Case studies

Files vs. dumps

Using sdhash to search for files in memory or on disk.

In this scenario we have several memory images from the M57 scenario, covering five consecutive days. sdhash automatically breaks each memory image into 128 MB chunks and produces one digest per chunk, as below:

sdbf-dd:03:23:jo-2009-12-03.ram.0896M:132108288:sha1:256:5:7ff:192:8064:16384:38:AABAAJQAAgABCAMoISg...
sdbf-dd:03:23:jo-2009-12-04.ram.0000M:134217728:sha1:256:5:7ff:192:8192:16384:65:EEACBqQQYAGQEBAoAAS...
sdbf-dd:03:23:jo-2009-12-04.ram.0128M:134217728:sha1:256:5:7ff:192:8192:16384:bf:mghyC9xhJ4YA8FYlMKB...

The target machine these images came from was suspected to be running TrueCrypt, so we can hash several versions of TrueCrypt and compare them against the memory images in sequence, like so:

% sdhash -c truecrypt.sdbf jo-days.sdbf -t 40   #threshold optional
TrueCrypt-6.3a/truecrypt.sys|jo-2009-12-03.ram.0256M|054
TrueCrypt-6.3a/truecrypt.sys|jo-2009-12-04.ram.0256M|051
TrueCrypt-6.3a/TrueCrypt Format.exe|jo-2009-12-03.ram.0128M|041
TrueCrypt-6.3a/TrueCrypt.exe|jo-2009-12-03.ram.0128M|043
....
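Reading that comparison output by hand gets tedious across five days of images, so here is an added helper (not part of sdhash) that parses the reference|target|score lines, applies a threshold, and reports which reference files reappear in the memory images on consecutive days. The sample output and the chunk naming pattern host-YYYY-MM-DD.ram.NNNNM are assumptions based on the lines shown above.

```python
"""Added example: parse `sdhash -c` output (reference|target|score), apply a
threshold, and report reference files matched on consecutive days."""
import re
from collections import defaultdict
from datetime import date, timedelta

# Constructed sample in the page's output format; not real sdhash output.
SAMPLE = """\
TrueCrypt-6.3a/truecrypt.sys|jo-2009-12-03.ram.0256M|054
TrueCrypt-6.3a/truecrypt.sys|jo-2009-12-04.ram.0256M|051
TrueCrypt-6.3a/TrueCrypt Format.exe|jo-2009-12-03.ram.0128M|041
TrueCrypt-6.3a/TrueCrypt.exe|jo-2009-12-03.ram.0128M|043
TrueCrypt-7.0a/TrueCrypt.exe|jo-2009-12-05.ram.0384M|012
"""

# Assumed chunk naming, as seen on the page: <host>-<YYYY-MM-DD>.ram.<offset>M
CHUNK_RE = re.compile(r"^(?P<host>.+)-(?P<date>\d{4}-\d{2}-\d{2})\.ram\.(?P<offset>\d+)M$")


def parse_results(text, threshold=0):
    """Yield (reference, day, offset_mb, score) for lines scoring >= threshold."""
    for line in text.splitlines():
        parts = line.strip().rsplit("|", 2)  # names may contain spaces but not '|'
        if len(parts) != 3:
            continue                         # skips blank lines and the '....' elision
        ref, target, score = parts
        m = CHUNK_RE.match(target)
        if m is None or int(score) < threshold:
            continue
        yield ref, date.fromisoformat(m["date"]), int(m["offset"]), int(score)


def hits_by_day(text, threshold=0):
    """Map each reference file to {day: sorted matching chunk offsets in MB}."""
    hits = defaultdict(lambda: defaultdict(list))
    for ref, day, offset, _ in parse_results(text, threshold):
        hits[ref][day].append(offset)
    return {ref: {d: sorted(o) for d, o in days.items()} for ref, days in hits.items()}


def persistent_refs(hits):
    """Return reference files that matched on at least two consecutive days."""
    out = []
    for ref, days in hits.items():
        seen = sorted(days)
        if any(b - a == timedelta(days=1) for a, b in zip(seen, seen[1:])):
            out.append(ref)
    return sorted(out)


if __name__ == "__main__":
    hits = hits_by_day(SAMPLE, threshold=40)
    for ref in persistent_refs(hits):
        print(ref, {d.isoformat(): o for d, o in hits[ref].items()})
```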

Files vs. files

Using the set of TrueCrypt binaries from the previous case, we can compare the unzipped installation files against each other and see which parts are shared between versions.

% sdhash -c truecrypt.sdbf -t 25
TrueCrypt-6.3a/License.txt|TrueCrypt-7.0a/License.txt|087
TrueCrypt-6.3a/truecrypt.sys|TrueCrypt-7.0a/truecrypt.sys|029
TrueCrypt-5.1a/License.txt|TrueCrypt-5.1a/TrueCrypt.exe|076
TrueCrypt-5.1a/License.txt|TrueCrypt-5.1a/TrueCrypt Format.exe|076
TrueCrypt-5.1a/License.txt|TrueCrypt Setup 5.1a.exe|055
TrueCrypt-5.1a/TrueCrypt.exe|TrueCrypt-5.1a/TrueCrypt Format.exe|037
TrueCrypt-6.3a/TrueCrypt Format.exe|TrueCrypt-6.3a/TrueCrypt.exe|036
TrueCrypt-6.3a/TrueCrypt Format.exe|TrueCrypt-7.0a/TrueCrypt Format.exe|026
TrueCrypt-7.0a/TrueCrypt.exe|TrueCrypt-7.0a/TrueCrypt Format.exe|027
TrueCrypt-7.0a/TrueCrypt Format.exe|TrueCrypt Setup 7.0a.exe|026