Tools that can detect differences between two images?

19 Posts
8 Users
0 Likes
4,432 Views
engdan
(@engdan)
Posts: 12
Active Member
Topic starter
 

Hi all,

I'm wondering if such a tool exists that can take two forensic images and detect differences between them.

For example, two images from the same system taken a day apart and the tool could highlight the new or changed files/folders between the two.

Thanks!

 
Posted : 10/10/2017 9:43 am
AmNe5iA
(@amne5ia)
Posts: 173
Estimable Member
 

On MS Windows

X-Ways Forensics.
Select "Tools -> Compare Data"
Choose two files/images to compare.
Creates a search list of differences (or a very large txt file if you want!)

or on Linux

Use 'cmp' command.
The output may not be as immediately useful as the X-Ways/Windows option.

 
Posted : 10/10/2017 10:12 am
Bunnysniper
(@bunnysniper)
Posts: 257
Reputable Member
 

Hi all,

I'm wondering if such a tool exists that can take two forensic images and detect differences between them.

For example, two images from the same system taken a day apart and the tool could highlight the new or changed files/folders between the two.

Thanks!

Mounting both images read-only and then making a "diff" of the drives gives you all answers. Simple solution, isn't it?

best regards,
Robin

 
Posted : 10/10/2017 10:34 am
engdan
(@engdan)
Posts: 12
Active Member
Topic starter
 

Mounting both images read-only and then making a "diff" of the drives gives you all answers. Simple solution, isn't it?

best regards,
Robin

Ah! It's so easy to over-complicate these things, eh? Thanks for the advice.

 
Posted : 10/10/2017 10:39 am
engdan
(@engdan)
Posts: 12
Active Member
Topic starter
 

On MS Windows

X-Ways Forensics.
Select "Tools -> Compare Data"
Choose two files/images to compare.
Creates a search list of differences (or a very large txt file if you want!)

or on Linux

Use 'cmp' command.
The output may not be as immediately useful as the X-Ways/Windows option.

Thank you! It also looks (from the online manual at least) that WinHex Free can do this too. I'll check it out, thanks for your advice.

 
Posted : 10/10/2017 10:40 am
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

Mounting both images read-only and then making a "diff" of the drives gives you all answers.

Which specific tool/program would you suggest to make the "diff" of the drives?

Why would you mount them to volumes?

If you mount them to volumes then you can make a DIR (or ls) of each volume and compare the results with diff; still, there might well be, AFAIK, "sync" problems, so a tool like, say, WinMerge
http://winmerge.org/

might be more suited (I am pretty sure that similar Linux tools do exist).

@AmNe5iA
That would be a "binary compare", wouldn't it?
If yes, it doesn't really make much sense - with all due respect - if the scope is that of "highlight the new or changed files/folders between the two.".
With a binary compare you will have thousands, maybe millions of single byte differences and a single byte shift may make them millions or billions.

jaclaz

 
Posted : 10/10/2017 11:53 am
(@mansiu)
Posts: 83
Trusted Member
 

Hi all,

I'm wondering if such a tool exists that can take two forensic images and detect differences between them.

For example, two images from the same system taken a day apart and the tool could highlight the new or changed files/folders between the two.

Thanks!

I would use MFT2CSV to produce 2 CSV from the 2 images. And then "diff" the two CSV

 
Posted : 10/10/2017 12:07 pm
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

I would use MFT2CSV to produce 2 CSV from the 2 images. And then "diff" the two CSV

Which is a good idea, but for NTFS volumes ONLY.

jaclaz

 
Posted : 10/10/2017 12:19 pm
engdan
(@engdan)
Posts: 12
Active Member
Topic starter
 

@mansiu, @jaclaz

Yes, I appreciate the advice but my images are actually of Android OS so no $MFT…

 
Posted : 10/10/2017 12:41 pm
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

@mansiu, @jaclaz

Yes, I appreciate the advice but my images are actually of Android OS so no $MFT…

Yep, I expected that, hence my comment on mansiu's otherwise nice suggestion.

As hinted before, use *whatever tool* you see fit to make a detailed listing in text form of the contents of the filesystem for both images (or temporarily mounted volumes) then compare them, the point I was trying to make being that for this you will need a "compare" tool with "sync" capabilities, not a "plain" compare one, and certainly not a binary compare one.

jaclaz

 
Posted : 10/10/2017 1:11 pm
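The two suggestions above (mansiu's "produce a listing per image, then diff the listings" and jaclaz's point that the compare step needs to be "synced" on file identity rather than line position) can be combined into one small script. The example below is added here and is not code from any poster in the thread or from any of the tools named; it assumes both images have already been mounted read-only (or extracted) at two directory paths, which is what lets it work for an Android ext4/f2fs image just as well as for NTFS. Instead of hashing the whole image (the "binary compare" jaclaz warns against) or running a line-oriented diff over two listings (where one inserted file shifts every later line), it keys each regular file by its relative path and records size plus SHA-256, then reports added, removed and changed paths. The two sample trees and their contents are constructed inside the script purely to make it runnable offline.

```python
"""Keyed comparison of two filesystem listings (added example, not from the thread)."""
import hashlib
import os
import tempfile
from typing import Dict, List, NamedTuple, Tuple

# Per-file record: (size in bytes, SHA-256 hex digest)
Entry = Tuple[int, str]


def hash_file(path: str, chunk: int = 1 << 20) -> str:
    """Stream a file through SHA-256 so large files do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def listing(root: str) -> Dict[str, Entry]:
    """Walk a (read-only mounted) tree and key every regular file by its relative path.

    Symlinks, devices and sockets are skipped: they have no stable content to hash and
    following a symlink could read outside the mounted image.
    """
    out: Dict[str, Entry] = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()  # deterministic traversal order
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            out[rel] = (os.path.getsize(full), hash_file(full))
    return out


class Report(NamedTuple):
    added: List[str]    # present only in the later image
    removed: List[str]  # present only in the earlier image
    changed: List[str]  # same path, different size or content hash


def compare(before: Dict[str, Entry], after: Dict[str, Entry]) -> Report:
    """Compare two listings by path key, so an inserted file does not shift every later entry."""
    added = sorted(set(after) - set(before))
    removed = sorted(set(before) - set(after))
    changed = sorted(p for p in set(before) & set(after) if before[p] != after[p])
    return Report(added, removed, changed)


def build_demo() -> Tuple[str, str]:
    """Construct two small trees standing in for the two mounted images (constructed sample data)."""
    day1 = tempfile.mkdtemp(prefix="img_day1_")
    day2 = tempfile.mkdtemp(prefix="img_day2_")
    files_day1 = {
        "data/app/a.db": b"alpha",
        "data/app/b.txt": b"bravo",
        "data/app/old.tmp": b"tmp",
        "system/build.prop": b"ro.build=1",
    }
    files_day2 = {
        "data/app/a.db": b"alpha",        # unchanged
        "data/app/b.txt": b"bravo!",      # modified in place
        "data/app/c.log": b"new",         # created between the two acquisitions
        "system/build.prop": b"ro.build=1",
    }
    for root, files in ((day1, files_day1), (day2, files_day2)):
        for rel, content in files.items():
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as f:
                f.write(content)
    return day1, day2


def demo() -> Report:
    """Build the two sample trees and return the keyed comparison of their listings."""
    day1, day2 = build_demo()
    return compare(listing(day1), listing(day2))


if __name__ == "__main__":
    # For real images replace build_demo() with the two read-only mount points.
    r = demo()
    for label, paths in (("added", r.added), ("removed", r.removed), ("changed", r.changed)):
        for p in paths:
            print(f"{label:8s} {p}")
```

On real evidence, point `listing()` at the two read-only mount points instead of `build_demo()`. Recording a content hash alongside the size is what catches a file that was modified without changing length, which a listing-only diff would miss; and because the comparison is keyed on path, the output is the "new or changed files/folders" view the original question asked for rather than a stream of byte offsets.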