...
Figure 1: Nautilus file manager in Ubuntu Linux 12.04
Calculate and Display MD5 Sums
A checksum (of which MD5 sums are one type) is a string of characters produced by an algorithm acting on a file; the checksum is used to validate data integrity, as the algorithm will produce a different checksum if any changes occur to the file in question, making it easy to detect errors that may have been introduced during the file's transmission or storage (e.g. due to physical damage, bit rot, malicious intent, or accidental non-write-protected usage). The sum thus acts as an identifier for the file in its exact current state. You can calculate the sum at a point when you know your file (e.g. a disk image) isn't corrupted or altered, and calculate the sum again at later points in time, comparing the newly calculated sum to the original sum to check that the disk has not been corrupted or altered. See page for more on how checksums work.
- Open Nautilus and navigate to the file or files for which you would like to calculate MD5 sums.
- Choose the desired file or files.
- Right click on any of the file icons and navigate to Scripts > File Analysis > Calculate MD5 (see Figure 2).
- Choose whether you would like the MD5 sum to be displayed or saved (if you have chosen multiple files, the output will be saved by default) (see Figure 3).
- If you chose to save the MD5 sum(s), a file listing each of the MD5's will be generated in your present directory. Otherwise the MD5 sum will be displayed in a window.
Figure 2: Choose "Calculate MD5" in the Nautilus script menu.
Figure 3: Choose to either save or display the MD5 sum output.
Report on file types/file info
File Info
The File Info add-on to Nautilus allows the user to perform a number of file-identifying tasks including gathering metadata, generating ASCII and Unicode streams, and viewing MD5 and SHA1 hash sums. To run File Info:
- Open Nautilus and navigate to the desired file.
- Right click on the file and navigate to Scripts > FileInfo.
- Choose the desired report in the menu. (see Figure 4)
- To close File Info, click the "Cancel" button.
Figure 4: Choose the desired information in the File Info menu.
Show File Details
Show file name, size, blocks, access permissions, and history (see Figure 5).
- Open Nautilus and navigate to the desired file.
- Right click on the file and navigate to Scripts > File Analysis > Show File Details.
Figure 5: Use the Show File Details script to display the file name, size, permissions, and more.
Display a file in hex
- Open Nautilus and navigate to the desired file.
- Right click the file and navigate to Scripts > File Analysis > View in Hexeditor (see Figure 6).
Figure 6: Viewing a file in hex.
Live Search for Files by Name and Content
Search for files by either name or content
- Open the Nautilus file browser
- Right click anywhere within the browser and navigate to Scripts > Find Files (see Figure 7).
- Choose either "Find by Content" or "Find by Name", depending on your search requirements.
- After the find interface opens, type your search terms into the search window (see Figure 8).
Figure 7: Choose which of the Find Files options works best for your search.
Figure 8: Enter your search terms in the appropriate window.
Search for images recursively in the present directory
- Open the Nautilus file browser.
- Navigate to the top of the directory tree you would like to search. (Example: to search for all images in a users home directory, navigate to /home/[username])
- Right click anywhere within Nautilus and navigate to Scripts > Find Files > Find Images (recursively).
- Nautilus will open a new window and create a temp directory with symlinks to all of the images found in the directory/directories you searched.
- Click 'No' when asked if you would like to delete the new temp directory (see Figure 9).
Figure 9: Click 'No' when asked if you would like to delete the temp directory.
Extracting Compressed Files
- Open Nautilus and navigate to the archive you would like to decompress.
- Right click on the file that has been compressed using zip or gzip. Choose 'Open With Archive Manager'. (Note that a compressed file type such as a zip file is often referred to as an 'archive' within the Ubuntu Linux environment and technical communities.)
- A new window will open in which you can either browse the contents or extract them (see Figure 10).
- Left click on the 'Extract' button to extract the contents.
- Navigate to the location to which you would like the files extracted using the navigation window (see Figure 11).
- Left click the 'Extract' button on the bottom right of the window to complete the process.
Figure 10: Either browse or extract the archive in this window.
Figure 11: Navigate to where you would like the file extracted and then click 'Extract'.
Display E01 or AFF Disk Image Metadata
One of the primary benefits to using forensics disk images--as opposed to a raw disk image--is that the metadata created during the imaging process is packaged with the disk image itself. That way, no matter where the disk image is moved, its metadata always travels with it. This Nautilus script allows users to quickly and easily view the forensics metadata associated with either an EnCase (E01) or Advanced Forensics Format (AFF) disk image.
...
Figure 12: Choose either EO1 or AFF depending on the disk image type.
...
Common disk image, file, and metadata handling tasks:
Calculate and Display MD5 Sums
Display a file in Hex editor
Display Disk Image Metadata
Extract Compressed Files
Live Search for Files by Name and Content
Review File Info and File Details
Related articles
| Content by Label | ||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
...