restoring dd image ...
 
Notifications
Clear all

restoring dd image to a larger hard drive

5 Posts
3 Users
0 Likes
650 Views
(@taurean25)
Posts: 62
Trusted Member
Topic starter
 

All,

I was wondering if you restore a dd image to a hard drive larger than the suspect image, the hashes will be different of course. Is there any program out there that can modify the HPA and DCO settings on a hard drive to match the size of the suspect image being restored.

I have doubts, but I wanted to see if there is something out there that can do this. The way I would approach this would be to document everything that was done during the restore procedure and indicate why the hashes don't match the forensic image.

 
Posted : 25/09/2012 10:22 pm
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

Is there any program out there that can modify the HPA and DCO settings on a hard drive to match the size of the suspect image being restored.

Sure, either MHDD or HDAT2 or Victoria would do.
BUt you can do "partial" hash (example)
https://help.ubuntu.com/community/HowToMD5SUM
by piping the exact size of the image to MD5Sum (or whatever program you use, provided it supports piping)

jaclaz

 
Posted : 25/09/2012 10:36 pm
(@taurean25)
Posts: 62
Trusted Member
Topic starter
 

ok so lets say I have a dd image that is 2gb and I restore the image to a hard drive thats 4gb, we both know that the hashes will be different on the restored hard drive.

Please forgive me,but I have never done a partial hash before, I would need to research this from the material you provided.

 
Posted : 25/09/2012 11:01 pm
(@bithead)
Posts: 1206
Noble Member
 

Why restore the dd as opposed to just mounting it read-only?

 
Posted : 26/09/2012 2:55 am
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

ok so lets say I have a dd image that is 2gb and I restore the image to a hard drive thats 4gb, we both know that the hashes will be different on the restored hard drive.

Please forgive me,but I have never done a partial hash before, I would need to research this from the material you provided.

A "dd image" is nothing but a given numbers of sectors.
If you "feed" the MD5 checksum program (presuming that we are talking of MD5) with them, the result will be the same, of course if instead you "feed" it with the "whole" hard disk to which you restored the image, you will have a different hash.
Whether the hashing program you use allows for this, is another thing.

Under windows you can

  • use dsfi to write the dd image to disk
  • use dsfo (redirecting output to nul) to check that what you have written has the same hash when read (or just use this latter if you know the exact size in bytes of the image)

DSFOK toolkit
http//members.ozemail.com.au/~nulifetv/freezip/freeware/

Example
dsfi \\.\PhyscalDrive1 0 0 myniceimg.ddOutput will be something like
OK, written 1073741824 bytes at offset 0
dsfo \\.\Physicaldrive1 0 1073741824 NULOutput will be something like
OK, 1073741824 bytes, 39.510s, MD5 = 786a48c5db7548a6bf34cb945b62ae75
Completely OT 😯 , but not much wink
http//reboot.pro/15207/

jaclaz

 
Posted : 26/09/2012 3:32 pm
Share: