Re: [sleuthkit-users] How does tsk_fs_file_hash_calc() work?
From: Brian C. <ca...@sl...> - 2015-12-10 03:45:41
Is tsk_fs_file_hash_calc() returning an error code? It should return 1 on error and you can get the error with tsk_error_print().

> On Dec 9, 2015, at 9:28 AM, sle...@fa... wrote:
>
> Hey,
> I started to modify tsk_recover to my needs by adding some basic triage functionality directly into the code. Basically what I did was to extend the TskRecover::writeFile function with the following snippet (directly at the beginning of the function).
>
>     int8_t hashFound = 0;
>     TSK_FS_HASH_RESULTS fileHash = {};
>
>     tsk_fs_file_hash_calc (a_fs_file, &fileHash, TSK_BASE_HASH_MD5);
>     hashFound = tsk_hdb_lookup_raw (m_hdbInfo, fileHash.md5_digest, 16, TSK_HDB_FLAG_QUICK, NULL, NULL);
>
>     if (hashFound == 1)
>         return 0;
>     else if (hashFound == -1)
>         fprintf(stderr, "Error hash lookup.");
>
> m_hdbInfo is an added member variable of type TSK_HDB_INFO* which I set in the constructor to an NSRL database, everything else should be self explanatory.
>
> The problem is that the hashes are not calculated correctly. I made two observations:
> 1) The hashes change in every test run.
> 2) The calculated hashes repeat, quite often but without a pattern (at least I couldn't see one).
> I checked with md5sum and the hashes are definitely wrong.
> So is there something I missed? For example I thought of a missing init function call, but tsk_fs_file_hash_calc does that already.
>
> Kind regards
>
> ------------------------------------------------------------------------------
> _______________________________________________
> sleuthkit-users mailing list
> https://lists.sourceforge.net/lists/listinfo/sleuthkit-users
> http://www.sleuthkit.org