Hashing Evidence

Mac OS X makes verifying a physical device acquisition or a single file/folder copy easy. Distributed with Snow Leopard (10.6) and Leopard (10.5) is the 'openssl' Terminal command, which can compute any of several hashes of your choice. Taken directly from the MAN page is the following (as applicable to hashing):
NAME
openssl - OpenSSL command line tool
COMMAND SUMMARY
dgst Message Digest Calculation.
MESSAGE DIGEST COMMANDS
md2 MD2 Digest
md5 MD5 Digest
mdc2 MDC2 Digest
rmd160 RMD-160 Digest
sha SHA Digest
sha1 SHA-1 Digest
sha224 SHA-224 Digest
sha256 SHA-256 Digest
sha384 SHA-384 Digest
sha512 SHA-512 Digest
We can put this to use with any of our acquisitions. We have used this in our iPod Acquisition already.
Conceptually, as the person assigned to acquire data, you want a method to verify that what you have gathered has not changed the original device and that what you obtained is the same as the original device. In the case of files or folders, you will want to verify that the file or folder is exactly what was contained on the original media. This article acknowledges that utilities exist that combine hashing and acquisition into a single function, saving a considerable amount of time. See our list of Mac Forensic Tools for a complete list of tools for imaging.
TURN OFF DISK ARBITRATION BEFORE PROCEEDING!
We first need to obtain the hash value of the device that we plan to acquire. We will use the result of this calculation to compare our later acquisition against. In order to do this, enter the following command in Terminal:

openssl dgst -md5 /dev/disk1 > ~/Desktop/Disk1.md5.txt
Let's break down the above command.

"openssl dgst -md5", this part of the command tells openssl to compute an MD5 hash. You have the ability to calculate the other hashes noted above by replacing the digest option, for example "openssl dgst -sha1 /dev/disk1" for a SHA-1. Note that 'openssl dgst' takes one digest option per run, so to obtain both an MD5 and a SHA-1 of the device, run the command twice, once with "-md5" and once with "-sha1".
"/dev/disk1", this is the device, file or folder that we wish to calculate the hash of. Simply replace my example with the path to your desired device, file or folder when you are using this command.
"> ~/Desktop/Disk1.md5.txt", this section of the command redirects the output of the command. By default, you will see the output of the command on your screen. That is not particularly helpful when we want a record of our results. By using the 'greater than' sign, output is redirected to the file indicated afterwards. In this case, I have specified to redirect the output to the file on my Desktop called "Disk1.md5.txt". I chose this name because it is meaningful to me.

If the file already exists, it will be overwritten! Be careful.
Now that we have the hash value of the device, it is safe to acquire it. Let's assume an acquisition with the built-in utility 'dd' from the command line.

dd if=/dev/disk1 of=~/Desktop/Disk1.dd

(We are not exploring acquisition or all of the options for 'dd' in this article.)
Now that the item has been acquired, we want to verify that what we originally had is exactly the same as our digital copy. We need to perform a similar hash of the evidence file that was just obtained, appending the result to the same text file we created earlier:

openssl dgst -md5 ~/Desktop/Disk1.dd >> ~/Desktop/Disk1.md5.txt
Notice the change in this command!

">>" means to append the redirected output to the file rather than overwrite the file we created earlier. What we wind up with is a text file that contains the hash value of the original device and the hash value of the 'dd' file we just obtained. When we have an exact digital duplicate, the two hash values will match.
You can use this method on single files and folders. You can also make a quick text file full of hash values by using the wildcard (asterisk) when listing directories at the command line, for example "openssl dgst -md5 ~/Desktop/*". There are many uses for this great built-in utility with OS X.
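The hash-then-image-then-hash workflow above, and the "text file full of hash values" use just mentioned, as one added example that is not part of the original article. The functions wrap the same 'openssl dgst', '>' / '>>' and 'dd' steps so that the comparison of the two recorded digests is done by the script rather than by eye. To keep it runnable anywhere 'openssl' and 'dd' exist, the demo uses an ordinary file under a temporary directory as a stand-in for /dev/disk1 (constructed sample data, not a real device) and SHA-256 rather than MD5; '-md5' works the same way. hash_directory goes slightly beyond the article's wildcard example by descending into subfolders with 'find'. The function names and file names are this example's own.

```shell
#!/bin/sh
# Added example, not from the original article: the hash -> dd -> hash
# procedure as shell functions. The demo uses a constructed file as the
# "device"; on a real case substitute /dev/diskN and an output path on your
# evidence drive (and turn off disk arbitration first, as the article says).

# record_source_hash ALGO SOURCE HASHFILE
# Hash the original device or file BEFORE imaging. '>' creates/overwrites HASHFILE.
record_source_hash() {
    openssl dgst "-$1" "$2" > "$3"
}

# image_source SOURCE IMAGE
# Bit-for-bit copy with dd; dd's own statistics go to stderr and are silenced.
image_source() {
    dd if="$1" of="$2" bs=4096 2>/dev/null
}

# verify_image ALGO IMAGE HASHFILE
# Hash the image and APPEND it ('>>') under the source hash, then compare the
# first recorded digest with the one just written. Returns 0 on a match and
# 1 on a mismatch (an incomplete or altered copy).
verify_image() {
    openssl dgst "-$1" "$2" >> "$3"
    # openssl prints "ALGO(path)= hexdigest"; keep only the hex part.
    original=$(sed -n '1s/^.*= //p' "$3")
    copy=$(tail -n 1 "$3" | sed 's/^.*= //')
    [ -n "$original" ] && [ "$original" = "$copy" ]
}

# hash_directory ALGO DIR HASHFILE
# One "ALGO(path)= digest" line per regular file under DIR (recursively),
# sorted by path, written to HASHFILE. Prints the number of files hashed.
hash_directory() {
    find "$2" -type f -exec openssl dgst "-$1" {} + | LC_ALL=C sort > "$3"
    grep -c '= ' "$3"
}

# demo: constructed sample data in a temp dir. Run with:  sh hash_evidence.sh demo
demo() {
    work=$(mktemp -d)
    printf 'constructed sample evidence, not a real device\n' > "$work/source.bin"
    record_source_hash sha256 "$work/source.bin" "$work/source.sha256.txt"
    image_source "$work/source.bin" "$work/source.dd"
    if verify_image sha256 "$work/source.dd" "$work/source.sha256.txt"; then
        echo "image verified: digests match"
    else
        echo "HASH MISMATCH: image does not match source"
    fi
    cat "$work/source.sha256.txt"
    rm -rf "$work"
}

case "${1:-}" in demo) demo ;; esac
```

verify_image deliberately reads both digests back out of the text file rather than re-hashing the source, so the file you keep with the case is the same record the check was made against. If the second line ever differs from the first, do not trust the image; re-acquire and hash again.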