FE7D945A453A276E1CD005AB7A1E177D48C63A86", "DD5A833CD33617F4DCDA0220809D41FA9B1EBFC7", "4017F5B69FBB5064E51A95C856437859BA6CBA83", "427B32F83A3FC5CA0813CBACE975ECA2D6AD918B", "8F16C526AF56EF4369611718463AD4975811DD20", "FC1C867CC2D89C5985C8CB833A3980915AF7E1A1", "EB3FCFD28830CCED7C6BAA04908F574EA4F2A61F", "410D1E55EE08EF6BD7DE39DE80A02981BAF151D1", "988B560C670EDD9E2AEEE6C1D6DE584518CC57F5", "F26ABF496FC9940BB06CD4CEC3D892CF2E426B6A", "22AC7B8CA7324408A18BB95FB55AAE9E5EA85785", "F3E09D476BB01366D740EFF92453AC73C8356F43", "6DD5ACA0C43EF39FD7FFAFEEDE46986985BC84DE", "E38EDB72D805F466556C8BB796EA729CBCC04245", "D6C447B56B702869E9B429A7B47E1CE3B57BED9A", "64E23452FA980EB5DD1D4375071CB6124CF9B196", "7883EB75715603F1B89449BE617F91C65698DF38", "C328540F2D947D50EF02AC958C0DCDB51CCA0DD0", 
"2AC91E34FE455B026B537EA8FBA86E69E251CEE4", "672D844C60553F9B3DB9844DC29DDF49BC426F45", "EDB7ED42160C95BA2C9DD4C1E87577BD85DFE5FB", "6F4DF90B509C9392A180D7C76BB0058D4C44A4BD", "1C75F8FAF710C17B87DFD75D8390F2F2F7AF6400", "C02435F5BE0DB85C12B47E33644322631CBE7CCA", "B0C07FAC1BA571EC3054D79C40181D99CB4D01ED", "CA0B3EBCD75D8799863ADDB66E9BD378A3B88F8E", "521E4CC97D2372F821F75DB03A26938F923C002C", "CFE1C6F349F1F0611CFD3B6DD0E60EB135D7D798", "DFC1F4C951F6E09B6CFCA69127BE483279A9B5F9", "6E957B4561B081DA16886751D729170975D860BE", "A570E581D7E1D5308E88154967C3BDE3593DA50D", "99CCB36AE5BA1B6EF528C3477CDB1185744C8DA7", "A07770FC93BAA888407523BB58EE9CE97C94DB02", "56035A58036F19A2C9D312BF2730C7F970B380CA", "2C3D857765A05AF072146796B07D6A063C0B7224", "4BD3020D460E50386297CE14F9AD85B7278F9A73", "7F8BF064B328BE934582341857413CE7A387CB81", "403645FFD3A5B16F3E558947C1854FAC180C1E92", "CC125B501A779D230063BA38A7BDEB93041D82D3", "9FC7AE958DAB28FE8B6466555BDFF954BE0EC2E7", "BAE0BFB8B27FC8806194C299435AD578BC93731A", "D357E7C22254E182377A57350BB9EC870B677B32", "9C3290446A139A29D000D920E83AE5ABA264C89A", "D3582A8EF775B8E3FB4771B7B6762FBF388C131E", "DBC34938767985B8C06471483D794A1ED91529A8", "23BEFDFDBD4FDE0052EE71D6E5561F2756C85F91", "53360CB53781CACC39BED7A4484A9B8AF7D356F4", "3E98B06F33CBB14590231B74BBC277418605BE21", "C41D8DEADD83B2FFDE06CD517452A680A87A44F3", "5942742E2461BF2646FDFA48C44F1BFDE7EC37EB", "D74E21CA765F9B05DE6535799A68DCA14DE3036B", "70090B7400AC6E18BE5E1C05FB6C0EC19EBB2B5A", "AF5BE22C07A95E8D7464415A5B988D7B46F34018", "24E177F4DDB835CBA8A12F9E1372E2338A2891E9", "D805D555362790B465829C15296CC9382898FAAC", "543D2D3AA93FAC487EAD738460539FB6EC9D8D52", "B20FEC67D2246000FD86FA211DD40CAAECCEB9AD", "7A806948FE658A5BAC29A0F5CA3710533D848565", "DC949A8C7FA9FEE929930B6FB599BC82F8DC4C5A", "55DBEAFBD6A4CA81E110CF0213051C11006AC4C9", "844D6D1DB5060B26976F07C66F2F8AAD2E455F65", "E7DAF9F24A6B790F157203235278CE3F4208CB45", "B32B2AC7FFE8F658378ECA63DCA037C64A867C95", 
"4326E056CE3813801B5DA2848248840D2E317C94", "CEC087401C965D8AF9D4DCFBDED5AD305C86697D", "EDF9B4EABA52E2A5570D936AD74C142E3CCE1CE8", "C04C8D4891153FAF0CF8E27CBC31A556862AB783", "47073CD75ED4721EEB6FF29C52D5D871771C57A4", "BEC391C559DAE7FFC0B5D90EA7CA65028AA1D16E", "5A11AC51F28545D7965990027CA63F28C410A51A", "66F6BE00855E7A2CB618F52C99F795A055534911", "75C44CAD971780BDCE8CE499F7ED7CA235985EC5", "87AA6E1E92AA2552DC6E431E88C22774E565F14E", "21C0A42179BF4A6C2E58DDF1A1BF58C668830A50", "8AF3BAAD4074A5267E6E7D8D77D0F0B0AADFEFC4", "5B74838880C11A9FEF94FDA3964DD6BA53F812E7", "F5C5CF75A119FF8818283B9CC932217888CDC8A9", "1056EBBFBBBF2E51BCB8A48FF8038CF66095F63A", "55016AD7A449B91A5DBE59308BDD3E84261A8FF9", "F0BC5D070A82BBCD1749EBE219671FEEEAEDAED6", "3884371FFF88B50CB05D50549A1A3C106017862C", "5EEC0C5A87A28238955970C668BA4DD733A27380", "56A361D047DB9C25736638CA6C8DE5D8F5AC4A1D", "7AD82880980897DE4B9E08DFC62E7E378426F91B", "3F3AACED5AAD06D9591F9B4EDC8DA1D87CF608E4", "21E08482B1CD04B02D37FA6AC4D8B562E684E52A", "9E3B379E28C7C00AE175F23F63555EA2111D4447", "B0E6C075C30FE3F28649AF644B5BD54A4CBDC509", "B9BFA0260EA37824C42047C3EC80C83A2BEBFAC8", "DA1AE2BDBE1281B7D4E3E10D828FC370BD12572A", "3988BFCAA09F78083C23996B9D049269CF088CF2", "C2BEBF667833B55C5495753657C469AD07332007", "3E4FDE8DECFD58B5273B2B72A5D2D67804AAB27C", "3468D6009DA54AF9C6BF3E78D058D87886C9C6D2", "A6817340664ACE9688B4E9399A08024788AC03D7", "4FEC0C2432C2DF1EF03A8A63CE346179FCF3D1E4", "AB304FDC233C801E3D4129896F49A04D0F33C7E7", "B18D970EC65694033FD489FFE297ABAB9B391EC9", "8898C5F7E6CD1A1534080CB6D96003CBF0E0B5F7", "74D1EE107C5C63D4ADF5C1902F4EBD56EC1A7669", "084051009844302F09B1D5D48C2BA73F54BC8FB1", "250D7DA9FDED702FC1B3A127756367841CD851C6", "45B47C75BFE354E4DA4E6B101E4426634E56A927", "BA971742ACBB679EB80C20D0942C9F95D6BD6B7C", "861C814423F49B97077D4910FAB0C02D54EAB4B1", "44B78AF79C57BD5235883D15EC3106F96A2A5AA9", "BCF5A7EB0FD6362BB317BA69D7925002C7E1E3BE", "E0878F0243391A4537E0DF1652BE8D506FA749D1", 
"134A47F790EE082AB9A7E2503F01B0C164D777E8", "9352FF68CF7B5E73E7434BF138AFC2E17FB4545B", "3E6791CD56A48FABC6F637BE11D234E8068EF91F", "6F6A5B2A733ADBBB1100C44233DFBD3C5D00E4EA", "BB7E54487E24D3778C2C0EAB965AA421EA9D4D0F", "B7A599586D2BD1B69C69EB0862BC665DAAD9FC61", "2B129FA27E458F767898FD152EB65047B65238FE", "4D34641032551FBEBFFDAF751B707B90F9570C4D", "912A4B72F98C0EBEF5C235A55F49BA5EC5E463D9", "32D82E8E9873FEA2613B882461C58E13AB6BE52B", "F0C41EB583D4B17416DD70F1079E6FDEACE144FD", "014D78C0ECB1ED495D12E4FA0DA9C7A6A953945F", "4E492E947E446DF5D4B19AAB08664D65A3E604AE"]}
</artwork>
</section>
</section>
</section>
<section anchor="implementation"><name>Implementation</name>
<t>A public hashlookup service <xref target="HASHLOOKUP-SERVICE"></xref> is provided by CIRCL and accessible as a ReST HTTP API. A software back-end implementation which produces hashlookup format output is available <xref target="HASHLOOKUP-SERVER"></xref>. Commercial implementations such as <xref target="METALOOKUP-SERVICE"></xref> provide a compatible interface with the hashlookup format. The hashlookup project <xref target="HASHLOOKUP-IO"></xref> provides an umbrella for all the related open source projects using the hashlookup format.</t>
</section>
<section anchor="security-considerations"><name>Security Considerations</name>
<t>hashlookup results might contain sensitive or confidential information. Adequate
access control and an encrypted transport layer shall be implemented to ensure
the confidentiality of the hashlookup results.</t>
<t>hashlookup results don't imply a specific assumption concerning the maliciousness or non-maliciousness
of a file. hashlookup only provides the information about the presence of a file in a specific set, known source or database.</t>
</section>
<section anchor="acknowledgements"><name>Acknowledgements</name>
<t>The authors wish to thank all the users of the CIRCL hashlookup services for their feedback.</t>
</section>
<section anchor="references"><name>References</name>
</section>
</middle>
<back>
<references><name>Normative References</name>
<xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.2119.xml"/>
<xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.8259.xml"/>
</references>
<references><name>Informative References</name>
<reference anchor="HASHLOOKUP-IO" target="https://www.hashlookup.io/">
<front>
<title>hashlookup project - Open source tools and standards to lookup known files</title>
<author fullname="hashlookup.io" surname="hashlookup project"></author>
<date></date>
</front>
</reference>
<reference anchor="HASHLOOKUP-SERVER" target="https://github.com/adulau/hashlookup-server">
<front>
<title>hashlookup-server is a minimal and fast open source server (ReST/API) to lookup quickly hash value from large dataset.</title>
<author fullname="Alexandre Dulaunoy" initials="A." surname="Dulaunoy"></author>
<date></date>
</front>
</reference>
<reference anchor="HASHLOOKUP-SERVICE" target="https://www.circl.lu/services/hashlookup/">
<front>
<title>CIRCL hash lookup is a public API to lookup hash values against known database of files.</title>
<author fullname="CIRCL.LU" surname="CIRCL"></author>
<date></date>
</front>
</reference>
<reference anchor="METALOOKUP-SERVICE" target="https://www.metalookup.com/">
<front>
<title>Metalookup is a large database of hash values and meta information about published software. Metalookup provides a fast-lookup API to quickly check forensic evidences.</title>
<author fullname="Metalookup service operated by miwakeru.com" surname="Metalookup service"></author>
<date></date>
</front>
</reference>
<reference anchor="NSRL-RDS" target="https://www.nist.gov/system/files/data-formats-of-the-nsrl-reference-data-set-16.pdf">
<front>
<title>Data Formats of the NSRL Reference Data Set (RDS) Distribution</title>
<author fullname="NIST.gov" surname="NIST"></author>
<date></date>
</front>
</reference>
</references>
</back>
</rfc>