Bug#469063: md5deep cannot be replaced with shell script
Jesse Kornblum
jessek at speakeasy.net
Mon Mar 17 22:01:27 UTC 2008
Hello,
You are mistaken that md5deep can be replaced by just a line of shell
script. The program is not only able to compute hashes, but also does both
positive and negative matching on previously generated hash sets. For
example:
1. Recursively hash the /usr directory:
$ md5deep -r /usr > known.txt
2. Search for any matches to a set of known files:
$ md5deep -r research/malware-samples/* > known.txt
$ md5deep -wm known.txt -r /usr
/usr/bin/.../ls matched /home/user/research/malware-samples/rootkit2
3. Search for any files that *don't* match a known file in the set of
hashes:
$ md5deep -r /usr > known.txt
[time passes]
$ md5deep -rx known.txt /usr
/usr/bin/.../ls
and so on.
--
Jesse
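The positive (-m, with -w showing which known file matched) and negative (-x) matching described in the message above, as an added Python example that is neither md5deep's own code nor the author's: it hashes a tree recursively, reads a known set in md5deep's "hash  path" output format, and reports matched or unknown files. The function names and the constructed sample tree built in demo() are assumptions for illustration.

```python
import hashlib
import tempfile
from pathlib import Path

def hash_file(path, algo="md5"):
    """Hash one file in chunks so large files are not read whole into memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

def hash_tree(root):
    """Recursively hash every regular file under root (what 'md5deep -r' does)."""
    return {str(p): hash_file(p) for p in sorted(Path(root).rglob("*")) if p.is_file()}

def parse_known(text):
    """Parse md5deep-style 'hash  path' lines into {hash: path}; skip '%'/'#' comments."""
    known = {}
    for line in text.splitlines():
        line = line.strip()
        if line and line[0] not in "%#":
            digest, _, path = line.partition("  ")
            known.setdefault(digest.lower(), path)
    return known

def match_tree(root, known_text, negative=False):
    """-m: files whose hash IS in the set, paired with the known path (as -w shows);
    -x (negative=True): files whose hash is NOT in the set, paired with None."""
    known = parse_known(known_text)
    hits = []
    for path, digest in hash_tree(root).items():
        if (digest in known) != negative:
            hits.append((path, known.get(digest)))
    return hits

def demo():
    """Constructed sample tree (not real data): one 'malware sample' and a scan
    directory holding a byte-identical copy of it plus one unrelated file."""
    root = Path(tempfile.mkdtemp())
    (root / "samples").mkdir()
    (root / "usr").mkdir()
    (root / "samples" / "rootkit2").write_bytes(b"constructed sample bytes")
    (root / "usr" / "ls").write_bytes(b"constructed sample bytes")
    (root / "usr" / "cat").write_bytes(b"unrelated benign bytes")
    known = "\n".join(f"{h}  {p}" for p, h in hash_tree(root / "samples").items())
    return match_tree(root / "usr", known), match_tree(root / "usr", known, negative=True)

if __name__ == "__main__":
    print(demo())
```

demo() returns the positive hits first (the copied "ls" paired with the sample it matched) and the unknown files second (only "cat"), mirroring steps 2 and 3 of the message.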