I'm trying to learn more and more each day so one of the things I wanted to do is compare two image files (original and examination copy) and use some tool to flush out the differences.
Any suggestions? And if you can share with me some of the techniques you would normally use for testing that would be great, along with the tools.
I started to rehash what Ken did on this SANS post so I thought I would just link to it as he did a good job
http//
He linked to several of the test disk image download sites that also have additional info about "playing" with them. What has been your experience so far - any methodologies or tools you have used to date?
Thanks a lot for the link!
Quite frankly I'm very new to the field, and have no experience with forensics or forensics testing, but I'm currently self studying for the CCE and felt that testing is important not just for verifying and validating equipments and software, but to gain a better understanding of OS from a a computer forensics perspective by tracing changes (Not really testing… more of reverse engineering perhaps?)
While performing my very first FAT16 file system analysis, I noticed that the hash value of my examination drive changed, which was expected because I modified the FAT tables using a hex editor, but I wanted to make sure that no other changes took place other than what I have documented. I wanted to use a utility to compare every byte of two image files and output the differences.
I tried using 'cmp' under linux, but the output doesn't seem to coincide with the values I'm seeing at the same byte offsets being reported. Still googling around
I wanted to use a utility to compare every byte of two image files and output the differences.
Perl.
Open both files, set the file handles to binmode, and then proceed one byte at a time through each file, comparing them.
# this code assumes that both image files are the same size
my $ofs = 0;
my $size = (stat($file1))[7];
open(FH1,"<",$file1) || die "Could not open $file1 $!\n";
binmode(FH1);
open(FH2,"<",$file2) || die "Could not open $file2 $!\n";
binmode(FH2);
my ($data1, $data2);
while ($ofs <= $size) {
seek(FH1,$ofs,0);
read(FH1,$data1,1);
seek(FH2,$ofs,0);
read(FH2,$data2,0);
if ($data1 == $data2) {
# do something
}
else {
# do something else
}
$ofs += 1;
}
close(FH1);
close(FH2);
