Hi all,
I'm wondering if such a tool exists that can take two forensic images and detect differences between them.
For example, two images from the same system taken a day apart and the tool could highlight the new or changed files/folders between the two.
Thanks!
On MS Windows
X-Ways Forensics.
Select "Tools -> Compare Data"
Choose two files/images to compare.
Creates a search list of differences (or a very large txt file if you want!)
or on Linux
Use the 'cmp' command.
The output may not be as immediately useful as the X-Ways/Windows option.
Mounting both images read-only and then making a "diff" of the drives gives you all answers. Simple solution, isn't it?
best regards,
Robin
Ah! It's so easy to over-complicate these things, eh? Thanks for the advice.
On MS Windows
X-Ways Forensics.
Select "Tools -> Compare Data"
Choose two files/images to compare.
Creates a search list of differences (or a very large txt file if you want!)
or on Linux
Use the 'cmp' command.
The output may not be as immediately useful as the X-Ways/Windows option.
Thank you! It also looks (from the online manual at least) that WinHex Free can do this too. I'll check it out, thanks for your advice.
Mounting both images read-only and then making a "diff" of the drives gives you all answers.
What do you suggest (which specific tool/program) would you suggest to make the "diff" of the drives?
Why would you mount them to volumes?
If you mount them as volumes, then you can make a DIR (or ls) listing of each volume and compare the results with diff; still, AFAIK there may well be "sync" problems, so a tool like - say - WinMerge
http://winmerge.org/
might be more suited (I am pretty sure that similar Linux tools exist).
@AmNe5iA
That would be a "binary compare", wouldn't it?
If yes, it does not really make much sense - with all due respect - if the scope is that of "highlight the new or changed files/folders between the two".
With a binary compare you will have thousands, maybe millions of single byte differences and a single byte shift may make them millions or billions.
jaclaz
I would use MFT2CSV to produce 2 CSVs from the 2 images, and then "diff" the two CSVs.
Which is a good idea, but for NTFS volumes ONLY.
jaclaz
Yes, I appreciate the advice but my images are actually of Android OS so no $MFT…
Yep, I expected that, hence my comment on mansiu's otherwise nice suggestion.
As hinted before, use *whatever tool* you see fit to make a detailed listing in text form of the contents of the filesystem for both images (or temporarily mounted volumes), then compare them. The point I was trying to make is that for this you will need a "compare" tool with "sync" capabilities, not a "plain" compare one, and certainly not a binary compare one.
jaclaz
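A worked version of the approach jaclaz describes, added here as an example and not code from any poster: per-file hash listings of two read-only mounts, matched by path so that a single inserted byte only flags the one file it sits in, rather than every byte after it as a binary compare would. It assumes the images are already mounted somewhere (the build_demo() directories are a constructed stand-in for those mount points) and works for any filesystem the host can mount, not just NTFS.

```python
import hashlib
import tempfile
from pathlib import Path

def sha256_of(path, chunk=1 << 16):
    """Hash a file in chunks so large files never sit in memory whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def manifest(mount_point):
    """Map each regular file's path (relative to the mount point) to (size, sha256).
    Keying on the path is what gives the compare its "sync" ability: entries are
    matched by name, so one inserted byte cannot shift every later comparison."""
    root = Path(mount_point)
    return {
        str(p.relative_to(root)): (p.stat().st_size, sha256_of(p))
        for p in root.rglob("*")
        if p.is_file() and not p.is_symlink()
    }

def compare_images(mount_a, mount_b):
    """Return the paths added, removed or changed between two mounted images."""
    a, b = manifest(mount_a), manifest(mount_b)
    return {
        "added": sorted(set(b) - set(a)),
        "removed": sorted(set(a) - set(b)),
        "changed": sorted(k for k in set(a) & set(b) if a[k] != b[k]),
    }

def build_demo():
    """Constructed stand-in for two read-only mounts of images taken a day apart."""
    day1, day2 = Path(tempfile.mkdtemp()), Path(tempfile.mkdtemp())
    for root in (day1, day2):
        (root / "system/etc").mkdir(parents=True)
        (root / "data/app").mkdir(parents=True)
        (root / "system/etc/hosts").write_bytes(b"127.0.0.1 localhost\n")  # unchanged
    (day1 / "data/app/old.apk").write_bytes(b"PK" + b"A" * 1000)
    (day2 / "data/app/old.apk").write_bytes(b"PK" + b"B" + b"A" * 1000)  # one byte inserted
    (day1 / "data/tmp").mkdir()
    (day1 / "data/tmp/stale.log").write_bytes(b"gone tomorrow\n")  # removed on day 2
    (day2 / "data/app/new.apk").write_bytes(b"PK" + b"C" * 500)  # added on day 2
    return day1, day2

if __name__ == "__main__":
    for kind, paths in compare_images(*build_demo()).items():
        print(kind, paths)
```

Point compare_images() at two real mount points (mounted read-only, as Robin suggests) to get the same three lists for actual images.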