File Hash
One important step in any analysis is verifying the integrity of your data both before after the analysis is complete. You can get a hash (CRC, MD5, or SHA) of each file in a number of different ways. We will use the SHA hash. SHA is a hash signature generator that supplies a 160-bit “fingerprint” of a file or disk. It is not feasible for someone to computationally recreate a file based on the SHA hash. This means that matching SHA signatures mean identical files.
We can get an SHA sum of a disk bychanging to our evidence directory (i.e./root/evidence) and doing (note that the following commands can be replaced withmd5sumif you prefer to use MD5 sums):
sha1sum /dev/fd0or
sha1sum /dev/fd0 > SHA.disk1
The redirection in the secondcommand allows us to store the signature in a file and use it for verification later on. To get a hash of a raw disk (/dev/hda, /dev/fd0, etc.) the disk does NOT have to be mounted. We are hashing the device (the disk) not the file system. As we discussed earlier, Linux treats all objects, including physical disks, asfiles. So whether you are hashing a file of a hard drive, the command is the same.
We can get a hash of each file on the disk using thefindcommand and an option that allows us to execute a command on each file found. We can get a very useful list of SHA hashes for every file on a disk (once it is mounted, as in the loop mount command on the previous page) by changing to the_/mnt/analysis_directory:
mount -t vfat -o ro,noexec,loop image.disk1 /mnt/analysis
cd /mnt/analysis
and issuing the command:
find . -type f -exec sha1sum {} \; > /root/evidence/SHA.filelist
This command says “find, starting in the_current_directory (signified by the “.”), any regular file (-type f) and execute (-exec) the commandsha1sumon all files found ({}). Redirect the output to_SHA.filelist_in the /root/evidence directory (where we are storing all of our evidence files). The “\;”is an escape sequence that ends the–execcommand.
You can also use Linux to do your verification for you. To verify that nothing has been changed on the original floppy, you can use the -c option withsha1sum. If the disk was not altered, the commandwill return “ok”. Make sure the floppy is in the drive and type:
sha1sum -c /root/evidence/SHA.disk1
If the SHA hashes match from the floppy and the original SHA output file, then the command will return “OK” for/dev/fd0. The same can be done with the list of file SHAs. Mount the floppy on_/mnt/analysis,_change to that directory and issue the command:
sha1sum -c /root/evidence/SHA.filelist
Again, the SHA hashes in the file will be compared with SHA sums taken from the floppy (atthe mount point). If anything has changed, the program will give a “failed” message. Unchanged files will be marked “OK”.