Tools that can detect differences between two images?  

Page 1 / 2
engdan
(@engdan)
New Member

Hi all,

I'm wondering if such a tool exists that can take two forensic images and detect differences between them.

For example, two images from the same system taken a day apart and the tool could highlight the new or changed files/folders between the two.

Thanks!

Posted : 10/10/2017 10:43 am
AmNe5iA
(@amne5ia)
Active Member

On MS Windows

X-Ways Forensics.
Select "Tools -> Compare Data"
Choose two files/images to compare.
Creates a search list of differences (or a very large txt file if you want!)

or on Linux

Use 'cmp' command.
The output may not be as immediately useful as the X-Ways/Windows option.

Posted : 10/10/2017 11:12 am
Bunnysniper
(@bunnysniper)
Active Member

Hi all,

I'm wondering if such a tool exists that can take two forensic images and detect differences between them.

For example, two images from the same system taken a day apart and the tool could highlight the new or changed files/folders between the two.

Thanks!

Mounting both images read-only and then making a "diff" of the drives gives you all answers. Simple solution, isn't it?

best regards,
Robin

Posted : 10/10/2017 11:34 am
engdan
(@engdan)
New Member

Mounting both images read-only and then making a "diff" of the drives gives you all answers. Simple solution, isn't it?

best regards,
Robin

Ah! It's so easy to over-complicate these things, eh? Thanks for the advice.

Posted : 10/10/2017 11:39 am
engdan
(@engdan)
New Member

On MS Windows

X-Ways Forensics.
Select "Tools -> Compare Data"
Choose two files/images to compare.
Creates a search list of differences (or a very large txt file if you want!)

or on Linux

Use 'cmp' command.
The output may not be as immediately useful as the X-Ways/Windows option.

Thank you! It also looks (from the online manual at least) that WinHex Free can do this too. I'll check it out, thanks for your advice.

Posted : 10/10/2017 11:40 am
jaclaz
(@jaclaz)
Community Legend

Mounting both images read-only and then making a "diff" of the drives gives you all answers.

What (which specific tool/program) would you suggest to make the "diff" of the drives?

Why would you mount them to volumes?

If you mount them to volumes then you can make a DIR (or ls) of each volume and compare the results with diff; still, AFAIK there might well be "sync" problems, so a tool like, say, WinMerge
http://winmerge.org/

might be more suited (I am pretty sure that similar Linux tools do exist)

@AmNe5iA
That would be a "binary compare", wouldn't it?
If yes, it does not really make much sense - with all due respect - if the scope is that of "highlight the new or changed files/folders between the two."
With a binary compare you will have thousands, maybe millions of single byte differences and a single byte shift may make them millions or billions.

jaclaz

Posted : 10/10/2017 12:53 pm
mansiu
(@mansiu)
Member

Hi all,

I'm wondering if such a tool exists that can take two forensic images and detect differences between them.

For example, two images from the same system taken a day apart and the tool could highlight the new or changed files/folders between the two.

Thanks!

I would use MFT2CSV to produce 2 CSV from the 2 images. And then "diff" the two CSV

Posted : 10/10/2017 1:07 pm
jaclaz
(@jaclaz)
Community Legend

I would use MFT2CSV to produce 2 CSV from the 2 images. And then "diff" the two CSV

Which is a good idea, but for NTFS volumes ONLY.

jaclaz

Posted : 10/10/2017 1:19 pm
engdan
(@engdan)
New Member

@mansiu, @jaclaz

Yes, I appreciate the advice but my images are actually of Android OS so no $MFT…

Posted : 10/10/2017 1:41 pm
jaclaz
(@jaclaz)
Community Legend

@mansiu, @jaclaz

Yes, I appreciate the advice but my images are actually of Android OS so no $MFT…

Yep, I expected that, hence my comment on mansiu's otherwise nice suggestion.

As hinted before, use *whatever tool* you see fit to make a detailed listing in text form of the contents of the filesystem for both images (or temporarily mounted volumes) then compare them, the point I was trying to make being that for this you will need a "compare" tool with "sync" capabilities, not a "plain" compare one, and certainly not a binary compare one.

jaclaz

Posted : 10/10/2017 2:11 pm
JimC
(@jimc)
Member

I would thoroughly recommend Beyond Compare by Scooter Software.

Although not strictly a forensic tool I have never found another tool so capable when it comes to putting 2 file systems side by side and showing the differences. It offers many different options for comparison based upon file names, sizes, contents etc and can filter out common files so the differences are more obvious. Certainly worth the $30 for standard edition.

At the risk of plugging my own tool, you can generate a file system dump of a Windows file system (FAT, NTFS) using my BMTK software. This produces an XML file. You can compare 2 of these XML files to spot subtle changes in the file system. This may not be particularly relevant for live cases but is a great way to experiment with file system behavior and see what is happening in detail under the hood.

Jim

www.binarymarkup.com

Posted : 10/10/2017 2:29 pm
Bunnysniper
(@bunnysniper)
Active Member

Mounting both images read-only and then making a "diff" of the drives gives you all answers.

What (which specific tool/program) would you suggest to make the "diff" of the drives?

Mount with OSFMount and then compare with Windiff.

- Download OSFMount https://www.osforensics.com/tools/mount-disk-images.html
- Download WinDiff https://www.microsoft.com/en-us/download/details.aspx?id=18546

- unpack the Windows XP Support Tools setup file with 7Zip, then unpack the support.cab file with 7Zip. Windiff is inside the folder "support" and is fully portable together with the library file "gutils.dll".
- mount the image file with OSFMount and make sure the button "read-only" is chosen
- Open Windiff and choose File -> Compare Directories and enter both drive letters

You get an output which is nicer than any other tool in my opinion and it is free.

best regards, Robin

PS I am sure you do not need such a detailed response, Jaclaz, but as a reference if someone asks the same question in the future…

Posted : 10/10/2017 2:47 pm
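The listing-and-compare approach jaclaz describes (match entries by path with "sync" semantics rather than comparing bytes or lines positionally), and the "mount read-only, then compare directories" step in Robin's OSFMount/WinDiff recipe, can be scripted directly. The following is an added example, not code from the thread or from any of the tools named in it; it assumes both images are already mounted read-only at two directory paths, and the two sample trees it builds are constructed stand-ins for images of the same device taken a day apart.

```python
"""Compare two mounted (read-only) filesystem trees by relative path and
report new, deleted, content-changed and timestamp-only-changed files.

Added example; assumes the two images are mounted read-only somewhere
(e.g. /mnt/img_day1 and /mnt/img_day2) and that those mount points are
passed to compare_trees().
"""
import hashlib
import os
import tempfile
from typing import Dict, List, Tuple


def sha256_of(path: str, chunk: int = 1 << 20) -> str:
    """Stream a file through SHA-256 so large files never load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def list_tree(root: str) -> Dict[str, dict]:
    """Map relative path -> {size, mtime, sha256} for every entry under root.
    Symlinks are recorded by name but not followed, so a link pointing
    outside the image cannot pull foreign data into the listing."""
    entries = {}
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        dirnames.sort()
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            st = os.lstat(full)
            is_regular = os.path.isfile(full) and not os.path.islink(full)
            entries[rel] = {
                "size": st.st_size,
                "mtime": int(st.st_mtime),
                "sha256": sha256_of(full) if is_regular else None,
            }
    return entries


def compare_trees(old_root: str, new_root: str) -> Dict[str, List[str]]:
    """Return added / removed / changed / touched relative paths.
    'changed' means the content hash differs; 'touched' means identical
    content but a different mtime, reported separately so that
    timestamp-only activity is not silently dropped."""
    old, new = list_tree(old_root), list_tree(new_root)
    added = sorted(set(new) - set(old))
    removed = sorted(set(old) - set(new))
    changed, touched = [], []
    for rel in sorted(set(old) & set(new)):
        if old[rel]["sha256"] != new[rel]["sha256"]:
            changed.append(rel)
        elif old[rel]["mtime"] != new[rel]["mtime"]:
            touched.append(rel)
    return {"added": added, "removed": removed,
            "changed": changed, "touched": touched}


def build_sample_trees() -> Tuple[str, str]:
    """Constructed sample data standing in for two mounted images
    of the same Android-style layout taken a day apart."""
    day1 = tempfile.mkdtemp(prefix="img_day1_")
    day2 = tempfile.mkdtemp(prefix="img_day2_")
    files_day1 = {"system/build.prop": b"ro.build.id=ABC\n",
                  "data/app.log": b"boot ok\n",
                  "data/cache.tmp": b"stale\n"}
    files_day2 = {"system/build.prop": b"ro.build.id=ABC\n",
                  "data/app.log": b"boot ok\nlogin from 10.0.0.5\n",
                  "data/newbinary": b"\x7fELF constructed sample"}
    for root, files in ((day1, files_day1), (day2, files_day2)):
        for rel, content in files.items():
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as f:
                f.write(content)
    # identical content, different mtime: a timestamp-only change
    os.utime(os.path.join(day1, "system/build.prop"), (1_500_000_000, 1_500_000_000))
    os.utime(os.path.join(day2, "system/build.prop"), (1_500_086_400, 1_500_086_400))
    return day1, day2


if __name__ == "__main__":
    a, b = build_sample_trees()
    for kind, paths in compare_trees(a, b).items():
        print(f"{kind}: {paths}")
```

Because entries are keyed by relative path, an inserted or deleted file does not shift every following line out of alignment, which is exactly the "sync" problem jaclaz warns about when a plain line-by-line diff is run over two directory listings.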
jaclaz
(@jaclaz)
Community Legend

PS I am sure you do not need such a detailed response, Jaclaz, but as a reference if someone asks the same question in the future…

Yep, the idea is - since this might be a common enough question - to have all ideas and suggestions on the same thread, so that people interested in the matter may find it (or be pointed to it).

And now, for no apparent reason (OT but related)

http://www.forensicfocus.com/Forums/viewtopic/t=11359/

jaclaz

Posted : 10/10/2017 4:08 pm
joakims
(@joakims)
Active Member

I know this may be a bit on the side here and likely not option #1 for most people. But it is still relevant enough that I'd mention visual comparison with bitmaps/pixels; http://plainbinary.blogspot.no/2017/08/detection-of-filesystem-patterns-in.html

Posted : 10/10/2017 6:56 pm
MDCR
(@mdcr)
Active Member

It may be simpler if the two images that you need to compare are split into smaller chunks and hashed. If the hash values are different then those split image parts could be diffed using any software mentioned above. http://meldmerge.org is another alternative.

Could be done easier and faster with fuzzy-hashing like ssdeep.

Posted : 11/10/2017 9:21 am
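The chunk-and-hash idea MDCR sketches above, written out as an added example (not code from the thread): hash fixed-size blocks of both raw images and report only the byte ranges whose hashes differ, so a file-level tool need only look there. It assumes two raw dd-style images; the three 64 KiB images it builds are constructed inline, and the "shifted" one exists to show jaclaz's caveat, that a single inserted byte makes every later block hash differ.

```python
"""Block-hash compare of two raw image files: report (offset, length)
ranges whose SHA-256 block hashes differ, merging adjacent blocks.

Added example; assumes two raw (dd-style) images on disk.
"""
import hashlib
import os
import tempfile
from typing import List, Tuple


def chunk_hashes(path: str, chunk_size: int) -> List[str]:
    """SHA-256 of each chunk_size block of the file (last block may be short)."""
    out = []
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk_size), b""):
            out.append(hashlib.sha256(block).hexdigest())
    return out


def differing_ranges(path_a: str, path_b: str,
                     chunk_size: int = 4096) -> List[Tuple[int, int]]:
    """Return (offset, length) byte ranges where the two images differ.
    Runs of adjacent differing blocks are merged into one range; if one
    image is longer, its extra blocks are reported as differing as well."""
    ha, hb = chunk_hashes(path_a, chunk_size), chunk_hashes(path_b, chunk_size)
    total = max(os.path.getsize(path_a), os.path.getsize(path_b))
    ranges: List[Tuple[int, int]] = []
    for i in range(max(len(ha), len(hb))):
        a = ha[i] if i < len(ha) else None
        b = hb[i] if i < len(hb) else None
        if a == b:
            continue
        start = i * chunk_size
        end = min((i + 1) * chunk_size, total)
        if ranges and ranges[-1][0] + ranges[-1][1] == start:
            ranges[-1] = (ranges[-1][0], end - ranges[-1][0])   # extend run
        else:
            ranges.append((start, end - start))
    return ranges


def build_sample_images() -> Tuple[str, str, str]:
    """Constructed 64 KiB images: 'base'; 'patched' with one 16-byte
    sector-sized edit; 'shifted' with one byte inserted near the start
    (and one dropped at the end, so the length stays equal)."""
    base = bytes((i * 7) & 0xFF for i in range(64 * 1024))
    patched = bytearray(base)
    patched[20_000:20_016] = b"CHANGED-SECTOR!!"
    shifted = base[:100] + b"\x00" + base[100:-1]
    paths = []
    for content in (base, bytes(patched), shifted):
        fd, p = tempfile.mkstemp(suffix=".img")
        with os.fdopen(fd, "wb") as f:
            f.write(content)
        paths.append(p)
    return paths[0], paths[1], paths[2]


if __name__ == "__main__":
    base, patched, shifted = build_sample_images()
    print("patched:", differing_ranges(base, patched))   # one 4 KiB block
    print("shifted:", differing_ranges(base, shifted))   # the whole image
```

The patched image yields a single 4 KiB range around offset 20000, which is what makes the technique useful; the shifted image yields one range covering all 64 KiB, which is why block hashing (like any binary compare) only narrows things down when the two images are aligned, and why a path-keyed file listing is the better first pass when the question is "which files changed".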