Hash on drive with errors - procedures for handling


ahoog
Member
 

Hash on drive with errors - procedures for handling

Post Posted: Mar 06, 09 20:31

I'm imaging a laptop hard drive that has 5 bad sectors. Because of this, the hash (I happen to be using sha256) of the source device and the forensic image do not match. How do you handle hash signatures when a drive has errors? I see a couple of approaches and would like to see how others deal with it:

1. Hash small chunks during imaging to prove out most of the drive. Hashes for those chunks with errors will not match, as well as the hash for the overall file, but can be explained.

2. Don't hash, provide explanation of special case due to drive issues

Thanks for your input. FYI, the command I run is:

dc3dd if=/dev/sde of=/PATH/TO/CLIENT/CASE/tag1-SN/tag1-SN.dc3dd progress=on hash=sha256 hashlog=/PATH/TO/CLIENT/CASE/tag1-SN/tag1-SN/log/tag1-SN.sha256.dc3dd errlog=/PATH/TO/CLIENT/CASE/tag1-SN/tag1-SN/log/tag1-SN.err conv=sync iflag=direct

Even if I have conv=noerror,sync, the hashes still do not match. Thanks.
_________________
Andrew Hoog
viaForensics
viaforensics.com/ 
 
  

neddy
Senior Member
 

Re: Hash on drive with errors - procedures for handling

Post Posted: Mar 09, 09 03:27

If you can acquire a forensic image of the drive with another tool and the resulting image has the same hash value as the first image, then I would think you have attained the best evidence possible.

I would even say that two matching images acquired with the same tool would be good enough.
Anyone repeating your steps should get the same results unless the drive is degrading.
_________________
Neddy
Forensic Computer Analyst (LE)
BSc (Hons)
!(-.-)!~~ 
 
  

ecophobia
Senior Member
 

Re: Hash on drive with errors - procedures for handling

Post Posted: Apr 08, 09 15:36

Another possible option is to use hashconv=after and get hash values after bad sectors are padded with 00.  
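
An added example (not from any poster in this thread, and not dc3dd's own code) of the piecewise approach from option 1 combined with comparing two acquisitions: it hashes both reads in fixed-size chunks and separates mismatches that fall on logged bad sectors from ones that do not. The 512-byte sector size, the 4096-byte chunk size, the function names and the in-memory sample data are assumptions constructed for illustration.

```python
import hashlib
import io

SECTOR = 512  # bytes per sector (assumed)

def piecewise_hashes(stream, chunk_size):
    """Return ([(offset, sha256 hex), ...], whole-stream sha256 hex)."""
    whole, pieces, offset = hashlib.sha256(), [], 0
    while block := stream.read(chunk_size):
        whole.update(block)
        pieces.append((offset, hashlib.sha256(block).hexdigest()))
        offset += len(block)
    return pieces, whole.hexdigest()

def compare(first, second, chunk_size, bad_sectors):
    """Classify each chunk as verified, explained by a logged bad sector, or unexplained."""
    if chunk_size % SECTOR:
        raise ValueError("chunk_size must be a multiple of the sector size")
    a_pieces, a_whole = piecewise_hashes(first, chunk_size)
    b_pieces, b_whole = piecewise_hashes(second, chunk_size)
    if len(a_pieces) != len(b_pieces):
        raise ValueError("acquisitions differ in length")
    # Byte offsets of the chunks that contain a sector listed in the error log.
    bad_offsets = {(s * SECTOR // chunk_size) * chunk_size for s in bad_sectors}
    report = {"whole_match": a_whole == b_whole, "verified": 0,
              "explained": [], "unexplained": []}
    for (offset, a), (_, b) in zip(a_pieces, b_pieces):
        if a == b:
            report["verified"] += 1
        elif offset in bad_offsets:
            report["explained"].append(offset)
        else:
            report["unexplained"].append(offset)
    return report

def zero_sectors(data, sectors):
    """Constructed helper: overwrite the given sectors with 0x00 padding."""
    buf = bytearray(data)
    for s in sectors:
        buf[s * SECTOR:(s + 1) * SECTOR] = bytes(SECTOR)
    return bytes(buf)

# Constructed sample: a 64-sector "drive" with bad sectors 10 and 37.
BAD = [10, 37]
DRIVE = bytes((i * 7 + 3) % 256 for i in range(64 * SECTOR))
IMAGE = zero_sectors(DRIVE, BAD)  # image with unreadable sectors zero-padded

def demo():
    return compare(io.BytesIO(DRIVE), io.BytesIO(IMAGE), 4096, BAD)

if __name__ == "__main__":
    print(demo())
```

Any offset reported under `unexplained` is a difference that the error log does not account for and needs its own explanation in the case notes.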
 
