bug-fileutils

Re: Standardized Forensics Training for the Corporate World...


From: Dave Dittrich
Subject: Re: Standardized Forensics Training for the Corporate World...
Date: Sun, 12 Nov 2000 14:13:10 -0800 (PST)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Kevin,

> Most companies I know of that do forensics developed their own
> proprietary tools that they do not share.

Too bad for them. ;)

> I recently visited a company
> that rewrote dd to perform automatic checksums (not hard, but a good
> idea), and they will not share it.

"Not hard" is right (unless I missed something).  I patched the GNU
fileutils-4.0 version of "dd" to add MD5 checksums as it reads records
in, and *I'll* share it (in fact I'm copying the GNU fileutils folks
in case they want to include this feature in dd.)  I'm using the
reference MD5 code as found on CIAC's web site.

Here is a successful test run (using "md5sum" as a sanity check):

# ./dd --checksum ibs=1024 if=/dev/hda1 count=1 of=testblock1
f467fe37db0472d5292f48a8f6230ce8  [1]
1+0 records in
2+0 records out
# ./dd --checksum ibs=1024 if=/dev/hda1 skip=1 count=1 of=testblock2
8cd94ab1806f33454ef44f2770b11ddc  [2]
1+0 records in
2+0 records out
# ./dd --checksum ibs=1024 if=/dev/hda1 skip=2 count=1 of=testblock3
878c64420094b9d25a650a865b380b22  [3]
1+0 records in
2+0 records out
# md5sum testblock?
f467fe37db0472d5292f48a8f6230ce8  testblock1
8cd94ab1806f33454ef44f2770b11ddc  testblock2
878c64420094b9d25a650a865b380b22  testblock3

If anyone else can find any bugs, please let me know.  I'm writing
checksums to stdout.  I'm assuming that you want to produce checksums on
reading each record.  I'm not sure if the result will be right if dd
only does partial record reads/writes, but this test case seems to work
properly when the blocks are checksummed individually.  (The mismatched
in/out record counts might be a bug in dd?  I haven't looked into that.)

Attached are the differences and files you need to add to
fileutils-4.0.  Use it like this (after first obtaining
ftp://prep.ai.mit.edu:pub/gnu/fileutils/fileutils-4.0.tar.gz):

# tar -xzf fileutils-4.0.tar.gz
# cd fileutils-4.0
# tar -xvf ../fileutils-4.0a.diffs.tar
fileutils-4.0.diff
src/global.h
src/md5c.c
src/md5.h
# patch -p1 <fileutils-4.0.diff
patching file `src/Makefile.in'
patching file `src/dd.c'
# ./configure
 . . .
# make

If you want the already-patched source, I stuck it at:

        http://staff.washington.edu/dittrich/misc/fileutils-4.0a.tgz

e5279254ac4a464a26470c926280aae4  fileutils-4.0a.tgz

Now can someone on the list explain some good ways in which this feature
would be used?

- --
Dave Dittrich                           Computing & Communications
address@hidden             Client Services
http://staff.washington.edu/dittrich    University of Washington

PGP key      http://staff.washington.edu/dittrich/pgpkey.txt
Fingerprint  FE 97 0C 57 08 43 F3 EB 49 A1 0C D0 8E 0C D0 BE C8 38 CC B5

-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.2
Filter: gpg4pine 4.1 (http://azzie.robotics.net)

iQA/AwUBOg8WDo4M0L7IOMy1EQKiagCg9Yq9FVmn9OeD6Tjt+FaZTm1tIsQAoLej
Luh50IG1hxV8kJnsubPqaenb
=Ni5M
-----END PGP SIGNATURE-----

Attachment: fileutils-4.0a.diffs.tar
Description: Unix tar archive
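
Added example (not part of the original message, and not the code from the attached patch): per-record MD5 hashing of the kind the message describes, written in Python, with short reads accumulated into full records, which is the case the message is unsure about. The function names, the ShortReads class, the 1024-byte default and the sample data are assumptions constructed for illustration.

```python
import hashlib
import io


def record_md5s(stream, record_size=1024):
    """Yield (record_number, md5_hex) for each record of the input.

    read() may return fewer bytes than requested (pipes, tapes, failing
    media), so a record is filled across several reads before hashing.
    A short final record is hashed as-is.
    """
    number = 0
    while True:
        buf = bytearray()
        while len(buf) < record_size:
            chunk = stream.read(record_size - len(buf))
            if not chunk:          # end of input
                break
            buf += chunk
        if not buf:
            return
        number += 1
        yield number, hashlib.md5(bytes(buf)).hexdigest()


def changed_records(baseline, current):
    """Record numbers whose hash differs (or exists in only one list)."""
    base, cur = dict(baseline), dict(current)
    return sorted(n for n in base.keys() | cur.keys() if base.get(n) != cur.get(n))


class ShortReads:
    """Constructed stand-in for a device that returns partial reads."""
    def __init__(self, data, limit):
        self._src, self._limit = io.BytesIO(data), limit

    def read(self, n):
        return self._src.read(min(n, self._limit))


# Constructed sample "image": three full 1024-byte records and a short tail.
IMAGE = b"A" * 1024 + b"B" * 1024 + b"C" * 1024 + b"tail"
# Same image with one byte altered inside record 2.
ALTERED = IMAGE[:1500] + b"X" + IMAGE[1501:]

if __name__ == "__main__":
    baseline = list(record_md5s(io.BytesIO(IMAGE)))
    for n, digest in baseline:
        print(f"{digest}  [{n}]")       # same layout as the test run in the message
    later = list(record_md5s(ShortReads(ALTERED, 300)))
    print("changed records:", changed_records(baseline, later))
```

Comparing the two hash lists points at the record that differs rather than only reporting that the whole image no longer matches.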

