
clarification about the output of hashdeep audit mode

Open meeotch opened this issue 2 years ago • 0 comments

I'm trying to understand the output of hashdeep's audit mode. I performed this test (on Ubuntu, and also Windows/cygwin, both hashdeep v4.4), via:

  • create a directory "hashtest" with two items: old.txt & changed.txt
  • run hashdeep on it: hashdeep -r -l hashtest/ 2>log.txt 1>hash.txt
  • delete old.txt, and create a new file new.txt
  • change the contents of changed.txt
  • the directory hashtest now contains one changed file, one new file, and one missing file
  • run hashdeep audit mode: hashdeep -vvv -r -l -a -k hash.txt hashtest/ |& tee check.log

The output is as follows:

hashtest/changed.txt: No match
hashtest/new.txt: No match
hashtest/changed.txt: Known file not used
hashtest/old.txt: Known file not used
hashdeep: Audit failed
   Input files examined: 0
   Known files expecting: 0
   Files matched: 0
   Files partially matched: 0
   Files moved: 0
   New files found: 2
   Known files not found: 2

Here are my questions/assumptions:

  • Input files examined - I'm surprised this is zero. Why not 2?
  • Known files expecting - What does this refer to? How is it different from "Known files not found"?
  • Files matched - This makes sense. No files match known hashes.
  • Files partially matched - Also makes sense, since not running in piecewise mode.
  • Files moved - Also makes sense. No files match known hashes.
  • New files found - changed.txt appears as deleted + new. Which would make sense if filenames are ignored, and only hashes are considered relevant. But the man page seems to imply that audit mode is sensitive to filenames somehow: "-E When in audit mode, performs case insensitive matching of filenames." So are filenames considered, or not?
  • Known files not found - see previous note about changed.txt.

It appears that new files get "No match", deleted files get "Known file not used", and changed files get both. This requires some grepping of the logs to find changed files, which seems weird to me. If filenames are indeed considered, I'd think there'd be a "Changed files" output line.

Can someone set me straight?

meeotch, Jun 23 '22 19:06
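The post above notes that hashdeep's audit summary only reports "No match" and "Known file not used", so a changed file shows up as one of each and a renamed file looks like a delete plus a new file. Below is an added Python example (not hashdeep's code, and not from the issue) that reproduces the test from the post in a temporary directory and classifies the result by filename first and digest second, so changed, moved, new and deleted files come out as separate lists. It assumes the known-hashes file layout described in the hashdeep man page: `%%%%` header lines, the second naming the columns (`size,md5,sha256,filename`), `##` comment lines, then one comma-separated row per file with the filename last. The sample directory contents and the `render_hashdeep` writer are constructed here to stand in for `hash.txt`; `hashtest/renamed.txt` is an extra file added to show the moved case.

```python
"""Classify a hashdeep known-hashes file against a directory's current state.

Added example, not hashdeep's own code. Assumes the hashdeep file layout from
the man page: '%%%%' header lines (one lists the columns), '##' comment lines,
then one comma-separated row per file with the filename as the last column.
"""
import hashlib
import tempfile
from pathlib import Path

ALGOS = ("md5", "sha256")   # hashdeep's default algorithm set


def digest_file(path: Path) -> dict:
    """Return {'size': n, 'md5': hex, 'sha256': hex} for one file, read in chunks."""
    hashers = {a: hashlib.new(a) for a in ALGOS}
    size = 0
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            size += len(chunk)
            for h in hashers.values():
                h.update(chunk)
    out = {a: h.hexdigest() for a, h in hashers.items()}
    out["size"] = size
    return out


def hash_tree(root: Path) -> dict:
    """Hash every regular file under root. Keys are paths relative to root's
    parent, which is what 'hashdeep -r -l hashtest/' run from that parent emits."""
    return {p.relative_to(root.parent).as_posix(): digest_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def render_hashdeep(entries: dict) -> str:
    """Write entries in the assumed hashdeep file layout (constructed stand-in for hash.txt)."""
    cols = ["size", *ALGOS, "filename"]
    lines = ["%%%% HASHDEEP-1.0", "%%%% " + ",".join(cols),
             "## Invoked from: /example (constructed)", "## $ hashdeep -r -l hashtest/", "##"]
    for name, d in entries.items():
        lines.append(",".join([str(d["size"]), *[d[a] for a in ALGOS], name]))
    return "\n".join(lines) + "\n"


def parse_hashdeep(text: str) -> dict:
    """Parse a known-hashes file into {filename: {'size': int, 'md5': ..., 'sha256': ...}}."""
    cols, known = None, {}
    for line in text.splitlines():
        if line.startswith("%%%%"):
            body = line[4:].strip()
            if "," in body:                 # the column-list header, not the version line
                cols = body.split(",")
            continue
        if line.startswith("##") or not line.strip():
            continue
        if cols is None:
            raise ValueError("hash file has no '%%%% size,...,filename' header")
        fields = line.split(",", len(cols) - 1)   # filename is last and may contain commas
        row = dict(zip(cols, fields))
        row["size"] = int(row["size"])
        known[row.pop("filename")] = row
    return known


def audit(known: dict, current: dict) -> dict:
    """Compare by name first, then by digest: same name/different digest is
    'changed', same digest/different name is 'moved'; only the remainder is new or deleted."""
    def sig(d):
        return tuple(d[a] for a in ALGOS)

    report = {k: [] for k in ("matched", "changed", "moved", "new", "deleted")}
    unused_known = dict(known)          # known entries not yet explained by a current file
    for name in sorted(current):
        if name in known:
            report["matched" if sig(known[name]) == sig(current[name]) else "changed"].append(name)
            unused_known.pop(name)
    for name in sorted(current):
        if name in known:
            continue
        src = next((k for k, d in unused_known.items() if sig(d) == sig(current[name])), None)
        if src is None:
            report["new"].append(name)
        else:
            report["moved"].append((src, name))
            unused_known.pop(src)
    report["deleted"] = sorted(unused_known)
    return report


def demo() -> dict:
    """Reproduce the issue's test (constructed files) plus one renamed file, and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "hashtest"
        root.mkdir()
        (root / "old.txt").write_bytes(b"old content\n")
        (root / "changed.txt").write_bytes(b"version 1\n")
        (root / "renamed.txt").write_bytes(b"stable content\n")
        hash_txt = render_hashdeep(hash_tree(root))        # plays the role of hash.txt

        (root / "old.txt").unlink()                         # one file missing
        (root / "new.txt").write_bytes(b"brand new\n")      # one new file
        (root / "changed.txt").write_bytes(b"version 2\n")  # one changed file
        (root / "renamed.txt").rename(root / "moved.txt")   # one moved file
        return audit(parse_hashdeep(hash_txt), hash_tree(root))


if __name__ == "__main__":
    for kind, names in demo().items():
        print(f"{kind}: {names}")
```

Because `audit` keys on the filename before falling back to digest lookup, `hashtest/changed.txt` appears once, under `changed`, instead of as a "No match" line plus a "Known file not used" line; a real `hash.txt` produced by `hashdeep -r -l` can be fed to `parse_hashdeep` in place of the constructed one, as long as the directory is hashed from the same working directory so the relative paths line up.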