# Case studies

## Files vs. dumps

Using sdhash to search for files in memory or on disk.

In this case study we have memory images from the M57 scenario, covering five consecutive days. sdhash automatically breaks these memory images into 128 MB chunks, producing one digest per chunk, as below:

```text
sdbf-dd:03:23:jo-2009-12-03.ram.0896M:132108288:sha1:256:5:7ff:192:8064:16384:38:AABAAJQAAgABCAMoISg...
sdbf-dd:03:23:jo-2009-12-04.ram.0000M:134217728:sha1:256:5:7ff:192:8192:16384:65:EEACBqQQYAGQEBAoAAS...
sdbf-dd:03:23:jo-2009-12-04.ram.0128M:134217728:sha1:256:5:7ff:192:8192:16384:bf:mghyC9xhJ4YA8FYlMKB...
```

The target machine that these images came from was suspected to be running TrueCrypt, so we can take several versions of TrueCrypt, hash them, and compare them to the memory images in sequence, like so:

```console
% sdhash -c truecrypt.sdbf jo-days.sdbf -t 40   # threshold optional
TrueCrypt-6.3a/truecrypt.sys|jo-2009-12-03.ram.0256M|054
TrueCrypt-6.3a/truecrypt.sys|jo-2009-12-04.ram.0256M|051
TrueCrypt-6.3a/TrueCrypt Format.exe|jo-2009-12-03.ram.0128M|041
TrueCrypt-6.3a/TrueCrypt.exe|jo-2009-12-03.ram.0128M|043
....
```

## Files vs. files

Using the set of TrueCrypt binaries from the previous case study, we can compare the unzipped installation files with each other and see which components are shared between versions:

```console
% sdhash -c truecrypt.sdbf -t 25
TrueCrypt-7.0a/TrueCrypt Format.exe|TrueCrypt Setup 7.0a.exe|026
```
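An added example, not sdhash's own code: a small Python reader for the two kinds of text artifact shown in these case studies. It parses the sdbf-dd digest headers (the field names are an assumption taken from sdhash's text format, which this page does not spell out), checks that the filter count matches the chunk size, and filters `sdhash -c` output by score threshold the way `-t` does.

```python
# Added example (not part of sdhash): a reader for the two text artifacts shown
# on this page. The sdbf-dd header field names below are an assumption drawn
# from sdhash's text format; the page itself does not name them.
import math

# Digest headers copied from the page, truncated after the first filter's data.
SAMPLE_HEADERS = [
    "sdbf-dd:03:23:jo-2009-12-03.ram.0896M:132108288:sha1:256:5:7ff:192:8064:16384:38:AABAAJQAAgABCAMoISg...",
    "sdbf-dd:03:23:jo-2009-12-04.ram.0000M:134217728:sha1:256:5:7ff:192:8192:16384:65:EEACBqQQYAGQEBAoAAS...",
]
# Comparison output copied from the page; '....' is the page's own truncation.
SAMPLE_COMPARE = """TrueCrypt-6.3a/truecrypt.sys|jo-2009-12-03.ram.0256M|054
TrueCrypt-6.3a/truecrypt.sys|jo-2009-12-04.ram.0256M|051
TrueCrypt-6.3a/TrueCrypt Format.exe|jo-2009-12-03.ram.0128M|041
TrueCrypt-6.3a/TrueCrypt.exe|jo-2009-12-03.ram.0128M|043
....
"""

# Header fields after the name (assumed order): original chunk size, hash algorithm,
# Bloom filter size in bytes, hashes per feature, bit mask (hex), max features per
# filter, number of filters, and bytes of input covered by each filter.
HEADER_FIELDS = ("size", "hash_alg", "bf_size", "hash_count", "mask",
                 "max_elem", "bf_count", "dd_block_size")

def parse_sdbf_dd_header(line: str) -> dict:
    """Parse one sdbf-dd line's header; the per-filter payload after it is ignored."""
    magic, version, name_len, rest = line.split(":", 3)
    n = int(name_len)
    if rest[n] != ":":  # the name is length-prefixed because it may itself contain ':'
        raise ValueError("name length field does not match the name")
    values = rest[n + 1:].split(":")[:len(HEADER_FIELDS)]
    hdr = {"magic": magic, "version": int(version), "name": rest[:n]}
    for key, raw in zip(HEADER_FIELDS, values):
        hdr[key] = raw if key == "hash_alg" else int(raw, 16 if key == "mask" else 10)
    return hdr

def filter_count_is_consistent(hdr: dict) -> bool:
    """A block digest needs one filter per dd_block_size bytes, rounded up."""
    return hdr["bf_count"] == math.ceil(hdr["size"] / hdr["dd_block_size"])

def parse_compare_output(text: str, threshold: int = 0) -> list:
    """Turn 'query|target|score' lines into tuples, dropping scores below threshold."""
    hits = []
    for line in text.splitlines():
        parts = line.split("|")
        # Blank lines and the '....' truncation marker do not have three fields.
        if len(parts) == 3 and int(parts[2]) >= threshold:
            hits.append((parts[0], parts[1], int(parts[2])))
    return hits
```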