Wednesday, March 10, 2010


I had a friend of mine tell me about his new Blog. TecRoc is a fellow OSCP, and has an excellent write up about Windows Stack Based Buffer overflows. Check out his blog for some great information.

TecRoc Rocks!

Wednesday, March 3, 2010

Some more with Disk Duplicator

The objective of this exercise was to check the md5 sum of the files contained in the image after they have been altered. This is a simple example of how the slightest change in the file can alter the md5 hash. The real lesson is that when you are taking an image of a file or a drive the smallest change can affect the file. So you need to be sure that in your investigation you only work with a copy of the original. NOT the original.

I used md5deep.exe to verify the two files on my image thumb drive.

C:\MSDOS-Tools>md5deep.exe L:\cute.jpg
5fccb53e44d96cdaaa423a372f3f3d30 L:\cute.jpg

C:\MSDOS-Tools>md5deep.exe L:\white.gif
669e44cf64f3bccf8ab5f8853442c235 L:\white.gif

Next I opened the cute.jpg file and cropped the picture and saved the file upon closing it. I verified the md5 of the file and it is different than the original.

C:\MSDOS-Tools>md5deep.exe L:\cute.jpg
e5a6766cf16d7d9467b9dee0034f27d9 L:\cute.jpg

For the file white.gif I rotated the picture 180 degrees. This just turned the picture upside down. I next re-ran the md5.

C:\MSDOS-Tools>md5deep.exe L:\white.gif
fce003a37516a5675be3f4446ca67297 L:\white.gif

Something I found interesting is that I checked the original image file md5 and created a new image file and the md5 sums where the same

C:\MSDOS-Tools>md5deep.exe C:\Users\Spl0it_Root\assignment1.001
9c60f52259fe7f7dc8aef64e9b68ffec C:\assignment1.001

C:\MSDOS-Tools>md5deep.exe C:\Users\Spl0it_Root\assignment1.002
9c60f52259fe7f7dc8aef64e9b68ffec C:\assignment1.002

This is the outcome that I would have expected. However I deleted the file assignment1.002 simply because I wanted to name the file assignment2.001 and when I connected to the file with Windows Explorer and then copied the file over the md5 sums where different.

This is an important item to note. The OS will modify the files when you access them. So if you are gathering data you need to ensure that you use write blocker on the drive that you are investigating.

C:\MSDOS-Tools>dd if=\\.\L: of=\Assignment2.001
rawwrite dd for windows version 0.4beta4.
Written by John Newbigin
This program is covered by the GPL. See copying.txt for details
2880+0 records in
2880+0 records out

C:\MSDOS-Tools>md5deep.exe C:\assignment2.001
d199c910c882386531e97b097903b83d C:\assignment2.001

C:\MSDOS-Tools>md5deep.exe C:\assignment1.001
9c60f52259fe7f7dc8aef64e9b68ffec C:\assignment1.001

Finally I used dd to create a new image of the thumb drive with the altered pictures.

C:\MSDOS-Tools>md5deep.exe C:\Assignment1.001
9c60f52259fe7f7dc8aef64e9b68ffec C:\Assignment1.001

C:\MSDOS-Tools>md5deep.exe C:\Assignment2.001
0bf95d4f4247692074df148d40d56e88 C:\Assignment2.001