Senin, 08 Agustus 2005

Using md5deep

Thank you to Harlan Carvey for reminding me of Jesse Kornblum's md5deep. md5deep is a suite of tools to recursively compute a variety of hashes. It is not limited to the MD5 algorithm. In the example below I run the sha256deep tool to provide sha256 hashes of various files. The -r flag initializes recursive behavior, and -z says display file size before the hash.


bourque:/home/analyst$ sha256deep -r -e -z *

93506 1a6da6a2a849eb27fb7522939afab63ec59bcdb9412c2460fe611543b573d95f
/home/analyst/2005-041-santini_air/sample

111 43450978e07f87dfbc4918fec928209c54f4d5804367960fbde617e71ee50985
/home/analyst/2005-041-santini_air/sample.sha256

209.180.018.089.02001-156.023...: 391MB of 1405MB done, 00:01:22 left

The last entry shows sha256deep is busy computing the hash for a 1405 MB file. By passing the -e flag, I told the program to estimate time until hash completion. This is useful for processing large files. The resulting hash is eventually shown below.

1473577526 3f4eb24ae943dba4bdb1126540d309854824ac64ff6f288020c9c2bdc4793de9
/home/analyst/2005-041-santini_air/209.180.018.089.02001-156.023.170.238.02001

md5deep and related tools simplify maintaining forensic evidence as the program can rapidly produce hashes in an investigator-friendly format. There's also a FreeBSD port. For forensic applications, you would save the hashes to a file instead of standard output.

0 komentar:

Posting Komentar