Скачать или смотреть In-place Hash Comparison with Sleuthkit and CoreUtils on Windows

In this video we talk about how to do in-place file hash comparison from a disk image. We use the Sleuthkit and CoreUtils on Windows to extract file data, create an MD5 hash of the file data and use hfind to search a hash database.

Specifically, we analyze an Expert Witness File (E01). First we use mmls to extract partition information from the physical disk image. From that we can extract the partition offset. With the partition offset, we can use FLS to list the files in the partition. We show how to use icat and fcat to extract file data using the file inode or the file name. We feed the icat output into md5sum (coreUtils) and cut everything except the md5 hash value. Finally, we pipe the hash value into hfind (sleuthkit) to search whether the hash value is in the known database.

Install Sleithkit on Windows:    • [How To] Install the Sleuthkit in Windows  
Install CoreUtils on Windows:    • [How To] Install GNU CoreUtils on Windows  

https://bit.ly/2Ij9Ojc - 👍 Subscribe for weekly videos

❤️ Get early access and bonus content -   / dfirscience  

010001000100011001010011011000110110100101100101011011100110001101100101
Help make DFIR tutorials
👍 Subscribe → https://bit.ly/2Ij9Ojc
🛒 Shop → https://swag.dfir.science
❤️ Patreon →   / dfirscience  

🕸️ Blog → https://DFIR.Science
🤖 Code → https://github.com/DFIRScience
🐦 Follow →   / dfirscience  
📰 DFIR Newsletter → https://bit.ly/DFIRNews
010100110111010101100010011100110110001101110010011010010110001001100101

This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License. Please link back to the original video. If you want to use this video for commercial purposes, please contact us first. We would love to see what you are doing and will probably allow its use.