Wednesday, January 28, 2009

Hash of a CD

Recently I had to see if two CDs were identical. I had the hash value of the iso for the desired content so I decided to check the hash for both CDs. There is really not that much to this post, but just in case someone ever needs to know how to do this I'll give you the command line how-to.

In my case, md5sum /dev/cdrom did not work. Now there is no reason to copy the CD to an iso file in order to do this. You can just use dd and pipe the output into md5sum or sha1sum.

I found that a straight dd without extra options did not work, so use isoinfo to get the logical block size and the volume size (which isoinfo reports in logical blocks) and feed them to dd (bs="Logical block size" and count="Volume size"). I decided to put this all into a bash script you can find here. The code is shown below:

#!/bin/bash
# Device to hash; change this if your drive is not /dev/cdrom.
DEV=/dev/cdrom

# Pull the geometry out of "isoinfo -d". It prints "Logical block size is: N"
# before "Volume size is: N" (the volume size is counted in logical blocks),
# so the first value captured is the block size and the second the block count.
INFO=$(isoinfo -d -i "$DEV" \
  | awk '{ if ($1 ~ /Volume/ && $2 ~ /size/) print $4;
           else if ($1 ~ /Logical/ && $2 ~ /block/ && $3 ~ /size/) print $5 }')

INFO=($INFO)

echo "Logical block size: ${INFO[0]}"
echo "Volume size: ${INFO[1]}"
echo "Now executing: "
echo "dd if=$DEV bs=${INFO[0]} count=${INFO[1]} conv=notrunc,noerror,sync | md5sum"

dd if="$DEV" bs="${INFO[0]}" count="${INFO[1]}" \
  conv=notrunc,noerror,sync | md5sum

It's not the most beautiful solution, but there it is. This uses md5; for other hashes, just modify the script as needed. Also, if your CD device is not /dev/cdrom, modify that as well.
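As an added example (my own, not the post's script), here is the same procedure in POSIX sh with the pieces split into functions: parse the geometry out of isoinfo's output, hash exactly block size times block count bytes through dd, and compare the result with a known digest. It uses sha256sum instead of md5sum, assumes coreutils dd and sha256sum on PATH and, for hash_cd only, isoinfo; the demo at the bottom runs on a constructed file so no drive is needed. The function names are mine.

```shell
#!/bin/sh
# Added example, not the post's script. Hash exactly the ISO 9660 volume of
# a disc, sized from isoinfo's geometry, and compare against a known digest.

# Read "isoinfo -d" text on stdin and print "<block size> <block count>".
# Matching the first words exactly keeps "Volume set size is: 1" out.
parse_iso_geometry() {
    awk '$1 == "Logical" && $2 == "block" && $3 == "size" { bs = $5 }
         $1 == "Volume"  && $2 == "size"                  { count = $4 }
         END { if (bs && count) print bs, count; else exit 1 }'
}

# Hash bs*count bytes of $1 (device or image file); bs=$2, count=$3.
# noerror,sync keeps dd going past an unreadable sector and zero-pads it,
# so a damaged disc yields a non-matching digest instead of a short read.
hash_iso_area() {
    dd if="$1" bs="$2" count="$3" conv=noerror,sync 2>/dev/null \
        | sha256sum | awk '{ print $1 }'
}

# Case-insensitive comparison of a computed digest with the published one.
verify_digest() {
    [ "$(printf '%s' "$1" | tr 'A-Z' 'a-z')" = "$(printf '%s' "$2" | tr 'A-Z' 'a-z')" ]
}

# Full run on a real drive (assumes isoinfo is installed): $1 is the device.
hash_cd() {
    geom=$(isoinfo -d -i "$1" | parse_iso_geometry) || return 1
    set -- "$1" $geom
    hash_iso_area "$1" "$2" "$3"
}

# Offline demo on constructed data: a 4-block "volume" (2048-byte blocks)
# followed by 1000 bytes of trailing junk, which is what makes hashing the
# raw device as a whole fail to match the .iso's digest.
demo() {
    tmp=$(mktemp)
    head -c 8192 /dev/zero | tr '\0' 'A' > "$tmp"
    expected=$(sha256sum < "$tmp" | awk '{ print $1 }')   # digest of the image proper
    head -c 1000 /dev/zero | tr '\0' 'B' >> "$tmp"        # junk past the volume end
    geom=$(printf 'Volume set size is: 1\nLogical block size is: 2048\nVolume size is: 4\n' \
           | parse_iso_geometry)
    set -- $geom
    got=$(hash_iso_area "$tmp" "$1" "$2")
    whole=$(sha256sum < "$tmp" | awk '{ print $1 }')
    rm -f "$tmp"
    if verify_digest "$got" "$expected" && ! verify_digest "$whole" "$expected"; then
        echo match
    else
        echo MISMATCH
    fi
}

demo
```

Against a real disc the call is `verify_digest "$(hash_cd /dev/cdrom)" <published digest>`; the demo only shows why bounding the read by the volume geometry matters, since the whole-file digest (junk included) does not match while the geometry-bounded one does.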

Thursday, January 15, 2009

Practitioner's Guide to Capturing and Analysis of RAM

This is a late post, but I've been busy... I learned about this video from Moyix on the Volatility irc channel (#volatility on freenode). It's nice that people like vol2html. It encourages me to add more to it...

There's more info here if you are interested. I'm glad to see that memory analysis is getting more visibility. Cool stuff! Enjoy!


Dale Beauchamp - DojoSec January 2009 from Marcus Carey on Vimeo.

Sunday, January 11, 2009

vol2html.pl update

I made a small update to vol2html.pl. Since there are a lot of html files being generated, I thought it might be nice to allow the user to specify an output directory. So there is an extra (optional) option:

-D <output_dir>

if you want to print all html files to another directory. If the directory does not exist, it is created. The script currently does not check if files exist in this directory and will clobber any files with the same name.

I have also added some more information about the open files. You can now see all processes that have the same open files and how many times each process has a file open. To do this, click on the process of interest and click open files. Each file name is linked to a report, which contains a list of all processes (by pid) that have the file open and how many times that process has the file open. There is a link to each pid as well.

Also new: there is a link to the index.html file at the end of each report.
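To show the data behind that per-file report, here is an added example in shell (mine; not vol2html.pl, which is Perl, and not its HTML format): it builds the file -> pid -> handle-count index from a constructed pid/path handle listing, then writes one report per file into an output directory, creating the directory as -D does but refusing to overwrite an existing file rather than clobbering it. The listing shape, report file names and function names are all assumptions.

```shell
#!/bin/sh
# Added example; not vol2html.pl itself. Builds the "which processes have
# this file open, and how many times" index the post describes from a
# pid/path handle listing, and writes one report per file into an output
# directory, creating it if missing but refusing to overwrite existing files.

# Constructed sample handle listing, "pid<TAB>path" per line (a real
# Volatility listing carries more columns; this shape is an assumption).
sample_handles() {
    printf '%s\t%s\n' \
        4    '\Device\HarddiskVolume1\WINDOWS\system32\config\SAM' \
        616  '\Device\HarddiskVolume1\pagefile.sys' \
        616  '\Device\HarddiskVolume1\WINDOWS\system32\config\SAM' \
        616  '\Device\HarddiskVolume1\WINDOWS\system32\config\SAM' \
        1024 '\Device\HarddiskVolume1\pagefile.sys'
}

# stdin: "pid<TAB>path"; stdout: "path<TAB>pid<TAB>count", one line per
# (path, pid) pair, grouped by path (C locale keeps the grouping stable).
# This is the inverted index behind the per-file report.
open_file_index() {
    awk -F'\t' '{ n[$2 "\t" $1]++ } END { for (k in n) print k "\t" n[k] }' \
        | LC_ALL=C sort
}

# How many handles pid $2 holds on path $1, read from an index on stdin
# (0 if none). The path goes through the environment rather than -v,
# because awk would interpret the backslashes in a -v assignment.
handle_count() {
    F="$1" P="$2" awk -F'\t' 'BEGIN { c = 0 }
        $1 == ENVIRON["F"] && $2 == ENVIRON["P"] { c = $3 } END { print c }'
}

# Write stdin to $1/$2, creating $1 if needed. Unlike the script described
# in the post, an existing file is left alone and 1 is returned.
write_report() {
    mkdir -p "$1" || return 1
    if [ -e "$1/$2" ]; then
        echo "refusing to overwrite $1/$2" >&2
        return 1
    fi
    cat > "$1/$2"
}

# One report per file under $1, named file_1.txt, file_2.txt, ... (the path
# is recorded inside the report, never used as a file name). Reads the
# index on stdin and prints the number of reports written.
write_file_reports() {
    idx=$(mktemp); cat > "$idx"
    n=0; prev=""
    while IFS="$(printf '\t')" read -r path pid count; do
        if [ "$path" != "$prev" ]; then
            n=$((n + 1)); prev=$path
            if ! printf 'file: %s\n' "$path" | write_report "$1" "file_$n.txt"; then
                rm -f "$idx"; return 1
            fi
        fi
        printf 'pid %s: %s handle(s)\n' "$pid" "$count" >> "$1/file_$n.txt"
    done < "$idx"
    rm -f "$idx"
    echo "$n"
}

demo() {
    out=$(mktemp -d)
    n=$(sample_handles | open_file_index | write_file_reports "$out/reports")
    echo "$n reports written under $out/reports"
    cat "$out/reports/file_1.txt"
}

demo
```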

Since my website is down for now, you can get the updated script here. (updated 1/11/09 and moved from google code which was messing up some things)

Hopefully this is helpful.

Another update: Here's a second report to look at.

The venus website is down, so if you need to download vol2html you can get it from the new Google code page.

Still more to come....

Tuesday, January 06, 2009

OT: Twitter

So I finally broke down and created a Twitter account recently. It started when I began watching a few people on Twitter. They often had very interesting Tweets related to my interests. After a while I realized that it would be easier to keep up with these Tweets by following these people with my own Twitter account.

Now, the reason I haven't had one up to this point was mostly because I was afraid of the privacy issues. While teaching undergraduate classes I have often been asked if I have a Facebook, Myspace, Twitter (or whatever) account so that students could "befriend" me. Till now I have abstained from these types of accounts mostly to avoid these types of student/teacher online friendships. Not that I dislike my students (I don't), but I just figured it might get uncomfortable at some point.

I am wondering if others have struggled with this issue. I know there are some people on Twitter who teach classes like me...

I have made my Tweets private for now to make sure that I know who is following me (but can you ever *really* know?). I know this is probably not the most favorable setup, but it makes me feel somewhat better that my inconsequential Tweets are not just openly exposed to everyone.

The people on Twitter are cool and the information they give rocks. So far I am really enjoying it :-)