Difference between revisions of "Forensic Disk Differencing"

From Forensics Wiki
Jump to: navigation, search
m (idifference.py)
m (idifference.py)
Line 9: Line 9:
 
<pre>
 
<pre>
 
$ python idifference.py /nps-2009-canon2-gen2.raw nps-2009-canon2-gen3.raw  
 
$ python idifference.py /nps-2009-canon2-gen2.raw nps-2009-canon2-gen3.raw  
>>> Reading /corp/drives/nps/nps-2009-canon2/nps-2009-canon2-gen2.raw
+
>>> Reading nps-2009-canon2-gen2.raw
>>> Reading /corp/drives/nps/nps-2009-canon2/nps-2009-canon2-gen3.raw
+
>>> Reading nps-2009-canon2-gen3.raw
 
+
  
 
Disk image:/corp/drives/nps/nps-2009-canon2/nps-2009-canon2-gen3.raw  
 
Disk image:/corp/drives/nps/nps-2009-canon2/nps-2009-canon2-gen3.raw  
 
  
 
New Files:  
 
New Files:  
Line 26: Line 24:
  
 
Files with modified content (but size unchanged):  
 
Files with modified content (but size unchanged):  
 
  
 
Files with changed file properties:  
 
Files with changed file properties:  
Line 41: Line 38:
 
2008-12-23 14:25:42 DCIM/CANONMSC/M0100.CTG mtime changed 1230070924 -> 1230071142
 
2008-12-23 14:25:42 DCIM/CANONMSC/M0100.CTG mtime changed 1230070924 -> 1230071142
 
2008-12-23 14:25:42 DCIM/CANONMSC/M0100.CTG resized 180 -> 188
 
2008-12-23 14:25:42 DCIM/CANONMSC/M0100.CTG resized 180 -> 188
 +
2008-12-23 14:26:12 DCIM/100CANON/IMG_0041.JPG created
 
$
 
$
 
</pre>
 
</pre>
  
Sometimes inode change times is not available for all of the files:
+
If files are only added or deleted,  inode change times is not available for all of the files:
 
<pre>
 
<pre>
$ python idifference.py /corp/drives/nps/nps-2009-canon2/nps-2009-canon2-gen1.raw /corp/drives/nps/nps-2009-canon2/nps-2009-canon2-gen2.raw  
+
$ python idifference.py nps-2009-canon2-gen1.raw nps-2009-canon2-gen2.raw  
 
>>> Reading /corp/drives/nps/nps-2009-canon2/nps-2009-canon2-gen1.raw
 
>>> Reading /corp/drives/nps/nps-2009-canon2/nps-2009-canon2-gen1.raw
 
>>> Reading /corp/drives/nps/nps-2009-canon2/nps-2009-canon2-gen2.raw
 
>>> Reading /corp/drives/nps/nps-2009-canon2/nps-2009-canon2-gen2.raw

Revision as of 13:35, 29 May 2010

Forensic Disk Differencing is the process of taking two or more disk images from the same computer and determining what changes in the first disk image might have resulted in the changes that are observed in the second. One common use of differencing is to determine what an attacker did during a break-in. To be used for this purpose, it is necessary to have a forensic disk image of the computer before the break-in and after the break-in.

Differencing Tools

idifference.py

idifference.py is part of the Digital Forensics XML Python Toolkit distributed with fiwalk. This tool will compare two different disk images and report changes in files between the first and the second. It also produces a timeline of changes.

For example, using the nps-2009-canon2 series of disk images: 

$ python idifference.py /nps-2009-canon2-gen2.raw nps-2009-canon2-gen3.raw 
>>> Reading nps-2009-canon2-gen2.raw
>>> Reading nps-2009-canon2-gen3.raw

Disk image:/corp/drives/nps/nps-2009-canon2/nps-2009-canon2-gen3.raw 

New Files: 

2008-12-23 14:26:12	1315993	DCIM/100CANON/IMG_0041.JPG

Deleted Files: 

2008-12-23 14:12:38	855935	DCIM/100CANON/IMG_0001.JPG
2008-12-23 14:22:38	1347778	DCIM/100CANON/IMG_0037.JPG

Files with modified content (but size unchanged): 

Files with changed file properties: 

DCIM/CANONMSC/M0100.CTG	SHA1 changed	69b30c352ee802f49b1ea25325af9fa05c3ffca1	->	baa42c03a917b01b212fb7e538e5deb525995f31
DCIM/CANONMSC/M0100.CTG	crtime changed to	1230070924	->	1230071142
DCIM/CANONMSC/M0100.CTG	mtime changed to	1230070924	->	1230071142
DCIM/CANONMSC/M0100.CTG	resized	180	->	188

Timeline 

2008-12-23 14:25:42	DCIM/CANONMSC/M0100.CTG	SHA1 changed	69b30c352ee802f49b1ea25325af9fa05c3ffca1	->	baa42c03a917b01b212fb7e538e5deb525995f31
2008-12-23 14:25:42	DCIM/CANONMSC/M0100.CTG	crtime changed	1230070924	->	1230071142
2008-12-23 14:25:42	DCIM/CANONMSC/M0100.CTG	mtime changed	1230070924	->	1230071142
2008-12-23 14:25:42	DCIM/CANONMSC/M0100.CTG	resized	180	->	188
2008-12-23 14:26:12	DCIM/100CANON/IMG_0041.JPG	created
$

If files are only added or deleted, inode change times is not available for all of the files: 

$ python idifference.py nps-2009-canon2-gen1.raw nps-2009-canon2-gen2.raw 
>>> Reading /corp/drives/nps/nps-2009-canon2/nps-2009-canon2-gen1.raw
>>> Reading /corp/drives/nps/nps-2009-canon2/nps-2009-canon2-gen2.raw


Disk image:/corp/drives/nps/nps-2009-canon2/nps-2009-canon2-gen2.raw 


New Files: 

2008-12-23 14:22:04	180	DCIM/CANONMSC/M0100.CTG
2008-12-23 14:22:38	1347778	DCIM/100CANON/IMG_0037.JPG
2008-12-23 14:22:46	1296150	DCIM/100CANON/IMG_0038.JPG
2008-12-23 14:22:54	1440506	DCIM/100CANON/IMG_0039.JPG
2008-12-23 14:23:00	1451033	DCIM/100CANON/IMG_0040.JPG

Deleted Files: 

2008-12-23 14:13:02	836531	DCIM/100CANON/IMG_0005.JPG
2008-12-23 14:13:26	853643	DCIM/100CANON/IMG_0010.JPG
2008-12-23 14:13:52	821758	DCIM/100CANON/IMG_0015.JPG
2008-12-23 14:14:16	883127	DCIM/100CANON/IMG_0020.JPG
2008-12-23 14:14:40	791333	DCIM/100CANON/IMG_0025.JPG
2008-12-23 14:15:02	867833	DCIM/100CANON/IMG_0030.JPG
2008-12-23 14:15:28	820105	DCIM/100CANON/IMG_0035.JPG

Files with modified content (but size unchanged): 


Files with changed file properties: 


Timeline
Retrieved from "http://www.forensicswiki.org/w/index.php?title=Forensic_Disk_Differencing&oldid=10325"