I have two images one which is a clean install of Vista (I installed and then imaged) and another that I installed Office 2007 on (Installed and reimaged). I have generated hash values for the files in both images and I was wondering if there was a way of comparing the two without having to go through all the files by hand. Oh and I'm using EnCase 5.
I have created a Hash Set and Library for the first image but I am unsure as what to do next if this is the correct way to do it.
Hope I explained that clearly enough!
Thanks in advance.
Well, one thing you could do is get Steve Bunting's book on EnCase. Another is join the EnCase forums.
A third is to learn Perl.
😉
Harlan
Thanks! ) I shall do all of those 3 however I don't have a dongle ID to join the forums just yet, as it's the Banks EnCase I'm using! I'm doing my MSc summer placement here you see )
Learn the find command under UNIX/Linux.
since you already have the hash set and library. just load it to the second image case and do the hash anlysis. Once completed, used the fillter to only display files that are different in hash value. Hope that helps.
TQ