
I am trying to develop a unique ID (or some magic attribute) for a PE file, with the help of which we can calculate (or track) any information about that file (without disturbing the file), such as the file size, the address of the entry point, the machine code, whether the file is 32-bit or 64-bit, or any field in the PE header.

I tried calculating the MD5 of the PE file and storing a log with all the information about that file, such as the file path and size (as above). But that is too heavy or costly.

How can I find such an ID, or is there any ID by which we can track information about a file?

  • The cost is in reading the files, not in calculating a hash. You can't magically optimize reading files; making it faster requires better hardware. The only way to get ahead without spending dollars is to never wait for it. – Hans Passant Oct 23 '15 at 22:22
  • The SANS Institute for computer forensics uses MD5 hashes and has [clarified in a blog post in 2009 why MD5 is still sufficient even though there are collision issues](https://digital-forensics.sans.org/blog/2009/01/07/law-is-not-a-science-admissibility-of-computer-evidence-and-md5-hashes/) because a collision is not critical and evidence has to be provided to the court by other means. [VirusTotal](https://www.virustotal.com) uses SHA256. This provides fewer collisions and since there is no other evidence involved, it's a good idea. So it depends on which hash sources you want to use. Tip: use both. – Thomas Weller Oct 27 '15 at 21:25
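
The approach discussed in the question and comments (a file hash as the ID, with the header fields stored in a log keyed by that hash), as an added example that is not part of the original thread: the bytes are read once, and both digests and the PE header fields are taken from that same buffer. The function names and the header-only sample image are constructed for illustration.

```python
import hashlib
import struct

MACHINES = {0x014C: "x86", 0x8664: "x64", 0xAA64: "ARM64"}
MAGICS = {0x10B: "PE32 (32-bit)", 0x20B: "PE32+ (64-bit)"}


def pe_record(data: bytes) -> dict:
    """Build one index record from bytes that were read from disk once."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ header")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    # signature (4) + COFF header (20) + optional header up to entry point (20)
    if e_lfanew + 44 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: bad or truncated PE header")
    machine, _nsec, timestamp = struct.unpack_from("<HHI", data, e_lfanew + 4)
    opt = e_lfanew + 24                      # start of the optional header
    (magic,) = struct.unpack_from("<H", data, opt)
    (entry_rva,) = struct.unpack_from("<I", data, opt + 16)
    return {
        "sha256": hashlib.sha256(data).hexdigest(),
        "md5": hashlib.md5(data).hexdigest(),
        "size": len(data),
        "machine": MACHINES.get(machine, hex(machine)),
        "format": MAGICS.get(magic, hex(magic)),
        "entry_point_rva": entry_rva,
        "timestamp": timestamp,
    }


def make_sample_pe() -> bytes:
    """Constructed, header-only PE32+ image used as sample input (not runnable)."""
    buf = bytearray(0x100)
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x80)                     # e_lfanew
    buf[0x80:0x84] = b"PE\0\0"
    struct.pack_into("<HHI", buf, 0x84, 0x8664, 1, 0x5629A000)  # Machine, sections, timestamp
    struct.pack_into("<H", buf, 0x98, 0x20B)                    # optional header magic
    struct.pack_into("<I", buf, 0x98 + 16, 0x1000)              # AddressOfEntryPoint
    return bytes(buf)


if __name__ == "__main__":
    index = {}
    rec = pe_record(make_sample_pe())
    index[rec["sha256"]] = rec   # the digest is the ID; fields are looked up, not re-read
    print(rec)
```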

0 Answers