EC2 DFIR Workshop
Lab 7: Using Hashes to Identify Changes
GOAL:
Use the known_files database to detect changes made to the EVIDENCE Volume based on the hashes of files found on it.
SUMMARY OF STEPS:
- Use md5sum to calculate EVIDENCE hashes
- Use hfind to create the investigate_files Database
- Compare the investigate_files with known_files
Step 1 – Use md5sum to calculate EVIDENCE hashes
Calculate the hash of all files found on the EVIDENCE volume:
find /mnt/linux_mount -type f -print0 | xargs -0 \
md5sum > investigate_files.md5
cat investigate_files.md5 # View the output
The “\” is the line continuation symbol in bash
VIDEO: Lab 7 Step 1 - Use md5sum to calculate EVIDENCE hashes
Step 2 – Create the investigate_files Database
Next, index the hash list into a database:
hfind -i md5sum investigate_files.md5
VIDEO: Lab 7 Step 2 - Create the investigate_files Database
Step 3 – Compare the investigate_files with known_files
Create a list of just the MD5 Hashes that were not found in known_files:
awk '{print $1}' investigate_files.md5 | hfind known_files.md5 | grep \
"Hash Not Found" | awk '{print $1}' > changed.md5
Use hfind to return the corresponding file names:
hfind -f changed.md5 investigate_files.md5 > changed_files.txt
Review the changed_files.txt output. Anything jump out?
less changed_files.txt
VIDEO: Lab 7 Step 3 - Compare the investigate_files with known_files
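As an added example (not part of the workshop and not the lab's own scripts), the three steps above reproduced as one bash script that uses only coreutils and awk in place of hfind, so it runs on any Linux box without The Sleuth Kit. The baseline ("known") and evidence trees it hashes are constructed inline; their directory and file names, and the function names, are assumptions made for the example.

```shell
#!/usr/bin/env bash
# Added example: the Lab 7 pipeline (hash, index, compare) without hfind.
set -eu

# Step 1 equivalent: md5 of every regular file under a tree.
# hash_tree DIR OUT
hash_tree() {
  find "$1" -type f -print0 | xargs -0 md5sum > "$2"
}

# Step 3 equivalent of "awk | hfind known_files.md5 | grep 'Hash Not Found'":
# print each hash from INVESTIGATE (once) that does not occur in KNOWN.
# unknown_hashes KNOWN INVESTIGATE OUT
unknown_hashes() {
  awk 'FILENAME == ARGV[1] { known[$1] = 1; next }
       !($1 in known) && !seen[$1]++ { print $1 }' "$1" "$2" > "$3"
}

# Equivalent of "hfind -f changed.md5 investigate_files.md5":
# map the unknown hashes back to "hash  path" lines from the evidence list.
# changed_files HASHLIST INVESTIGATE OUT
changed_files() {
  awk 'FILENAME == ARGV[1] { want[$1] = 1; next }
       ($1 in want)' "$1" "$2" > "$3"
}

# Constructed sample: a known-good baseline and an evidence copy in which one
# file is modified and one file is new. Prints the number of flagged files.
demo_changed_count() {
  local work
  work=$(mktemp -d)
  mkdir -p "$work/baseline/etc" "$work/evidence/etc"

  printf 'Welcome\n'     > "$work/baseline/etc/motd"      # unchanged on evidence
  printf 'host=example\n' > "$work/baseline/etc/hostname"  # modified on evidence

  cp "$work/baseline/etc/motd" "$work/evidence/etc/motd"
  printf 'host=changed\n' > "$work/evidence/etc/hostname"
  printf 'not in baseline\n' > "$work/evidence/etc/unexpected.txt"  # new file

  hash_tree     "$work/baseline" "$work/known_files.md5"
  hash_tree     "$work/evidence" "$work/investigate_files.md5"
  unknown_hashes "$work/known_files.md5" "$work/investigate_files.md5" "$work/changed.md5"
  changed_files  "$work/changed.md5" "$work/investigate_files.md5" "$work/changed_files.txt"

  # Expected: hostname (modified) and unexpected.txt (new); motd is not listed.
  wc -l < "$work/changed_files.txt" | tr -d ' '
  rm -rf "$work"
}

echo "changed files: $(demo_changed_count)"
```

Because the comparison is by hash only, the baseline and evidence trees may be mounted at different paths (as known_files.md5 and /mnt/linux_mount are in the lab); a file whose content is unchanged is not reported even if it was renamed or moved, and a file that was changed and later changed back to its original content is not reported either.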
Lab 7 - Shortcut
As root on the SIFT Workstation, run the following commands:
wget https://s3.amazonaws.com/forensicate.cloud-data/find_changed_files.sh
nohup bash find_changed_files.sh 2>/dev/null &
VIDEO: Lab 7 Shortcut
TIPS:
- The “&” sends the job to the background; “nohup” allows you to log out.
- The 2>/dev/null suppresses the errors when it encounters a directory.
- Use the following commands to see the relative sizes:
wc --lines known_files.md5
wc --lines investigate_files.md5
wc --lines changed_files.txt