Displaying 2 results from an estimated 2 matches for "dfrws2012".
2013 Nov 22
Re: Auditing a vm image - virt-diff - was: Read MBR and store in a file?
...s,
including libmagic and checksums). The tool "idifference" compares file
system states and enumerates differences, using the Digital Forensics XML
output from Fiwalk.
A research publication on the forensic differencing process and idifference
is here:
http://dfrws.org/2012/proceedings/DFRWS2012-6.pdf
Fiwalk is a component of The SleuthKit, here:
https://github.com/sleuthkit/sleuthkit
If you wish to use Fiwalk on your images, you should convert any of your
disk images to a raw image or Expert Witness Format.
Actually, I don't suppose qemu-img has a FUSE-like wrapper that exposes the
u...
2013 Nov 22
Auditing a vm image - virt-diff - was: Read MBR and store in a file?
Thank you all for your suggestions!
Richard W.M. Jones:
> I keep meaning to write a comprehensive "virt-diff" tool. I needed it
> myself just yesterday.
Most interesting. I guess there are two reasons for creating such a
tool: just compare the images (show the diff) and/or check for malicious
additions in the other image.
Did you consider implementing the former or both?
Do