All,
I was wondering if you restore a dd image to a hard drive larger than the suspect image, the hashes will be different of course. Is there any program out there that can modify the HPA and DCO settings on a hard drive to match the size of the suspect image being restored?
I have doubts, but I wanted to see if there is something out there that can do this. The way I would approach this would be to document everything that was done during the restore procedure and indicate why the hashes don't match the forensic image.
Is there any program out there that can modify the HPA and DCO settings on a hard drive to match the size of the suspect image being restored?
Sure, either MHDD or HDAT2 or Victoria would do.
But you can do a "partial" hash (example)
https://
by piping the exact size of the image to MD5Sum (or whatever program you use, provided it supports piping)
jaclaz
OK, so let's say I have a dd image that is 2gb and I restore the image to a hard drive that's 4gb; we both know that the hashes will be different on the restored hard drive.
Please forgive me, but I have never done a partial hash before; I would need to research this from the material you provided.
Why restore the dd as opposed to just mounting it read-only?
OK, so let's say I have a dd image that is 2gb and I restore the image to a hard drive that's 4gb; we both know that the hashes will be different on the restored hard drive.
Please forgive me, but I have never done a partial hash before; I would need to research this from the material you provided.
A "dd image" is nothing but a given number of sectors.
If you "feed" the MD5 checksum program (presuming that we are talking of MD5) with them, the result will be the same; of course, if instead you "feed" it with the "whole" hard disk to which you restored the image, you will have a different hash.
Whether the hashing program you use allows for this is another thing.
Under Windows you can:
- use dsfi to write the dd image to disk
- use dsfo (redirecting output to nul) to check that what you have written has the same hash when read (or just use this latter if you know the exact size in bytes of the image)
DSFOK toolkit
http//
Example:
dsfi \\.\PhysicalDrive1 0 0 myniceimg.dd
Output will be something like:
OK, written 1073741824 bytes at offset 0
dsfo \\.\PhysicalDrive1 0 1073741824 NUL
Output will be something like:
OK, 1073741824 bytes, 39.510s, MD5 = 786a48c5db7548a6bf34cb945b62ae75
Completely OT 😯 , but not much wink
http//
jaclaz
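The partial hash discussed in this thread, as an added example that is not part of any poster's message: it hashes only the first N bytes of the restored target, where N is the image size, and compares that with the image hash and the whole-target hash. The function name `hash_prefix`, the file names and the 2 MiB / 4 MiB sizes are constructed for illustration.

```python
import hashlib
import os
import tempfile

CHUNK = 1024 * 1024  # read 1 MiB at a time

def hash_prefix(path, length, algo="md5"):
    """Hash only the first `length` bytes of a file or raw device."""
    h = hashlib.new(algo)
    remaining = length
    with open(path, "rb") as f:
        while remaining > 0:
            block = f.read(min(CHUNK, remaining))
            if not block:
                # Target is smaller than the image: the restore cannot be complete.
                raise ValueError(f"{path} ends {remaining} bytes short of {length}")
            h.update(block)
            remaining -= len(block)
    return h.hexdigest()

def demo():
    """Restore a constructed 2 MiB 'image' onto a constructed 4 MiB 'drive'."""
    with tempfile.TemporaryDirectory() as d:
        image = os.path.join(d, "image.dd")   # constructed sample image
        drive = os.path.join(d, "drive.bin")  # constructed stand-in for the larger disk
        with open(image, "wb") as f:
            f.write(os.urandom(2 * 1024 * 1024))
        with open(drive, "wb") as f:
            f.write(b"\xff" * (4 * 1024 * 1024))  # stale data already on the target
        size = os.path.getsize(image)
        with open(image, "rb") as src, open(drive, "r+b") as dst:
            dst.write(src.read())                 # restore at offset 0
        return {
            "image": hash_prefix(image, size),
            "drive_partial": hash_prefix(drive, size),
            "drive_whole": hash_prefix(drive, os.path.getsize(drive)),
        }

if __name__ == "__main__":
    for name, digest in demo().items():
        print(f"{name:14} {digest}")
```

The length passed for the target comes from the image file, not from the target, so the same call works when `path` is a raw device whose reported size is larger than the image.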