'm trying to understand the output of hashdeep's audit mode. I performed this test (on Ubuntu, and also Windows/cygwin both hashdeep v4.4), via :
create a directory "hashtest" with two items: old.txt & changed.txt
run hashdeep on it: hashdeep -r -l hashtest/ 2>log.txt 1>hash.txt
delete old.txt, and create a new file new.txt
change the contents of changed.txt
the directory hashtest now contains: one changed file, and one new file, and one file is missing.
run hashdeep audit mode: hashdeep -vvv -r -l -a -k hash.txt hashtest/ |& tee check.log
The output is as follows:
hashtest/changed.txt: No match
hashtest/new.txt: No match
hashtest/changed.txt: Known file not used
hashtest/old.txt: Known file not used
hashdeep: Audit failed
Input files examined: 0
Known files expecting: 0
Files matched: 0
Files partially matched: 0
Files moved: 0
New files found: 2
Known files not found: 2
Here are my questions/assumptions:
Input files examined - I'm surprised this is zero. Why not 2?
Known files expecting - What does this refer to? How is it different than "Known files not found"?
Files matched - This makes sense. No files match known hashes.
Files partially matched - Also makes sense, since not running in piecewise mode.
Files moved - Also makes sense. No files match known hashes.
New files found - changed.txt appears as deleted + new. Which would make sense if filenames are ignored, and only hashes are considered relevant. But the man page seems to imply that audit mode is sensitive to filenames somehow: "-E When in audit mode, performs case insensitive matching of filenames." So are filenames considered, or not?
Known files not found - see previous note about changed.txt.
It appears that new files get "No match", deleted files get "Known file not used", and changed files get both. This requires some grepping of the logs to find changed files, which seems weird to me. If filenames are indeed considered, I'd think there'd be a "Changed files" output line.
'm trying to understand the output of hashdeep's audit mode. I performed this test (on Ubuntu, and also Windows/cygwin both hashdeep v4.4), via :
The output is as follows:
Here are my questions/assumptions:
It appears that new files get "No match", deleted files get "Known file not used", and changed files get both. This requires some grepping of the logs to find changed files, which seems weird to me. If filenames are indeed considered, I'd think there'd be a "Changed files" output line.
Can someone set me straight?