SANS Digital Forensics and Incident Response Blog

You will be hacked, will you be prepared?

"Hope for the best, prepare for the worst." — English proverb

"Before anything else, preparation is the key to success." — Alexander Graham Bell

Forensic analysts and the organizations employing them can simplify and expedite the forensic analysis process with preparation. If you accept that system compromise is a matter of when not if, then prepare your systems in advance for forensic analysis.

Before moving systems into production, grab a copy of Jesse Kornblum's MD5Deep from http://md5deep.sourceforge.net and create MD5 checksums of all the files on the system. Have your desktop folks incorporate this into their image building process. If you're really diligent, update your hashes after applying patches.

Astute readers will say, "I can download known hashes from NIST's National Software Reference Library (http://www.nsrl.nist.gov/). Why create my own?" NSRL is an amazing resource, but their collection contains millions of hashes and most of them will not pertain to your environment.

Taking advantage of your hash file requires using hfind from Brian Carrier, available from http://www.sleuthkit.org, to create an index of the MD5 file. When a system based on your image is compromised, run Carrier's sorter utility using your hash file and its index file against a copy of the system's image. Sorter will exclude all the known-good files that match your original system image.

Here's sample syntax:

sorter -h -x devbox.std_img.md5 -d ./sorter_results -m / hacked_devbox_sda1.img

[Figure: sorter command with verbose output]

This sorter command produces HTML output (-h), excludes (-x) any file with an MD5 sum matching one found in devbox.std_img.md5, saves results to the existing sorter_results directory (-d) and finally processes hacked_devbox_sda1.img. The -m flag specifies the mount point for the partition image being processed. In this case, the image was mounted at / so all files in our report will have path information relative to that. For Windows images, provide a drive letter (e.g. -m C:).

In our example the devbox partition contained 40945 files as reported by sorter. Our devbox.std_img.md5 file contained MD5 hashes for 40340 files. Sorter reduced the amount of data we need to investigate from 40K plus files to 605.
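To make the known-good filtering concrete, here is an added example (not from the original post, and not the md5deep, hfind or sorter code) that does the same job in Python: hash a gold image tree into an md5deep-style "digest  path" file, then walk a suspect copy and report only the files whose MD5 is absent from that baseline. The gold and suspect trees, file contents and the devbox.std_img.md5 name are all constructed for the demo.

```python
import hashlib
import tempfile
from pathlib import Path

def md5_file(path, chunk=1 << 20):
    """MD5 of one file, read in chunks so large binaries do not load whole."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def hash_tree(root):
    """Map each regular file under root (relative path) to its MD5 digest."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): md5_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}

def write_hashset(hashes, out_path):
    """Write 'digest  path' lines, the same shape md5deep -l produces."""
    with open(out_path, "w") as f:
        for rel, digest in hashes.items():
            f.write(f"{digest}  {rel}\n")

def load_hashset(path):
    """Read a hash file back into a set of digests. Paths are ignored on
    purpose: a known-good file is known-good wherever it sits, which is
    also why a renamed or copied system file is not flagged."""
    with open(path) as f:
        return {line.split()[0] for line in f if line.strip()}

def unknown_files(suspect_root, known):
    """The sorter -x logic: drop every file whose MD5 is in the baseline."""
    return sorted(rel for rel, d in hash_tree(suspect_root).items()
                  if d not in known)

def demo():
    """Constructed gold image vs. suspect copy: one file altered, one added."""
    with tempfile.TemporaryDirectory() as tmp:
        gold, suspect = Path(tmp, "gold"), Path(tmp, "suspect")
        for base in (gold, suspect):
            (base / "bin").mkdir(parents=True)
            (base / "bin" / "ls").write_bytes(b"original ls binary")
            (base / "etc").mkdir()
            (base / "etc" / "passwd").write_text("root:x:0:0::/root:/bin/sh\n")
        write_hashset(hash_tree(gold), Path(tmp, "devbox.std_img.md5"))
        known = load_hashset(Path(tmp, "devbox.std_img.md5"))
        (suspect / "bin" / "ls").write_bytes(b"modified ls binary")   # altered
        (suspect / "tmp").mkdir()
        (suspect / "tmp" / "dropped.txt").write_text("not in the image")  # new
        return unknown_files(suspect, known)   # -> ['bin/ls', 'tmp/dropped.txt']
```

Everything that matched the baseline (etc/passwd here) drops out of the result, leaving only the altered and the new file for the analyst to look at.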

Commercial applications have similar capabilities. Consult your product's documentation for details.

Remember, preparation is the first phase of incident handling. Maintaining MD5s of the standard images your organization deploys is an easy step you can take that will save you hours or days when the inevitable happens.

Dave Hull, GCFA Silver #3368, is an aspiring maker and technologist specializing in information security. He is the principal consultant and founder of Trusted Signal.