EC2 DFIR Workshop
Lab 6: Creating a Hash Database
GOAL:
Create a database of all files on the BASELINE Volume so we can identify changes made to the EVIDENCE Volume
SUMMARY OF STEPS:
- Use md5sum to calculate BASELINE hashes
- Use hfind to create the known_files Database
Step 1 – Use md5sum to calculate BASELINE hashes
The first step is to use some command line kung fu to calculate the hash of all files found on the BASELINE volume:
mkdir /cases/changed && cd /cases/changed
find /mnt/linux_base -type f -print0 | xargs -0 \
md5sum > known_files.md5
cat known_files.md5 # View the output
Read the man page for the find command and the -type option:
man find
The xargs command reads the null-separated file names that find -print0 writes to its standard output and runs the following command (md5sum) on them, passing the names as arguments.
VIDEO: Lab 6 Step 1 - Use md5sum to calculate BASELINE hashes
Step 2 – Create the known_files Database
Next, index the hash list into a database:
hfind -i md5sum known_files.md5
ls # View the output
cat known_files.md5-md5.idx
file known_files.md5-md5.idx
file known_files.md5-md5.idx2
Read the man page for the hfind command and the -i option:
man hfind
VIDEO: Lab 6 Step 2 - Create the known_files Database
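The two steps above, carried through to the lab's goal, as an added example that is not part of the workshop: it runs the same find | xargs | md5sum pipeline over two constructed directory trees standing in for the BASELINE and EVIDENCE volumes, then looks each EVIDENCE hash up in the baseline list to flag files whose content is not known. The lookup is done with awk over the hash list instead of hfind, so it runs on any box with coreutils; the directory layout and file contents are made up for the demo, and /mnt/linux_base is replaced by the temporary directories.

```shell
#!/usr/bin/env bash
# Added example, not the workshop's own code. The two directories created in
# demo() are constructed stand-ins for the BASELINE and EVIDENCE volumes.
set -eu

# Hash every regular file under $1 (the lab's find/xargs/md5sum command) and
# write "<md5>  ./relative/path" lines to $2. Running from inside the root
# keeps paths comparable between the two volumes; sort -z makes the order
# deterministic.
make_hash_list() {
    ( cd "$1" && find . -type f -print0 | LC_ALL=C sort -z | xargs -0 md5sum ) > "$2"
}

# Compare an EVIDENCE list ($2) against a BASELINE list ($1). Prints one line
# per finding: NOTKNOWN for a file whose hash is absent from the baseline (new
# or modified content), MISSING for a baseline path that no longer exists.
# The first check is keyed on the hash, not the path, which is what hfind's
# index lookup does.
compare_to_baseline() {
    awk 'NR == FNR { known[$1] = 1; next }      # pass 1: load baseline hashes
         !($1 in known) { print "NOTKNOWN", $2 }' "$1" "$2"   # pass 2: evidence
    awk 'NR == FNR { seen[$2] = 1; next }       # pass 1: evidence paths
         !($2 in seen) { print "MISSING", $2 }' "$2" "$1"     # pass 2: baseline
}

# Build two small trees (constructed data) and print the findings.
demo() {
    local work
    work=$(mktemp -d)
    mkdir -p "$work/base/etc" "$work/evid/etc" "$work/evid/tmp"
    printf 'root:x:0:0\n' > "$work/base/etc/passwd"
    printf 'PermitRootLogin no\n' > "$work/base/etc/sshd_config"
    printf 'welcome\n' > "$work/base/etc/motd"
    cp "$work/base/etc/passwd" "$work/evid/etc/passwd"             # unchanged
    printf 'PermitRootLogin yes\n' > "$work/evid/etc/sshd_config"  # modified
    printf '#!/bin/sh\n' > "$work/evid/tmp/x.sh"                   # new file
    make_hash_list "$work/base" "$work/known_files.md5"
    make_hash_list "$work/evid" "$work/evidence.md5"
    compare_to_baseline "$work/known_files.md5" "$work/evidence.md5"
    rm -rf "$work"
}
```

Running demo reports sshd_config and tmp/x.sh as NOTKNOWN and etc/motd as MISSING; passwd, whose content matches the baseline, is silent. The awk field splitting assumes paths without whitespace, which the constructed tree honours; for a real volume, keep the -print0/-0 handling from the lab and use hfind for the lookup.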