[sleuthkit-users] How does tsk_fs_file_hash_calc() work?
From: <sle...@fa...> - 2015-12-09 14:28:26
Hey,
I started to modify tsk_recover to my needs by adding some basic triage functionality directly into the code. Basically what I did was to extend the TskRecover::writeFile function with the following snippet (directly at the beginning of the function).
    int8_t hashFound = 0;
    TSK_FS_HASH_RESULTS fileHash = {};
    /* compute the MD5 of the file's default attribute; returns non-zero on error */
    if (tsk_fs_file_hash_calc(a_fs_file, &fileHash, TSK_BASE_HASH_MD5)) {
        tsk_error_print(stderr);
        tsk_error_reset();
    } else {
        /* look the 16 raw MD5 bytes up in the hash database:
           1 = found, 0 = not found, -1 = error */
        hashFound = tsk_hdb_lookup_raw(m_hdbInfo, fileHash.md5_digest, 16,
                                       TSK_HDB_FLAG_QUICK, NULL, NULL);
        if (hashFound == 1)
            return 0;   /* known file: do not recover it */
        else if (hashFound == -1)
            fprintf(stderr, "Error hash lookup.\n");
    }
m_hdbInfo is an added member variable of type TSK_HDB_INFO* which I set in the constructor to an NSRL database; everything else should be self-explanatory.
The problem is that the hashes are not calculated correctly. I made two observations: 1) The hashes change in every test run. 2) The calculated hashes repeat quite often, but without a pattern (at least I couldn't see one).
I checked with md5sum and the hashes are definitely wrong.
So is there something I missed? For example I thought of a missing init function call, but tsk_fs_file_hash_calc does that already.
Kind regards