Sniff
A tool for investigating file systems and folder contents and their changes.
Sniff can
- create snapshots of file systems and folders, storing hashes and metadata.
- compare two snapshots, looking at the changes between them.
- list files and look at metadata in a snapshot.
- aggregate data from multiple snapshots into a database.
- compare the database to a snapshot to see which files have never been seen.
Building
Run
cargo build --release
using a current nightly Rust release.
The resulting binary will be in target/release/sniff
.
Running
Run
sniff --help
for a list of available subcommands and options.
Creating a snapshot
To create a snapshot of a VDI image, run something like the following:
sniff create-snapshot /path/to/image.vdi /output/folder
Note that for VDI support the command vboximg-mount
needs to be installed. Also currently the contained file system is a assumed to be NTFS and thus ntfs-3g
also needs to be installed.
Optionally you may wish to record hashes and paths in the snapshot in a database file, you can do so using the following options: -D /path/to/database/file.sqlite --comment "image description"
.
If you want to record a snapshot of a folder that is already mounted, you can simply point to that folder instead:
sniff create-snapshot /path/to/folder/of/interest /output/folder
Looking through a snapshot and comparing snapshots
The main subcommand that is useful here is
sniff ls /path/to/snapshot /path/to/folder/in/snapshot
To compare how a folder changed in snapshots, use the -c /path/to/other/snapshot
option.
To not show too much information at once, you can limit the depths of directories which are traversed with the -d
option.
Another useful option is -o /path/to/output/image.png
, that generates a visualization of the target folder in the snapshot.
To learn more about the other possible options use the --help
flag.
Example usage
sniff ls ~/snapshots/my_system.snp -c ~/snapshots/my_system_later.snp /Windows -o ~/diff.png -d2 -e dll,exe -u
The above command compares the Windows
folder (note the use of /
instead of \
) in the given snapshot with a later snapshot of the same system, taking into account the database of known files. It will display only dll and exe files and it will only look two directories deep, after which it will just summarize how many files would have been shown. Changed, added or removed files will be highlighted, but unchanged files will also be shown.
Also a visual representation of the differences will be generated in ~/diff.png
. The added files will be displayed in blue, the removed files in red and the changed files in yellow. All unchanged dll files will be displayed in cyan and all unchanged exe files will be displayed in green. Other unchanged files will be displayed in grey.
sniff ls ~/snapshots/my_system.snp -D ~/snapshot_db.sqlite / -o ~/summary.png -d1 -A 2022-12 -B 2023
The above command summarizes how many "unknown" files that were either accessed, modified or created in December of 2022 are in each top level folder in the snapshot.
Also a visual representation of the file system will be generated in ~/summary.png
, highlighting the known files in white and the other files in grey.
sniff ls ~/snapshots/my_system.snp /path/to/some/file
Displays every piece of information available on the given file in detail, including hashes, the first bytes and metadata. The same is possible for folders as seen below.
sniff ls ~/snapshots/my_system.snp /path/to/some/folder -d0
Displays every piece of information (except for the content of the folder) available on the given folder in detail.
Things to watch out for
- Sniff is still in the prototyping stage and thus breaking changes may occur at any time (though care will be taken to always be able to read old snapshots).
- Sniff was primarily designed to observe Windows systems stored on NTFS, but through later additions it can also work well on any UNIX system.
- Sniff in its current design can only be compiled for UNIX systems. Eventually support for other systems may be possible, but a good solution for different representations of paths on different platforms needs to be found.
- Keep in mind that if you want to look at a whole file system, a lot of data is being generated and hashed. While sniff tries to be fast and efficient, it was not designed with weak hardware in mind, so a decently performant system is recommended.
Naming
Sniff stands for SNapshot creation and dIFFerence calculation, it used to be called SNapdIFF in earlier iterations.