I've run into something and I've been researching for a while, but haven't come up with anything specifically useful yet. I'm imaging a CD-Rom. Using FTK Imager 2.3 I verify the drive initially to get the 'original media' hash value. Then, using FTK imager I right click on the evidence I've already brought in (D\) and click "Create Disk Image". All the details are then entered in and the disk image is created successfully. When I add the 'image' evidence into FTK imager and verify the image, the hash value doesn't match the original hash value of the D drive.
Am I missing something here? Is the media corrupt or am I? Thanks for any help.
Just a guess, but itn't the difference in hash values because of the difference in file formats (CDFS vs NTFS or FAT)?
I think you will find that the hash of the 'contents' of a CDROM will not be the same as the hash value of the resulting image file. Writing this from a mobile so can't expand easily.
Drop a line to support@accessdata.com they are always very helpful.
Nick
Unless I am mistaken FTK reads the media type data also. If this is true then unless you used the exact same media type the 2 CDs would have a different hash. My test show that if I check the hashes with CDR Inspector they are the same. Maybe someone here can confirm if I am correct or not.
It ended up being corrupt media.