Hashes after file carving

Mandy Galante

May 6, 2013, 8:52:30 PM
to cyfo...@googlegroups.com
I am confused about whether files retrieved using file carving should be expected to have the same md5 hash as they did in their original state?

Specifically, I am working with my students to retrieve files using the Basic Data Carving Test at this link: ftt.sourceforge.net/test11/index.html

We are having some success, but only some of the files have md5 hashes that match the ones provided in the answer sheet on the website.

Can anyone tell me what the expectation is in this scenario?

Thanks - Mandy Galante

Joel Fernandez

May 6, 2013, 10:14:01 PM
to cyfo...@googlegroups.com
Hi Mandy. That's a yes. Could you re-check the link you posted? I can't resolve it. 



Mandy Galante

May 6, 2013, 10:20:07 PM
to cyfo...@googlegroups.com
Hi Joel,

Here is the parent link: http://dftt.sourceforge.net/ (it's #11, the Basic Data Carving Test). When we use Foremost or Scalpel or FTK on the image, we only get some (very few) of the hashes that match the answer sheet. Not sure what I might be doing wrong.

Thanks for the help.

Joel Fernandez

May 6, 2013, 11:07:48 PM
to cyfo...@googlegroups.com
Here are my initial results with Foremost. I didn't cross-reference, but I'm sure I didn't get them all. This goes to show a bit of how carvers work. Do any of your students care to show their Scalpel results, compare them with mine, and explain why? This could be interesting...

Foremost version 1.5.7 by Jesse Kornblum, Kris Kendall, and Nick Mikus
Audit File

Foremost started at Mon May  6 22:57:23 2013
Invocation: foremost -v -c foremost.conf -o ./carve11 -i ./11-carve-fat/11-carve-fat.dd 
Output directory: /Users/joelfernandezny/Downloads/carve11
Configuration file: /Users/joelfernandezny/Downloads/foremost.conf
------------------------------------------------------------------
File: ./11-carve-fat/11-carve-fat.dd
Start: Mon May  6 22:57:23 2013
Length: Unknown
 
Num Name (bs=512)       Size File Offset Comment 

0: 00019717.jpg      29 KB   10095104  
1: 00019777.jpg     433 KB   10125824  
2: 00020645.jpg      96 KB   10570240  
3: 00020841.gif       5 KB   10670592  (88 x 31)
4: 00000321.wmv       7 MB     164352  
5: 00021929.wmv    1012 KB   11227648  
6: 00020853.mov     537 KB   10676736  
7: 00016021.wav     311 KB    8202752  
8: 00000281.ole      20 KB     143872  
9: 00016693.ole      24 KB    8546816  
10: 00023957.ole       6 MB   12265984  
11: 00023981.zip      77 KB   12278272  
12: 00016741.pdf       1 MB    8571392  (PDF is Linearized)
13: 00019477.pdf     119 KB    9972224  
Finish: Mon May  6 22:57:25 2013

14 FILES EXTRACTED
jpg:= 3
gif:= 1
wmv:= 2
mov:= 1
rif:= 1
ole:= 3
zip:= 1
pdf:= 2
------------------------------------------------------------------

Foremost finished at Mon May  6 22:57:25 2013




Joels-MacBook-Pro:Downloads joelfernandezny$ md5deep -r ./carve11
2532b5eafc7783fbdd86ab01d8b13bc4  /Users/joelfernandezny/Downloads/carve11/audit.txt
d25fb845e6a41395adaed8bd14db7bf2  /Users/joelfernandezny/Downloads/carve11/gif/00020841.gif
37a49f97ed279832cd4f7bd002c826a2  /Users/joelfernandezny/Downloads/carve11/jpg/00019717.jpg
d83428b8742a075b57b0dc424cd297c4  /Users/joelfernandezny/Downloads/carve11/jpg/00020645.jpg
5ae5cd40c3d07d5df554b2030a001ebd  /Users/joelfernandezny/Downloads/carve11/ole/00000281.ole
a9bba638866a7f5ba4badb727a1628c9  /Users/joelfernandezny/Downloads/carve11/ole/00016693.ole
6c9859e5121ff54d5d6298f65f0bf3b3  /Users/joelfernandezny/Downloads/carve11/jpg/00019777.jpg
5328d2b066f428ea95b2793849ab97fa  /Users/joelfernandezny/Downloads/carve11/mov/00020853.mov
5b3e806e8c9c06a475cd45bf821af709  /Users/joelfernandezny/Downloads/carve11/pdf/00019477.pdf
4020b55670015ee50672260efd138aff  /Users/joelfernandezny/Downloads/carve11/wav/00016021.wav
e026ec863410725ba1f5765a1874800d  /Users/joelfernandezny/Downloads/carve11/pdf/00016741.pdf
566fc217518a54954d0d8c77332e38bf  /Users/joelfernandezny/Downloads/carve11/zip/00023981.zip
ff085d0c4d0e0fdc8f3427db68e26266  /Users/joelfernandezny/Downloads/carve11/wmv/00021929.wmv
634a5f382431dde14d4f148a495f662d  /Users/joelfernandezny/Downloads/carve11/ole/00023957.ole
63c0c6986cf0a446cb54b0ac65a921a5  /Users/joelfernandezny/Downloads/carve11/wmv/00000321.wmv
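
Added example, not part of the original thread or of any tool named in it: a carved file hashes the same as the original only when the carver extracts exactly the original byte range. The sketch below builds a constructed raw image, carves the same file once to its footer and once to the end of its last 512-byte sector, and compares both MD5s against a reference hash. The function names, the JPEG-like sample bytes and the 0xAA slack filler are all assumptions made for the illustration.

```python
import hashlib

SECTOR = 512  # same block size as the Foremost audit above (bs=512)
SOI, EOI = b"\xff\xd8\xff", b"\xff\xd9"  # JPEG header / footer signatures

def md5(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()

def build_image(original: bytes, start_sector: int, total_sectors: int) -> bytes:
    """Constructed raw image: file at a sector boundary, stale 0xAA bytes elsewhere."""
    image = bytearray(b"\xaa" * (SECTOR * total_sectors))
    off = start_sector * SECTOR
    image[off:off + len(original)] = original
    return bytes(image)

def footer_end(image: bytes, start: int) -> int:
    """Offset just past the first footer found after the header."""
    pos = image.find(EOI, start)
    if start < 0 or pos < 0:
        raise ValueError("header or footer signature not found")
    return pos + len(EOI)

def carve_exact(image: bytes) -> bytes:
    """Header-to-footer carve: recovers exactly the original byte range."""
    start = image.find(SOI)
    return image[start:footer_end(image, start)]

def carve_to_sector_end(image: bytes) -> bytes:
    """Carve through the end of the last sector touched, so slack is included."""
    start = image.find(SOI)
    end = footer_end(image, start)
    return image[start:-(-end // SECTOR) * SECTOR]  # round end up to a sector

def compare(reference: dict, carved: dict) -> dict:
    """Map each carved name to the reference name with the same MD5, or None."""
    by_hash = {h: name for name, h in reference.items()}
    return {name: by_hash.get(h) for name, h in carved.items()}

def demo() -> dict:
    # Constructed sample: JPEG-like signatures around filler, not a real picture.
    original = SOI + b"\xe0" + bytes(range(200)) * 3 + EOI
    image = build_image(original, start_sector=4, total_sectors=8)
    reference = {"original.jpg": md5(original)}  # stands in for an answer sheet
    carved = {"exact.jpg": md5(carve_exact(image)),
              "padded.jpg": md5(carve_to_sector_end(image))}
    return compare(reference, carved)

if __name__ == "__main__":
    print(demo())
```

The padded carve still begins with the complete original file, so it may open normally in a viewer even though its hash matches nothing on the reference list.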

Mandy Galante

May 7, 2013, 3:30:03 PM
to cyfo...@googlegroups.com
So I took your suggestion and the class today used Scalpel to produce comparable results to yours from Foremost. Then when we meet again on Thursday, they are going to use Scalpel and Foremost to examine the CSAW mini-challenge and see what they can do with that material. That will be perfect timing as you will be releasing an answer soon after which will help with understanding whatever we missed.

Thanks! - Mandy

Joel Fernandez

May 7, 2013, 3:31:59 PM
to cyfo...@googlegroups.com
Great!