Sniff

A tool for investigating file systems and folder contents and their changes.

Sniff can

  • create snapshots of file systems and folders, storing hashes and metadata.
  • compare two snapshots, looking at the changes between them.
  • list files and look at metadata in a snapshot.
  • aggregate data from multiple snapshots into a database.
  • compare the database to a snapshot to see which files have never been seen.

Building

Run

cargo build --release

using a current nightly Rust release.

The resulting binary will be in target/release/sniff.

Running

Run

sniff --help

for a list of available subcommands and options.

Creating a snapshot

To create a snapshot of a VDI image, run something like the following:

sniff create-snapshot /path/to/image.vdi /output/folder

Note that for VDI support the command vboximg-mount needs to be installed. Also, the contained file system is currently assumed to be NTFS, so ntfs-3g needs to be installed as well.

Optionally, you may also want to record the hashes and paths of the snapshot in a database file. You can do so with the following options: -D /path/to/database/file.sqlite --comment "image description".

If you want to record a snapshot of a folder that is already mounted, you can simply point to that folder instead:

sniff create-snapshot /path/to/folder/of/interest /output/folder

Looking through a snapshot and comparing snapshots

The main subcommand that is useful here is

sniff ls /path/to/snapshot /path/to/folder/in/snapshot

To compare how a folder changed in snapshots, use the -c /path/to/other/snapshot option.

To avoid showing too much information at once, you can limit the directory depth that is traversed with the -d option.

Another useful option is -o /path/to/output/image.png, that generates a visualization of the target folder in the snapshot.

To learn more about the other possible options use the --help flag.

Example usage

sniff ls ~/snapshots/my_system.snp -c ~/snapshots/my_system_later.snp /Windows -o ~/diff.png -d2 -e dll,exe -u

The above command compares the Windows folder (note the use of / instead of \) in the given snapshot with a later snapshot of the same system, taking into account the database of known files. It displays only dll and exe files and only looks two directories deep, after which it just summarizes how many files would have been shown. Changed, added or removed files are highlighted, but unchanged files are also shown.

Also a visual representation of the differences will be generated in ~/diff.png. The added files will be displayed in blue, the removed files in red and the changed files in yellow. All unchanged dll files will be displayed in cyan and all unchanged exe files will be displayed in green. Other unchanged files will be displayed in grey.

sniff ls ~/snapshots/my_system.snp -D ~/snapshot_db.sqlite / -o ~/summary.png -d1 -A 2022-12 -B 2023

The above command summarizes, for each top-level folder in the snapshot, how many "unknown" files were accessed, modified or created in December 2022.

Also a visual representation of the file system will be generated in ~/summary.png, highlighting the known files in white and the other files in grey.

sniff ls ~/snapshots/my_system.snp /path/to/some/file

Displays every piece of information available on the given file in detail, including hashes, the first bytes and metadata. The same is possible for folders as seen below.

sniff ls ~/snapshots/my_system.snp /path/to/some/folder -d0

Displays every piece of information (except for the content of the folder) available on the given folder in detail.
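To make the three questions above concrete (what changed between two snapshots, which files a database has never seen, and which files fall into a time window), here is an added example built only from coreutils and awk. It is not sniff's code and does not call sniff; the snapshot format (one tab-separated line per file: SHA-256, mtime in epoch seconds, relative path), the "known database" (one hash per line), and the sample trees and timestamps are all constructed for this illustration.

```shell
#!/bin/sh
# Added example, not part of sniff: a minimal snapshot / diff / known-file
# workflow. The snapshot format below is constructed for this example:
#   <sha256><TAB><mtime epoch seconds><TAB><path relative to snapshot root>

# Hash one file with whatever SHA-256 tool is available.
hash_file() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# Modification time in epoch seconds (GNU stat first, BSD stat as fallback).
mtime_of() {
  stat -c %Y "$1" 2>/dev/null || stat -f %m "$1"
}

# create_snapshot ROOT OUT: one line per regular file under ROOT.
# (Paths containing newlines are not handled; fine for an illustration.)
create_snapshot() {
  root=$1; out=$2
  ( cd "$root" && find . -type f | sort | while IFS= read -r f; do
      printf '%s\t%s\t%s\n' "$(hash_file "$f")" "$(mtime_of "$f")" "${f#./}"
    done ) > "$out"
}

# compare_snapshots OLD NEW: prints "added / changed / removed <path>" lines,
# which is the comparison sniff's -c option performs on two snapshots.
compare_snapshots() {
  awk -F'\t' '
    NR == FNR { old[$3] = $1; next }            # first file: remember old hashes
    {
      if (!($3 in old))       print "added   " $3
      else if (old[$3] != $1) print "changed " $3
      delete old[$3]                            # whatever is left was removed
    }
    END { for (p in old) print "removed " p }' "$1" "$2" | sort
}

# unknown_files DB SNAPSHOT: paths whose hash is absent from DB (one hash per
# line), i.e. files the database has never seen, wherever they live.
unknown_files() {
  awk -F'\t' 'NR == FNR { known[$1] = 1; next } !($1 in known) { print $3 }' "$1" "$2" | sort
}

# files_in_window SNAPSHOT AFTER BEFORE: paths with AFTER <= mtime < BEFORE,
# the same idea as the -A / -B options above (here on mtime only).
files_in_window() {
  awk -F'\t' -v a="$2" -v b="$3" '$2 >= a && $2 < b { print $3 }' "$1" | sort
}

# sample_snapshot OUT: a constructed snapshot with fake hashes and mtimes of
# 2022-12-01 00:00 UTC, mid-December 2022 and 2023-01-01 00:00 UTC.
sample_snapshot() {
  printf '%s\t%s\t%s\n' \
    0000000000000000000000000000000000000000000000000000000000000001 1669852800 Windows/System32/a.dll \
    0000000000000000000000000000000000000000000000000000000000000002 1671000000 Users/x/dropped.exe \
    0000000000000000000000000000000000000000000000000000000000000003 1672531200 Users/x/jan.txt > "$1"
}

# demo: build two small constructed trees, snapshot both, print the comparison.
demo() {
  work=$(mktemp -d)
  mkdir -p "$work/v1/bin" "$work/v2/bin"
  printf 'alpha\n'  > "$work/v1/bin/keep.exe"
  printf 'beta\n'   > "$work/v1/bin/old.dll"
  printf 'gamma\n'  > "$work/v1/notes.txt"
  printf 'alpha\n'  > "$work/v2/bin/keep.exe"     # unchanged
  printf 'delta\n'  > "$work/v2/bin/new.dll"      # added
  printf 'gamma2\n' > "$work/v2/notes.txt"        # changed; old.dll is removed
  create_snapshot "$work/v1" "$work/v1.snap"
  create_snapshot "$work/v2" "$work/v2.snap"
  compare_snapshots "$work/v1.snap" "$work/v2.snap"
  rm -rf "$work"
}
```

Running demo prints three lines (added bin/new.dll, changed notes.txt, removed bin/old.dll); unchanged files are silent here, whereas sniff ls shows them too. Hashing every file is the expensive step, which is why a real tool stores the snapshot once and answers later questions (diff, unknown files, time windows) from the stored data rather than re-reading the disk.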

Things to watch out for

  • Sniff is still in the prototyping stage and thus breaking changes may occur at any time (though care will be taken to always be able to read old snapshots).
  • Sniff was primarily designed to observe Windows systems stored on NTFS, but through later additions it can also work well on any UNIX system.
  • Sniff in its current design can only be compiled for UNIX systems. Eventually support for other systems may be possible, but a good solution for different representations of paths on different platforms needs to be found.
  • Keep in mind that if you want to look at a whole file system, a lot of data is being generated and hashed. While sniff tries to be fast and efficient, it was not designed with weak hardware in mind, so a decently performant system is recommended.

Naming

Sniff stands for SNapshot creation and dIFFerence calculation; in earlier iterations it was called SNapdIFF.
