UNIX File Hashing Script

Description and Review:
One of the most important things to remember when performing digital forensics is how to preserve authenticity. Calculating and retaining hashes of the files you gather during your investigation (whether they be script output or actual binaries) is a great way to prove that your collected evidence hasn't been tampered with. Because of the risk of hash collisions, it is important to use multiple hashing algorithms for each file (e.g., MD5 and SHA1).

In order to simplify the process of calculating hashes for files, I have created a UNIX bash script that quickly calculates MD5 and SHA1 hashes for all files in the same directory as the script. This is much quicker and simpler than running the hashing commands manually for each file. Here is a link to the repository for this script. The script first checks whether MD5 and SHA1 sub-directories already exist in its current working directory. If not, these folders are created. The script then calculates hashes using the -b (binary) switch for all files located in the same directory as the script, placing the resulting MD5 and SHA1 files into their respective sub-directories. These hash calculations are also listed as output in the terminal, along with the names of their corresponding files, to simplify the process of copying the calculated hashes into a forensic log. Preserving the calculated hashes both in your forensic log and in distinct files gives you multiple hash sources when validating files to ensure they haven't been tampered with.

The script also ignores itself and any directories located in the same directory (to avoid errors when trying to hash directories). Only files in the same directory as the script are hashed.
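The behaviour described above, written out as an added example (this is not the original getHashes.sh from the repository). It assumes GNU md5sum and sha1sum, takes the directory and the script's own basename as arguments instead of hard-coding them, and adds a verify_evidence function that re-checks the stored hashes with md5sum -c and sha1sum -c, which is the check an examiner runs later to show the evidence is unchanged. The sample files it creates are constructed stand-ins for the command-output text files mentioned in the post.

```shell
#!/bin/sh
# Added example, not the post's getHashes.sh. Hashes every regular file in a
# directory with md5sum and sha1sum in binary (-b) mode, stores each result in
# MD5/<name>.MD5 and SHA1/<name>.SHA1, prints both hashes for the forensic log,
# and skips sub-directories and the script itself.

# hash_evidence DIR SELF: DIR is the directory to hash, SELF is the basename of
# the script to skip (assumed argument; the post's script uses its own name).
# Prints "MD5  <hash> *<file>" and "SHA1 <hash> *<file>" per hashed file.
hash_evidence() {
    dir=$1
    self=$2
    mkdir -p "$dir/MD5" "$dir/SHA1" || return 1
    for path in "$dir"/*; do
        name=$(basename "$path")
        # skip directories (hashing them would error) and the script itself
        if [ ! -f "$path" ] || [ "$name" = "$self" ]; then
            continue
        fi
        # run inside DIR so the recorded name is relative, as md5sum -c expects
        md5=$(cd "$dir" && md5sum -b "$name") || return 1
        sha1=$(cd "$dir" && sha1sum -b "$name") || return 1
        printf '%s\n' "$md5"  > "$dir/MD5/$name.MD5"
        printf '%s\n' "$sha1" > "$dir/SHA1/$name.SHA1"
        printf 'MD5  %s\nSHA1 %s\n' "$md5" "$sha1"
    done
}

# verify_evidence DIR: re-check every stored hash against the current file
# contents; returns 0 only if every file still matches both hashes.
verify_evidence() {
    dir=$1
    ( cd "$dir" && cat MD5/*.MD5 | md5sum -c --quiet \
                && cat SHA1/*.SHA1 | sha1sum -c --quiet )
}

# count_hashes DIR: number of .MD5 files written (one per hashed file)
count_hashes() {
    ls "$1"/MD5/*.MD5 2>/dev/null | wc -l | tr -d ' '
}

# make_sample_evidence: constructed sample data standing in for the post's
# command-output text files; prints the temp directory path
make_sample_evidence() {
    tmp=$(mktemp -d)
    printf 'uid=0(root) gid=0(root)\n' > "$tmp/id.txt"
    printf 'PID TTY TIME CMD\n  1 ?   00:00:01 init\n' > "$tmp/ps.txt"
    printf '#!/bin/sh\n' > "$tmp/getHashes.sh"   # stands in for the script itself
    mkdir "$tmp/subdir"                           # must be skipped, not hashed
    echo "$tmp"
}

# Stand-alone demo: hash the sample, then show that a later change is caught.
if [ "${1:-}" = "demo" ]; then
    d=$(make_sample_evidence)
    hash_evidence "$d" getHashes.sh
    verify_evidence "$d" && echo "all hashes verify"
    printf 'modified\n' >> "$d/id.txt"
    verify_evidence "$d" || echo "tampering detected in $d/id.txt"
fi
```

Run it with `sh hash_evidence.sh demo` to see the two hash lines per file, a successful verification, and then the failed verification after id.txt is altered. The stored .MD5 and .SHA1 files keep the `hash *name` format that md5sum -c and sha1sum -c read directly, so the same files serve both as the log record and as the input for later validation.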

Usage Instructions:
In order to use the UNIX file hashing script, make sure you download the getHashes.sh file from the repository above onto a UNIX machine with md5sum and sha1sum installed (most UNIX-like operating systems have these installed by default). I used the script on my Kali Linux v1.0.9 machine.

Next, place the getHashes.sh script into the same directory as the files you want to hash. In the screenshot below, I've placed it in the same directory as a collection of text files containing the output of commands run on the victim machine, transferred to my forensic workstation using Netcat.


Next, open a terminal in the directory containing the getHashes.sh script and execute the script.

NOTE: If you get permission errors when trying to execute the script, you likely need to run the following command in terminal to make the script executable:
chmod a+x getHashes.sh


As you can see in the screenshot above, the script created MD5 and SHA1 directories because they didn't yet exist in that directory. These new directories contain .MD5 and .SHA1 files, respectively (each holding the hash and filename of its corresponding file), for all files in the same directory as the script. These hashes are also sent as output to the terminal, with the MD5 hash listed first and the SHA1 hash listed second, to simplify the process of copying them into your forensic log.
