SecureArtisan

My Road to Digital Forensics Excellence

File Block Hash Analysis

Posted by Paul Bobby on June 1, 2009

At the CEIC I met Simon Key and thanked him personally for his EnScript work and the free contributions he has made to the investigative community. He was encouraged by our conversation, since he receives little feedback on his EnScripts: whether they work, or even whether they are being used at all.

One EnScript in particular, the File Block Hashing EnScript, is a very good piece of work. I use it in conjunction with malware analyses and sometimes ethics cases. A recent malware case required me to determine whether a machine had been compromised by malware, since the particular dropper file had been deleted by a McAfee OnDemand scan from the System Restore point.

The file was recovered from the McAfee Quarantine folder, run through my malware analysis sandbox, and the resulting system changes noted. Based on the behavior of this malware, the registry is modified, as is the file system through the addition of an .EXE and two .DLL files. Furthermore, as is typical, the original dropper is deleted.

Neither the .EXE file nor the .DLL files were present on the file system, as confirmed by filename analysis as well as MD5 analysis. But were they ever on the file system? This is exactly where File Block analysis comes in…

The EnScript at the link above is Version 5 and includes a couple of efficiency modifications as well as a nice graphical output option. The EnScript includes an “intelligent tail analysis” option. The built-in help explains this function well enough: it essentially removes the need to rehash the same file block multiple times (which saves time when searching for more than one file).

Another addition is the graphical output showing the on-disk location of file blocks whose hashes resulted in MD5 matches. Here’s an example for a Microsoft PowerPoint file I created and whose middle portion I then deliberately overwrote.
64F9681778DB29993DD8F3EDAE14E47C - FileBlockTest.pptx
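The block-matching idea behind the EnScript, as an added Python example (it is not Simon Key's code, which is written in EnScript): each fixed-size block of a known file is hashed once, a raw image is walked at block-aligned offsets, and every block whose MD5 matches is mapped back to its place in the reference file. It assumes a 512-byte block size and uses a constructed reference file named FileBlockTest.pptx and a constructed image in which the file's middle block has been overwritten, so the coverage map shows the same kind of gap as the PowerPoint experiment above.

```python
import hashlib
import random

BLOCK = 512  # constructed choice for this example; the EnScript lets the examiner choose

def build_index(refs, block=BLOCK):
    """MD5 -> [(file name, block index, block length)] for every block of every
    reference file; the true length of the (usually shorter) final block is kept."""
    index = {}
    for name, data in refs.items():
        for i in range(0, len(data), block):
            chunk = data[i:i + block]
            index.setdefault(hashlib.md5(chunk).hexdigest(), []).append(
                (name, i // block, len(chunk)))
    return index

def scan_image(image, index, block=BLOCK):
    """One block-aligned pass over a raw image; each image block is hashed once per
    distinct reference length and looked up for all reference files at once."""
    lengths = sorted({ln for entries in index.values() for _, _, ln in entries})
    hits = {}  # (file name, block index) -> [image offsets where that block was found]
    for off in range(0, len(image), block):
        for ln in lengths:
            h = hashlib.md5(image[off:off + ln]).hexdigest()
            for name, idx, want_len in index.get(h, ()):
                if want_len == ln:
                    hits.setdefault((name, idx), []).append(off)
    return hits

def coverage(name, nblocks, hits):
    """Text form of the EnScript's graphical view: one char per reference block,
    '#' if that block was found somewhere on the image, '.' if it never was."""
    return "".join("#" if (name, i) in hits else "." for i in range(nblocks))

def demo():
    """Constructed data: a 5.5-block 'document' written to a disk image, then its
    middle block overwritten, mirroring the overwritten PowerPoint experiment."""
    rng = random.Random(7)
    rand = lambda n: rng.getrandbits(8 * n).to_bytes(n, "big")
    doc = rand(5 * BLOCK + 300)  # five full blocks plus a 300-byte tail
    index = build_index({"FileBlockTest.pptx": doc})
    start = 8 * BLOCK
    image = bytearray(rand(start) + doc + rand(4 * BLOCK - 300))
    image[start + 2 * BLOCK:start + 3 * BLOCK] = rand(BLOCK)  # destroy block 2
    hits = scan_image(bytes(image), index)
    return hits, coverage("FileBlockTest.pptx", 6, hits)

if __name__ == "__main__":
    print(demo()[1])  # ##.###  blocks 0, 1, 3, 4 and the tail found; block 2 gone
```

The tail block is compared over its real length rather than a full sector, which is what lets the final partial block of a deleted file still match even though the sector holding it carries slack space after it.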
