.TH forensics-colorize "1" "Sep 2015" "FORENSICS-COLORIZE 1.1" "show differences between files using color graphics"
.\" Text automatically generated by txt2man
.SH NAME
\fBforensics-colorize\fP \- show differences between files using color graphics
.SH SYNOPSIS
.nf
.fam C
\fBfilecompare\fP [\fB-b\fP size[bkmgpe]] [\fB-Vh\fP] \fIFILE1\fP \fIFILE2\fP
\fBcolorize\fP [\fB-h\fP|\fB-V\fP] [\fB-w\fP <num>] [\fB-ovd\fP] \fIFILES\fP
.fam T
.fi
.SH DESCRIPTION
forensics-\fBcolorize\fP is a set of tools to visually compare large files, such
as filesystem images, by creating graphics of them. It is intuitive because
the produced graphics give a quick sense of the percentage of changes
between two files.
.PP
Comparing large text files with a simple diff can produce a very large
number of output lines, which is confusing to read. In addition, diff is
not suitable for comparing binary files.
.PP
forensics-\fBcolorize\fP uses two command line programs: \fBfilecompare\fP and \fBcolorize\fP.
The \fBfilecompare\fP command creates a special auxiliary input file for
\fBcolorize\fP. The \fBcolorize\fP command then generates an intuitive graphic
that makes it easier to perceive the level of changes between the files. In
other words, the output of \fBfilecompare\fP is the input to be analyzed by
the \fBcolorize\fP command.
.SH OPTIONS FOR FILECOMPARE
.TP
.B
\fB-b\fP
Set block size with optional suffix b, k, m, g, p, or e. Note that the
program will output at least one complete block. Make sure that you have
enough disk space!
.TP
.B
\fB-t\fP
Use transitional colors instead of default red or green.
.TP
.B
\fB-V\fP
Display version number and exit.
.TP
.B
\fB-h\fP
Display this help message.
.SH OPTIONS FOR COLORIZE
.TP
.B
\fB-d\fP
Change the direction in which data flows in the image. Default is down or right.
.TP
.B
\fB-o\fP
Change image orientation. Default is vertical.
.TP
.B
\fB-v\fP
Verbose mode.
.TP
.B
\fB-w\fP
Set output image width, defaults to 100.
.TP
.B
\fB-V\fP
Display version number and exit.
.TP
.B
\fB-h\fP
Display this help message and exit.
.SH EXAMPLES
To generate the auxiliary input file from the 'test1' and 'test2' files, to be
analyzed by \fBcolorize\fP:
.PP
.nf
.fam C
$ filecompare test1 test2 > test.fc
.fam T
.fi
To analyze the result:
.PP
.nf
.fam C
$ colorize test.fc
.fam T
.fi
The last command will generate the test.fc.bmp file. You can open it with any
simple image viewer, such as sxiv. With default parameters for both
commands (\fBfilecompare\fP and \fBcolorize\fP), unchanged parts are shown in
green and changed parts in red.
.PP
To get larger or smaller final graphics, use the \fB-b\fP option of the \fBfilecompare\fP
command. As an example, the following command will produce a larger result than
the default:
.PP
.nf
.fam C
$ filecompare -b 64 test1 test2 > test.fc
.fam T
.fi
.SH NOTE
In most cases, the default block size is the same as the logical disk sector
size (nowadays, 512 bytes). Try 'fdisk \fB-l\fP' or 'gdisk \fB-l\fP /dev/<disk>' to
find the right value.
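.PP
The effect of the block size on the result, as an added Python example that is
not part of forensics-colorize and does not reproduce its algorithm or file
formats. It assumes blocks are compared for equality; the function names, the
constructed sample data and the PPM output (instead of BMP) are assumptions.
.PP
.nf
.fam C
```python
# Added illustration of block-wise comparison; not forensics-colorize's
# own code or file formats. All names below are hypothetical.
import io

def compare_blocks(a, b, block_size=512):
    """Return one bool per block: True where the block differs."""
    fa, fb = io.BytesIO(a), io.BytesIO(b)
    changed = []
    while True:
        ba, bb = fa.read(block_size), fb.read(block_size)
        if not ba and not bb:
            return changed
        # A short or missing block (size mismatch) counts as changed.
        changed.append(ba != bb)

def percent_changed(changed):
    """Share of blocks that differ, in percent."""
    return 100.0 * sum(changed) / len(changed) if changed else 0.0

def render_ppm(changed, width=100):
    """Binary PPM image: green = unchanged block, red = changed block."""
    green, red = bytes([0, 255, 0]), bytes([255, 0, 0])
    height = max(1, -(-len(changed) // width))  # ceiling division
    pixels = b"".join(red if c else green for c in changed)
    pixels += bytes(3) * (width * height - len(changed))  # black padding
    return b"P6 %d %d 255 " % (width, height) + pixels

# Constructed sample: a 4096-byte "image" and a tampered copy of it.
original = bytes(range(256)) * 16
modified = bytearray(original)
modified[512] ^= 0xFF                    # one byte flipped at offset 512
modified[3000:3010] = b"X" * 10          # ten bytes overwritten
modified = bytes(modified) + b"A" * 100  # data appended past the end

if __name__ == "__main__":
    # Columns: block size, total blocks, changed blocks, percent changed.
    for size in (512, 64):
        m = compare_blocks(original, modified, size)
        print(size, len(m), sum(m), round(percent_changed(m), 1))
```
.fam T
.fi
A smaller block size yields more blocks, so the map is larger and localizes
each change more precisely, while the reported percentage of changed blocks drops.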
.SH AUTHOR
forensics-\fBcolorize\fP was written by Jesse Kornblum <research@jessekornblum.com>.
.PP
This manual page was written by Joao Eriberto Mota Filho <eriberto@debian.org>
for the Debian project (but may be used by others).