Re: Standardized Forensics Training for the Corporate World...
From: Dave Dittrich
Subject: Re: Standardized Forensics Training for the Corporate World...
Date: Sun, 12 Nov 2000 14:13:10 -0800 (PST)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Kevin,
> Most companies I know of that do forensics developed their own
> proprietary tools that they do not share.
Too bad for them. ;)
> I recently visited a company
> that rewrote dd to perform automatic checksums (not hard, but a good
> idea), and they will not share it.
"Not hard" is right (unless I missed something). I patched the GNU
fileutils-4.0 version of "dd" to add MD5 checksums as it reads records
in, and *I'll* share it (in fact I'm copying the GNU fileutils folks
in case they want to include this feature in dd.) I'm using the
reference MD5 code as found on CIAC's web site.
Here is a successful test run (using "md5sum" as a sanity check):
# ./dd --checksum ibs=1024 if=/dev/hda1 count=1 of=testblock1
f467fe37db0472d5292f48a8f6230ce8 [1]
1+0 records in
2+0 records out
# ./dd --checksum ibs=1024 if=/dev/hda1 skip=1 count=1 of=testblock2
8cd94ab1806f33454ef44f2770b11ddc [2]
1+0 records in
2+0 records out
# ./dd --checksum ibs=1024 if=/dev/hda1 skip=2 count=1 of=testblock3
878c64420094b9d25a650a865b380b22 [3]
1+0 records in
2+0 records out
# md5sum testblock?
f467fe37db0472d5292f48a8f6230ce8 testblock1
8cd94ab1806f33454ef44f2770b11ddc testblock2
878c64420094b9d25a650a865b380b22 testblock3
If anyone else can find any bugs, please let me know. I'm writing
checksums to stdout. I'm assuming that you want to produce checksums on
reading each record. I'm not sure if the result will be right if dd
only does partial record reads/writes, but this test case seems to work
properly when the blocks are checksummed individually. (The mismatched
in/out record counts might be a bug in dd? I haven't looked into that.)
Attached are the differences and files you need to add to
fileutils-4.0. Use it like this (after first obtaining
ftp://prep.ai.mit.edu:pub/gnu/fileutils/fileutils-4.0.tar.gz):
# tar -xzf fileutils-4.0.tar.gz
# cd fileutils-4.0
# tar -xvf ../fileutils-4.0a.diffs.tar
fileutils-4.0.diff
src/global.h
src/md5c.c
src/md5.h
# patch -p1 <fileutils-4.0.diff
patching file `src/Makefile.in'
patching file `src/dd.c'
# ./configure
. . .
# make
If you want the already-patched source, I stuck it at:
http://staff.washington.edu/dittrich/misc/fileutils-4.0a.tgz
e5279254ac4a464a26470c926280aae4 fileutils-4.0a.tgz
Now can someone on the list explain some good ways in which this feature
would be used?
- --
Dave Dittrich Computing & Communications
address@hidden Client Services
http://staff.washington.edu/dittrich University of Washington
PGP key http://staff.washington.edu/dittrich/pgpkey.txt
Fingerprint FE 97 0C 57 08 43 F3 EB 49 A1 0C D0 8E 0C D0 BE C8 38 CC B5
-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.2
Filter: gpg4pine 4.1 (http://azzie.robotics.net)
iQA/AwUBOg8WDo4M0L7IOMy1EQKiagCg9Yq9FVmn9OeD6Tjt+FaZTm1tIsQAoLej
Luh50IG1hxV8kJnsubPqaenb
=Ni5M
-----END PGP SIGNATURE-----
fileutils-4.0a.diffs.tar
Description: Unix tar archive
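The behaviour the post describes (an MD5 emitted per input record, the "1+0 records in / 2+0 records out" counters) can be reproduced outside of dd. The example below is an added illustration and is not Dittrich's fileutils patch: it copies a source in ibs-sized input records, prints an MD5 per record in the same shape as the patched dd, and also keeps a running MD5 of the whole stream (an addition of mine) so the result can be checked against md5sum of the finished image. The "2+0 records out" in the post is what GNU dd reports when ibs=1024 is given without obs, since the output block size stays at its default of 512 bytes, and the example reproduces that by writing in obs-sized records. SAMPLE_DATA, md5_hex, checksummed_copy and demo are names of this example, not of any dd option or fileutils function; the sample input is constructed.

```python
"""Checksum-while-copying, in the style of the patched dd discussed above.

Added example, not the fileutils patch from the post: reads the input in
ibs-sized records, prints an MD5 per input record as the patch does, keeps a
running MD5 of the whole stream (my addition), and writes the data out in
obs-sized records so dd's "N+M records in/out" counters, partial records
included, can be reproduced on a small constructed input.
"""
import hashlib
import io
import sys
from dataclasses import dataclass, field


@dataclass
class CopyResult:
    record_hashes: list = field(default_factory=list)  # MD5 hex of each input record read
    stream_md5: str = ""   # MD5 of every byte read, in order (what md5sum of the image gives)
    full_in: int = 0       # reads that returned exactly ibs bytes
    partial_in: int = 0    # short reads (dd's "+M" count), e.g. the tail of the input
    full_out: int = 0      # writes of exactly obs bytes
    partial_out: int = 0   # a final short write, if the total is not a multiple of obs


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def checksummed_copy(src, dst, ibs=1024, obs=512, skip=0, count=None, log=sys.stdout):
    """Copy src to dst like `dd ibs=IBS obs=OBS skip=SKIP count=COUNT`, hashing
    each input record as it is read. src and dst are binary file objects.

    skip and count are in input records, as in dd. Skipped records are read
    and discarded so the function also works on non-seekable input. A short
    read is hashed as-is, so a partial record still gets its own checksum.
    """
    result = CopyResult()
    running = hashlib.md5()
    for _ in range(skip):
        if not src.read(ibs):
            break
    pending = b""          # bytes read but not yet written out in obs-sized records
    records_read = 0
    while count is None or records_read < count:
        rec = src.read(ibs)
        if not rec:
            break          # end of input
        records_read += 1
        if len(rec) == ibs:
            result.full_in += 1
        else:
            result.partial_in += 1
        rec_hash = md5_hex(rec)
        result.record_hashes.append(rec_hash)
        running.update(rec)
        log.write(f"{rec_hash} [{records_read}]\n")   # same shape as the patched dd's output
        pending += rec
        while len(pending) >= obs:
            dst.write(pending[:obs])
            pending = pending[obs:]
            result.full_out += 1
    if pending:
        dst.write(pending)
        result.partial_out += 1
    result.stream_md5 = running.hexdigest()
    log.write(f"{result.full_in}+{result.partial_in} records in\n")
    log.write(f"{result.full_out}+{result.partial_out} records out\n")
    return result


# Constructed sample "device": 2560 bytes = two full 1024-byte records plus a 512-byte tail.
SAMPLE_DATA = bytes(range(256)) * 10


def demo():
    """Reproduce the three single-record runs from the post on SAMPLE_DATA and
    check each per-record hash against an MD5 of the block actually written."""
    blocks = {}
    for n in range(3):
        out = io.BytesIO()
        res = checksummed_copy(io.BytesIO(SAMPLE_DATA), out, ibs=1024, obs=512, skip=n, count=1)
        assert res.record_hashes == [md5_hex(out.getvalue())]  # the `md5sum testblock?` check
        blocks[f"testblock{n + 1}"] = res.record_hashes[0]
    return blocks


if __name__ == "__main__":
    for name, digest in demo().items():
        print(digest, name)
```

Two things this makes visible that the single-block test in the post does not: a short read at the end of the input (the third run above, which reports "0+1 records in") still gets a per-record hash, and the per-record hashes are only useful for later verification if the record size and offsets are recorded alongside them, whereas the stream hash can be compared directly with md5sum over the whole image.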