sleuthkit-users

[sleuthkit-users] How does tsk_fs_file_hash_calc() work?

[<sle...@fa...>]

Hey,
I started to modify tsk_recover to my need by adding some basic triage functionality directly into the code. Basically what I did was to exted the TskRecover::writeFile function with the following snippet (direcly at the beginning of the function).

    int8_t hashFound = 0;
    TSK_FS_HASH_RESULTS fileHash = {};

    tsk_fs_file_hash_calc (a_fs_file, &fileHash, TSK_BASE_HASH_MD5);
    hashFound = tsk_hdb_lookup_raw (m_hdbInfo, fileHash.md5_digest, 16, TSK_HDB_FLAG_QUICK, NULL, NULL);

    if (hashFound == 1)
        return 0;
    else if (hashFound == -1)
        fprintf(stderr, "Error hash lookup.");

m_hdbInfo is an added member varaibale of type TSK_HDB_INFO* which I set in the constructor to an NSRL database, everything else should be self explanatory.

The problem is that the hashes are not calculated correctly. I made two oservations: 1) The hashes change in every test run. 2) The calculated hashes repeat, quite often but without a pattern (at least I couldn't see one)
I checked with md5sum and the hashes are definitely wrong.
So is there something I missed? For example I thought of a missing init function call, but tsk_fs_file_hash_calc does that already.

Kind regards

Re: [sleuthkit-users] How does tsk_fs_file_hash_calc() work?

[Simson G. <si...@ac...>]

Hi. All of this functionality is in fiwalk. Have you looked at that program?

Regards,

Simson Garfinkel

> On Dec 9, 2015, at 9:28 AM, sle...@fa... wrote:
> 
> Hey,
> I started to modify tsk_recover to my need by adding some basic triage functionality directly into the code. Basically what I did was to exted the TskRecover::writeFile function with the following snippet (direcly at the beginning of the function).
> 
>    int8_t hashFound = 0;
>    TSK_FS_HASH_RESULTS fileHash = {};
> 
>    tsk_fs_file_hash_calc (a_fs_file, &fileHash, TSK_BASE_HASH_MD5);
>    hashFound = tsk_hdb_lookup_raw (m_hdbInfo, fileHash.md5_digest, 16, TSK_HDB_FLAG_QUICK, NULL, NULL);
> 
>    if (hashFound == 1)
>        return 0;
>    else if (hashFound == -1)
>        fprintf(stderr, "Error hash lookup.");
> 
> m_hdbInfo is an added member varaibale of type TSK_HDB_INFO* which I set in the constructor to an NSRL database, everything else should be self explanatory.
> 
> The problem is that the hashes are not calculated correctly. I made two oservations: 1) The hashes change in every test run. 2) The calculated hashes repeat, quite often but without a pattern (at least I couldn't see one)
> I checked with md5sum and the hashes are definitely wrong.
> So is there something I missed? For example I thought of a missing init function call, but tsk_fs_file_hash_calc does that already.
> 
> Kind regards
> 
> ------------------------------------------------------------------------------
> _______________________________________________
> sleuthkit-users mailing list
> https://lists.sourceforge.net/lists/listinfo/sleuthkit-users
> http://www.sleuthkit.org

Re: [sleuthkit-users] How does tsk_fs_file_hash_calc() work?

[Brian C. <ca...@sl...>]

Is tsk_fs_file_hash_calc() returning an error code?  It should return 1 on error and you can get the error with tsk_error_print().


> On Dec 9, 2015, at 9:28 AM, sle...@fa... wrote:
> 
> Hey,
> I started to modify tsk_recover to my need by adding some basic triage functionality directly into the code. Basically what I did was to exted the TskRecover::writeFile function with the following snippet (direcly at the beginning of the function).
> 
>   int8_t hashFound = 0;
>   TSK_FS_HASH_RESULTS fileHash = {};
> 
>   tsk_fs_file_hash_calc (a_fs_file, &fileHash, TSK_BASE_HASH_MD5);
>   hashFound = tsk_hdb_lookup_raw (m_hdbInfo, fileHash.md5_digest, 16, TSK_HDB_FLAG_QUICK, NULL, NULL);
> 
>   if (hashFound == 1)
>       return 0;
>   else if (hashFound == -1)
>       fprintf(stderr, "Error hash lookup.");
> 
> m_hdbInfo is an added member varaibale of type TSK_HDB_INFO* which I set in the constructor to an NSRL database, everything else should be self explanatory.
> 
> The problem is that the hashes are not calculated correctly. I made two oservations: 1) The hashes change in every test run. 2) The calculated hashes repeat, quite often but without a pattern (at least I couldn't see one)
> I checked with md5sum and the hashes are definitely wrong.
> So is there something I missed? For example I thought of a missing init function call, but tsk_fs_file_hash_calc does that already.
> 
> Kind regards
> 
> ------------------------------------------------------------------------------
> _______________________________________________
> sleuthkit-users mailing list
> https://lists.sourceforge.net/lists/listinfo/sleuthkit-users
> http://www.sleuthkit.org