How does tsk_fs_file_hash_calc() work?


How does tsk_fs_file_hash_calc() work?

sleuthkit
Hey,
I started to modify tsk_recover to my needs by adding some basic triage functionality directly into the code. Basically what I did was to extend the TskRecover::writeFile function with the following snippet (directly at the beginning of the function).

    int8_t hashFound = 0;
    TSK_FS_HASH_RESULTS fileHash = {};

    /* tsk_fs_file_hash_calc() returns 1 on error; only use the digest if it succeeded */
    if (tsk_fs_file_hash_calc (a_fs_file, &fileHash, TSK_BASE_HASH_MD5) != 0) {
        tsk_error_print (stderr);
        tsk_error_reset ();
    }
    else {
        /* raw 16-byte MD5 lookup in the NSRL set: 1 = known, 0 = unknown, -1 = error */
        hashFound = tsk_hdb_lookup_raw (m_hdbInfo, fileHash.md5_digest, 16, TSK_HDB_FLAG_QUICK, NULL, NULL);

        if (hashFound == 1)
            return 0;       /* known file: skip it */
        else if (hashFound == -1)
            fprintf (stderr, "Error hash lookup.\n");
    }

m_hdbInfo is an added member variable of type TSK_HDB_INFO* which I set in the constructor to an NSRL database; everything else should be self-explanatory.

The problem is that the hashes are not calculated correctly. I made two observations: 1) The hashes change in every test run. 2) The calculated hashes repeat, quite often but without a pattern (at least I couldn't see one).
I checked with md5sum and the hashes are definitely wrong.
So is there something I missed? For example I thought of a missing init function call, but tsk_fs_file_hash_calc does that already.

Kind regards

------------------------------------------------------------------------------
_______________________________________________
sleuthkit-users mailing list
https://lists.sourceforge.net/lists/listinfo/sleuthkit-users
http://www.sleuthkit.org

Re: How does tsk_fs_file_hash_calc() work?

Simson Garfinkel-3
Hi. All of this functionality is in fiwalk. Have you looked at that program?

Regards,

Simson Garfinkel

> On Dec 9, 2015, at 9:28 AM, [hidden email] wrote:
>
> Hey,
> I started to modify tsk_recover to my needs by adding some basic triage functionality directly into the code. Basically what I did was to extend the TskRecover::writeFile function with the following snippet (directly at the beginning of the function).
>
>    int8_t hashFound = 0;
>    TSK_FS_HASH_RESULTS fileHash = {};
>
>    tsk_fs_file_hash_calc (a_fs_file, &fileHash, TSK_BASE_HASH_MD5);
>    hashFound = tsk_hdb_lookup_raw (m_hdbInfo, fileHash.md5_digest, 16, TSK_HDB_FLAG_QUICK, NULL, NULL);
>
>    if (hashFound == 1)
>        return 0;
>    else if (hashFound == -1)
>        fprintf(stderr, "Error hash lookup.");
>
> m_hdbInfo is an added member variable of type TSK_HDB_INFO* which I set in the constructor to an NSRL database; everything else should be self-explanatory.
>
> The problem is that the hashes are not calculated correctly. I made two observations: 1) The hashes change in every test run. 2) The calculated hashes repeat, quite often but without a pattern (at least I couldn't see one).
> I checked with md5sum and the hashes are definitely wrong.
> So is there something I missed? For example I thought of a missing init function call, but tsk_fs_file_hash_calc does that already.
>
> Kind regards
>



Re: How does tsk_fs_file_hash_calc() work?

Brian Carrier-2
In reply to this post by sleuthkit
Is tsk_fs_file_hash_calc() returning an error code?  It should return 1 on error and you can get the error with tsk_error_print().




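The triage flow from the first post, with the return codes Brian asks about actually checked, as an added Python example written for this thread; it is not Sleuth Kit code. hashlib stands in for tsk_fs_file_hash_calc(), a `read(offset, length)` callback stands in for the file-system read that function performs, and a set of raw 16-byte digests stands in for the NSRL lookup done by tsk_hdb_lookup_raw(). The sample data and the failing reader are constructed.

```python
"""Hash-based triage of a recovered file, with every return code checked.

Added example, not Sleuth Kit code: `read(offset, length)` stands in for the
file-system read that tsk_fs_file_hash_calc() performs internally, and the set
of raw 16-byte digests stands in for the NSRL lookup of tsk_hdb_lookup_raw().
"""
import hashlib

CHUNK = 64 * 1024          # read/hash granularity


class HashError(Exception):
    """The file could not be hashed (the case where hash_calc returns 1)."""


def hash_file(read, size):
    """Return the raw 16-byte MD5 of `size` bytes supplied by `read(offset, length)`.

    A reader returning None signals a failed read and a shorter-than-requested
    buffer a short read; both abort the hash instead of producing a digest of
    whatever happened to be read.
    """
    md5 = hashlib.md5()
    off = 0
    while off < size:
        want = min(CHUNK, size - off)
        buf = read(off, want)
        if buf is None:
            raise HashError("read failed at offset %d" % off)
        if len(buf) != want:
            raise HashError("short read at offset %d: %d of %d bytes" % (off, len(buf), want))
        md5.update(buf)
        off += want
    return md5.digest()


def hash_file_unchecked(read, size):
    """The anti-pattern: read failures are ignored, so a digest is always
    produced and it is silently wrong whenever a read failed."""
    md5 = hashlib.md5()
    for off in range(0, size, CHUNK):
        md5.update(read(off, min(CHUNK, size - off)) or b"")
    return md5.digest()


def triage(read, size, known):
    """'known'   -> the file is in the hash set, skip it
       'unknown' -> not in the set, recover it
       'error'   -> hashing failed; recover it anyway rather than guess"""
    try:
        digest = hash_file(read, size)
    except HashError as exc:
        print("hash error:", exc)
        return "error"
    return "known" if digest in known else "unknown"


# --- constructed sample data ----------------------------------------------
SAMPLE = b"hello world\n" * 20_000           # ~240 KB, spans several chunks
MD5SUM = hashlib.md5(SAMPLE).hexdigest()      # what `md5sum` would print


def good_reader(off, n):
    return SAMPLE[off:off + n]


def failing_reader(off, n):
    """Constructed failure: every read at or beyond 100 KB fails."""
    return None if off >= 100_000 else SAMPLE[off:off + n]


KNOWN = {bytes.fromhex(MD5SUM)}               # an NSRL-style set of raw digests

if __name__ == "__main__":
    print("md5sum    :", MD5SUM)
    print("checked   :", hash_file(good_reader, len(SAMPLE)).hex(),
          triage(good_reader, len(SAMPLE), KNOWN))
    print("failing   :", triage(failing_reader, len(SAMPLE), KNOWN))
    print("unchecked :", hash_file_unchecked(failing_reader, len(SAMPLE)).hex(),
          "(does not match md5sum)")
```

Whatever the cause of the wrong digests in the thread, the design point is the same one Brian raises: a digest is only meaningful after the hash call reported success, and a lookup against a failed or partial hash must never decide whether a file is skipped. Treating "error" as "recover the file" keeps triage conservative, which is what you want when the alternative is silently discarding evidence.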