Forensic Disk Differencing

From ForensicsWiki

Revision as of 14:32, 29 May 2010

Forensic Disk Differencing is the process of taking two or more disk images from the same computer and determining what activity on that computer might account for the changes observed between the earlier image and the later one. One common use of differencing is to determine what an attacker did during a break-in. Used this way, it requires a forensic disk image of the computer taken before the break-in and another taken after it.

Differencing Tools

idifference.py

idifference.py is part of the Digital Forensics XML Python Toolkit distributed with fiwalk. This tool will compare two different disk images and report changes in files between the first and the second. It also produces a timeline of changes.

For example, using the nps-2009-canon2 series of disk images:

$ python idifference.py /nps-2009-canon2-gen2.raw nps-2009-canon2-gen3.raw 
>>> Reading /corp/drives/nps/nps-2009-canon2/nps-2009-canon2-gen2.raw
>>> Reading /corp/drives/nps/nps-2009-canon2/nps-2009-canon2-gen3.raw


Disk image:/corp/drives/nps/nps-2009-canon2/nps-2009-canon2-gen3.raw 


New Files: 

2008-12-23 14:26:12	1315993	DCIM/100CANON/IMG_0041.JPG

Deleted Files: 

2008-12-23 14:12:38	855935	DCIM/100CANON/IMG_0001.JPG
2008-12-23 14:22:38	1347778	DCIM/100CANON/IMG_0037.JPG

Files with modified content (but size unchanged): 


Files with changed file properties: 

DCIM/CANONMSC/M0100.CTG	SHA1 changed	69b30c352ee802f49b1ea25325af9fa05c3ffca1	->	baa42c03a917b01b212fb7e538e5deb525995f31
DCIM/CANONMSC/M0100.CTG	crtime changed to	1230070924	->	1230071142
DCIM/CANONMSC/M0100.CTG	mtime changed to	1230070924	->	1230071142
DCIM/CANONMSC/M0100.CTG	resized	180	->	188

Timeline 

2008-12-23 14:25:42	DCIM/CANONMSC/M0100.CTG	SHA1 changed	69b30c352ee802f49b1ea25325af9fa05c3ffca1	->	baa42c03a917b01b212fb7e538e5deb525995f31
2008-12-23 14:25:42	DCIM/CANONMSC/M0100.CTG	crtime changed	1230070924	->	1230071142
2008-12-23 14:25:42	DCIM/CANONMSC/M0100.CTG	mtime changed	1230070924	->	1230071142
2008-12-23 14:25:42	DCIM/CANONMSC/M0100.CTG	resized	180	->	188
$
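The comparison behind the report above, written out as an added example (this is not idifference.py's own code, and the per-file records below are constructed stand-ins for the fileobject entries fiwalk extracts from each image). It reproduces the five sections the tool prints, including the case that matters most to an investigator: a file whose content changed while its size did not.

```python
from datetime import datetime, timezone

# Constructed per-file records (path -> attributes) standing in for the fileobject
# entries fiwalk extracts from each image; every value here is invented for the example.
GEN2 = {
    "DCIM/100CANON/IMG_0001.JPG": {"size": 855935, "sha1": "1" * 40, "mtime": 1230070358, "crtime": 1230070358},
    "DCIM/100CANON/IMG_0037.JPG": {"size": 1347778, "sha1": "2" * 40, "mtime": 1230070958, "crtime": 1230070958},
    "DCIM/100CANON/IMG_0038.JPG": {"size": 1296150, "sha1": "3" * 40, "mtime": 1230070966, "crtime": 1230070966},
    "DCIM/CANONMSC/M0100.CTG": {"size": 180, "sha1": "4" * 40, "mtime": 1230070924, "crtime": 1230070924},
}
GEN3 = {
    "DCIM/100CANON/IMG_0038.JPG": {"size": 1296150, "sha1": "5" * 40, "mtime": 1230070966, "crtime": 1230070966},
    "DCIM/100CANON/IMG_0041.JPG": {"size": 1315993, "sha1": "6" * 40, "mtime": 1230071172, "crtime": 1230071172},
    "DCIM/CANONMSC/M0100.CTG": {"size": 188, "sha1": "7" * 40, "mtime": 1230071142, "crtime": 1230071142},
}

def ts(epoch):
    """Render an epoch second the way the tool prints it (shown here in UTC)."""
    return datetime.fromtimestamp(epoch, timezone.utc).strftime("%Y-%m-%d %H:%M:%S")

def difference(old, new):
    """Classify the changes between two inventories into the sections idifference.py prints."""
    rep = {"new": [], "deleted": [], "modified_same_size": [], "changed_properties": [], "timeline": []}
    for path in sorted(set(new) - set(old)):          # present only in the later image
        rep["new"].append((ts(new[path]["mtime"]), new[path]["size"], path))
    for path in sorted(set(old) - set(new)):          # present only in the earlier image
        rep["deleted"].append((ts(old[path]["mtime"]), old[path]["size"], path))
    for path in sorted(set(old) & set(new)):
        a, b = old[path], new[path]
        if a["sha1"] != b["sha1"] and a["size"] == b["size"]:
            # Content rewritten without the size changing: invisible to a size-only
            # comparison, and to a timestamp-only timeline if mtime was preserved too.
            rep["modified_same_size"].append((ts(b["mtime"]), path))
            rep["timeline"].append((ts(b["mtime"]), path, "content changed", a["sha1"], b["sha1"]))
        for attr in ("sha1", "crtime", "mtime", "size"):
            if a[attr] != b[attr] and not (attr == "sha1" and a["size"] == b["size"]):
                rep["changed_properties"].append((path, attr, a[attr], b[attr]))
                rep["timeline"].append((ts(b["mtime"]), path, attr + " changed", a[attr], b[attr]))
    rep["timeline"].sort()                            # chronological, keyed on the new mtime
    return rep

if __name__ == "__main__":
    for section, rows in difference(GEN2, GEN3).items():
        print(section + ":")
        for row in rows:
            print("  " + "\t".join(str(x) for x in row))
```

The hash comparison is what separates this from a plain directory listing diff: IMG_0038.JPG keeps its size and timestamps across the two constructed images and is still reported because its SHA1 changed.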

Sometimes inode change times are not available for all of the files:

$ python idifference.py /corp/drives/nps/nps-2009-canon2/nps-2009-canon2-gen1.raw /corp/drives/nps/nps-2009-canon2/nps-2009-canon2-gen2.raw 
>>> Reading /corp/drives/nps/nps-2009-canon2/nps-2009-canon2-gen1.raw
>>> Reading /corp/drives/nps/nps-2009-canon2/nps-2009-canon2-gen2.raw


Disk image:/corp/drives/nps/nps-2009-canon2/nps-2009-canon2-gen2.raw 


New Files: 

2008-12-23 14:22:04	180	DCIM/CANONMSC/M0100.CTG
2008-12-23 14:22:38	1347778	DCIM/100CANON/IMG_0037.JPG
2008-12-23 14:22:46	1296150	DCIM/100CANON/IMG_0038.JPG
2008-12-23 14:22:54	1440506	DCIM/100CANON/IMG_0039.JPG
2008-12-23 14:23:00	1451033	DCIM/100CANON/IMG_0040.JPG

Deleted Files: 

2008-12-23 14:13:02	836531	DCIM/100CANON/IMG_0005.JPG
2008-12-23 14:13:26	853643	DCIM/100CANON/IMG_0010.JPG
2008-12-23 14:13:52	821758	DCIM/100CANON/IMG_0015.JPG
2008-12-23 14:14:16	883127	DCIM/100CANON/IMG_0020.JPG
2008-12-23 14:14:40	791333	DCIM/100CANON/IMG_0025.JPG
2008-12-23 14:15:02	867833	DCIM/100CANON/IMG_0030.JPG
2008-12-23 14:15:28	820105	DCIM/100CANON/IMG_0035.JPG

Files with modified content (but size unchanged): 


Files with changed file properties: 


Timeline