Thursday, December 6, 2012
Backtrack Forensics: Hashes
The Backtrack Forensics module ships six applications for computing hashes, all from the same md5deep suite:
md5deep - Compute and compare MD5 message digests
sha1deep - Compute and compare SHA-1 message digests
sha256deep - Compute and compare SHA-256 message digests
tigerdeep - Compute and compare Tiger message digests
whirlpooldeep - Compute and compare Whirlpool message digests
hashdeep - computes several of the above digests for each file in one pass
Each tool computes its digest for a single file, for a directory (recursively, with -r, for every file under it), or for an entire drive given as a block device. The command-line syntax is identical across the tools, so the md5deep examples below apply unchanged to the others. Keep in mind that MD5 collisions are practical today: for anything other than matching against an existing MD5 list, prefer sha256deep or hashdeep.
Example runs:
Calculate the hash of every file under /root/assembly (-r recurses into the directory, -e shows a progress estimate on stderr) and redirect the hash list to md5hash.txt:
root@bt:~# md5deep -e -r /root/assembly/ > md5hash.txt
root@bt:~# cat md5hash.txt
3d60d85d993892ac6a2005dcecb7de77 /root/assembly/Function3.s
9e0266c8fb62950d0dddb1ad261ce6f0 /root/assembly/Shell
5e9bf2d710fd3b57fa7c41ec2c41255c /root/assembly/Shell.o
Check whether the hash of "Shell.o" is absent from the list (-x prints only files whose hash is not in the list, so no output means it matched):
root@bt:~# md5deep -x md5hash.txt /root/assembly/Shell.o
Check whether the hash of "Shell.o" is present in the list (-m prints the files whose hash is in the list):
root@bt:~# md5deep -m md5hash.txt /root/assembly/Shell.o
/root/assembly/Shell.o
List the files under "/root/assembly" whose hash is not in the list (nothing is printed here, so every file still matches):
root@bt:~# md5deep -x md5hash.txt -r /root/assembly
List the files under "/root/assembly" whose hash is in the list:
root@bt:~# md5deep -m md5hash.txt -r /root/assembly
/root/assembly/Function3.s
/root/assembly/Shell
/root/assembly/Shell.o
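The same baseline / verify workflow, re-implemented with Python's hashlib so it can be run without BackTrack. This is an added example, not code from the original post or from the md5deep suite: it builds a constructed sample tree in a temporary directory, writes a list in md5deep's "digest, two spaces, path" layout, and then performs the -m (matching) and -x (non-matching) steps after tampering with the tree. Note that, like md5deep, it matches on the digest alone, not on the file name, so a renamed copy of a known file still counts as a match. The file names and contents are made up for the demonstration; skipping symlinks is this example's own choice.

```python
"""Re-implementation of the md5deep -r / -m / -x workflow with hashlib.

Added example; not part of the original post or of the md5deep tools.
"""
import hashlib
import os
import shutil
import tempfile

CHUNK = 1 << 20  # read evidence files in 1 MiB pieces, not all at once


def digest_file(path, algo="md5"):
    """Hex digest of one file; algo is any name hashlib.new accepts."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def hash_tree(root, algo="md5"):
    """Recursive walk (md5deep -r): returns {path: hex digest} in sorted order."""
    result = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()
        for name in sorted(filenames):
            p = os.path.join(dirpath, name)
            if os.path.islink(p):  # this example's choice: skip symlinks
                continue
            result[p] = digest_file(p, algo)
    return result


def write_manifest(hashes, manifest_path):
    """Write the list in md5deep's output layout: '<digest>  <path>'."""
    with open(manifest_path, "w") as f:
        for p, h in hashes.items():
            f.write(f"{h}  {p}\n")


def load_known(manifest_path):
    """Parse a md5deep-style list into a set of digests (matching ignores paths)."""
    known = set()
    with open(manifest_path) as f:
        for line in f:
            line = line.rstrip("\n")
            if not line:
                continue
            digest, _sep, _path = line.partition("  ")
            known.add(digest.lower())
    return known


def matching(hashes, known):
    """md5deep -m: paths whose digest is in the known list."""
    return [p for p, h in hashes.items() if h in known]


def not_matching(hashes, known):
    """md5deep -x: paths whose digest is NOT in the known list."""
    return [p for p, h in hashes.items() if h not in known]


def demo():
    """Baseline, verify, tamper, re-verify on a constructed sample tree."""
    with tempfile.TemporaryDirectory() as tmp:
        tree = os.path.join(tmp, "assembly")
        os.makedirs(tree)
        # Constructed contents; names mirror the post's listing only for readability.
        sample = {
            "Function3.s": b"mov eax, 1\nint 0x80\n",
            "Shell": b"\x7fELF-constructed-binary\n",
            "Shell.o": b"constructed object file\n",
        }
        for name, data in sample.items():
            with open(os.path.join(tree, name), "wb") as f:
                f.write(data)

        manifest = os.path.join(tmp, "md5hash.txt")
        baseline = hash_tree(tree)
        write_manifest(baseline, manifest)       # md5deep -e -r tree > md5hash.txt
        known = load_known(manifest)
        before = (len(matching(baseline, known)),      # expect all 3
                  len(not_matching(baseline, known)))  # expect 0

        # Tamper: append a byte to Shell.o, drop a new file, rename a copy of a known one.
        with open(os.path.join(tree, "Shell.o"), "ab") as f:
            f.write(b"\x90")
        with open(os.path.join(tree, "dropped.bin"), "wb") as f:
            f.write(b"new and unknown\n")
        shutil.copyfile(os.path.join(tree, "Function3.s"),
                        os.path.join(tree, "renamed.s"))

        after = hash_tree(tree)
        flagged = sorted(os.path.basename(p) for p in not_matching(after, known))
        still_known = sorted(os.path.basename(p) for p in matching(after, known))
        return before, flagged, still_known


if __name__ == "__main__":
    print(demo())
```

Running demo() reports that all three files matched the baseline, that the -x step flags the modified Shell.o and the new dropped.bin, and that the -m step still lists renamed.s, because its content (and therefore its digest) is identical to Function3.s. That last point is the caveat to remember when using a known-file list as a whitelist: it vouches for content, never for a path.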
Labels: backtrack 5, forensics