Tools that can detect differences between two images?

Forensic software discussion (commercial and open source/freeware). Strictly no advertising.

Re: Tools that can detect differences between two images?

Post Posted: Tue Oct 10, 2017 4:53 pm

It may be simpler if the two images that you need to compare are split into smaller chunks and hashed. If the hash values are different then those split image parts could be diffed using any software mentioned above. meldmerge.org is another alternative.
_________________
"Simplicity is the ultimate sophistication." 

calimelo
Senior Member
 
 
  

Re: Tools that can detect differences between two images?

Post Posted: Wed Oct 11, 2017 2:21 am

- calimelo
It may be simpler if the two images that you need to compare are split into smaller chunks and hashed. If the hash values are different then those split image parts could be diffed using any software mentioned above. meldmerge.org is another alternative.


Could be done easier and faster with fuzzy-hashing like ssdeep.  

MDCR
Senior Member
 
 
  

Re: Tools that can detect differences between two images?

Post Posted: Wed Oct 11, 2017 3:24 am

- calimelo
It may be simpler if the two images that you need to compare are split into smaller chunks and hashed. If the hash values are different then those split image parts could be diffed using any software mentioned above.


Well, that would be back to "binary compare", only of a subset chosen by "diffing" the hashes, not really simpler, as a matter of fact rather more complicated, without seemingly offering any advantage.

The issue would be twofold:
1) the chunk size must be chosen in such a way that it is not too small (to avoid hundreds or thousands of "diff" negatives) nor too big (to avoid tens or hundreds of "diff" positives where - possibly - a single byte is different)
2) the difficulty of interpreting the actual data inside an arbitrary "chunk": there is no way to apply a viewer/parser

Meld seems like a very nice program :), but, like WinDiff, it seemingly only shows the differences (files missing or different in contents) while the mentioned WinMerge has a few other fields, including date and creation date.

In any case all of these won't work for an Android filesystem in Windows (unless a proper filesystem driver is installed).

jaclaz
_________________
- In theory there is no difference between theory and practice, but in practice there is. - 

jaclaz
Senior Member
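
The chunk-and-hash comparison discussed in the posts above, as an added example (not code posted by any participant in the thread). The 64 KiB sample "image", the offsets and the function names are constructed for illustration; it reports how many chunks are flagged, and how many bytes remain to diff by hand, for several chunk sizes, and also covers the inserted-byte case where all later content shifts.

```python
import hashlib

def chunk_hashes(data, chunk_size):
    """SHA-256 of each fixed-size chunk of an image (bytes here, a file in practice)."""
    return [hashlib.sha256(data[i:i + chunk_size]).hexdigest()
            for i in range(0, len(data), chunk_size)]

def differing_chunks(image_a, image_b, chunk_size):
    """Byte offsets of the chunks whose hashes differ between the two images."""
    a = chunk_hashes(image_a, chunk_size)
    b = chunk_hashes(image_b, chunk_size)
    offsets = []
    for i in range(max(len(a), len(b))):
        if (a[i] if i < len(a) else None) != (b[i] if i < len(b) else None):
            offsets.append(i * chunk_size)
    return offsets

# Constructed sample data: a 64 KiB "image" and two modified copies.
BASE = bytes((i * 7) % 251 for i in range(64 * 1024))

def overwritten_copy():
    """Three single-byte overwrites; the image length is unchanged."""
    img = bytearray(BASE)
    for off in (100, 5000, 40000):
        img[off] ^= 0xFF
    return bytes(img)

def inserted_copy():
    """One byte inserted at offset 100; everything after it shifts by one."""
    return BASE[:100] + b"\x00" + BASE[100:]

def review_cost(modified, chunk_size):
    """(flagged chunks, bytes left to diff by hand) for a given chunk size."""
    flagged = differing_chunks(BASE, modified, chunk_size)
    return len(flagged), len(flagged) * chunk_size

if __name__ == "__main__":
    for size in (512, 4096, 32768):
        print(size, review_cost(overwritten_copy(), size),
              review_cost(inserted_copy(), size))
```

With in-place overwrites only a few chunks are flagged, and larger chunks leave more bytes to review; a single inserted byte flags every chunk at every size.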
 
 
  

Re: Tools that can detect differences between two images?

Post Posted: Wed Oct 11, 2017 6:12 am

- jaclaz

In any case all of these won't work for an Android filesystem in Windows (unless a proper filesystem driver is installed).


Thanks jaclaz for your reply. What is the reason why Meld or WinDiff won't work with Android images?

It was my intention to take bunnysniper's advice and use OSFMount to make the two images work as 'drives' and then run either tool against the entire drive.

I would have thought that it doesn't matter what filesystem the images are in as they are just two sets of files and folders?

I must admit I'm not in a position to test anything yet, this topic was to get advice for tools that I could use later in my project -- so maybe there is an incompatibility somewhere I'm overlooking without being able to actually use the tools...

I really was not expecting this level of discussion but I do appreciate all the ideas people are posting!

engdan
Newbie
 
 
  

Re: Tools that can detect differences between two images?

Post Posted: Wed Oct 11, 2017 7:11 am

If you are simply looking to spot what files are new or have changed maybe the following is the simplest method:

Create a hashset of all the files in the 1st image. Filter out the files in the 2nd image using the hashset from the first. All that should then be left is files that have been altered or that are new....  

AmNe5iA
Member
 
 
  

Re: Tools that can detect differences between two images?

Post Posted: Wed Oct 11, 2017 8:12 am

- engdan

Thanks jaclaz for your reply. What is the reason why Meld or WinDiff won't work with Android images?

All these "directory compare" tools assume that underneath there is a volume mounted and with an accessible filesystem.

Windows has no built-in support for (say) EXT2/3/4 filesystem drivers (let alone more esoteric filesystems (such as - still say - F2FS) commonly used on Android devices).

So in addition to the compare tool you will need to add/install such filesystem support to Windows.


Besides this a filesystem tree difference comparison (for forensics or related use) makes sense on these data/metadata:
1) size
2) contents
3) date and time (creation/modified/last accessed where available)

#1 and #2 are "objective" and "implied" in the file, whilst #3 is peculiar to the hosting filesystem.

WinDiff and Meld are only capable of #1 and #2, whilst WinMerge is also capable (but only partially) of #3.

The suggestion by Mansiu would result in a "perfect" or "complete" analysis of #1 and #3 only (and only on NTFS).

Any binary comparison would only result in #2, but - much worse than that - a difference in #1 may "shift" or move contents and produce a zillion false positives, and - even when you have a "real" positive you wouldn't know to which file/directory it belongs, and - besides - you will have an extremely precise comparison of filesystem data structures (like FATs, $MFTs, etc.) of extremely difficult, if not downright impossible interpretation.

- AmNe5iA
If you are simply looking to spot what files are new or have changed maybe the following is the simplest method:

Create a hashset of all the files in the 1st image. Filter out the files in the 2nd image using the hashset from the first. All that should then be left is files that have been altered or that are new....

Yep :), this would be the simpler (not necessarily the faster), but it would still only provide #1 and #2 changes (without knowing which one triggered the difference flag, not entirely unlike "Oh, oh something happened" kind of error messages, and you would need anyway to go through the original files to see which of the two was the cause) but still implies filesystem mounting/access.

Maybe this is more convenient since you can create the hashsets on *any* OS that can access the filesystem and then do the comparison of the hashsets on the same or *any other* OS, but you will also need a plain DIR or ls to compare file sizes.


jaclaz
_________________
- In theory there is no difference between theory and practice, but in practice there is. - 

jaclaz
Senior Member
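
The hashset comparison from the posts above, extended to record size, contents hash and modification time per file so the report says which of the three changed; this is an added example, not code posted by any participant in the thread. It assumes both images are already mounted read-only as directory trees; the function names, sample file names and timestamps are constructed, and only the modified time is compared.

```python
import hashlib
import os
import tempfile

def build_manifest(root):
    """Map each relative path under root to (size, sha256, mtime)."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            digest = hashlib.sha256()
            with open(full, "rb") as fh:
                for block in iter(lambda: fh.read(1 << 20), b""):
                    digest.update(block)
            st = os.stat(full)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = (st.st_size, digest.hexdigest(), int(st.st_mtime))
    return manifest

def compare(old, new):
    """Per path: 'new', 'deleted', or which of size/contents/mtime differ."""
    labels = ("size", "contents", "mtime")
    report = {}
    for path in sorted(set(old) | set(new)):
        if path not in old:
            report[path] = ["new"]
        elif path not in new:
            report[path] = ["deleted"]
        else:
            diffs = [l for l, a, b in zip(labels, old[path], new[path]) if a != b]
            if diffs:
                report[path] = diffs
    return report

def _write(path, data, mtime):
    with open(path, "wb") as fh:
        fh.write(data)
    os.utime(path, (mtime, mtime))

def demo_report():
    # Constructed sample trees standing in for the two mounted images.
    with tempfile.TemporaryDirectory() as a, tempfile.TemporaryDirectory() as b:
        t0 = 1507700000
        for name, va, vb in (("edit.db", b"1234", b"12X4"), ("grow.log", b"x", b"xy")):
            _write(os.path.join(a, name), va, t0)
            _write(os.path.join(b, name), vb, t0)
        _write(os.path.join(a, "same.txt"), b"abc", t0)
        _write(os.path.join(b, "same.txt"), b"abc", t0 + 3600)  # touched only
        _write(os.path.join(b, "added.apk"), b"new", t0)
        return compare(build_manifest(a), build_manifest(b))
```

Each manifest can be built on whichever OS can mount the filesystem and the two compared elsewhere, since `compare` only needs the two dictionaries.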
 
 
