My doubt is the following:
I have a multi-partition SATA HDD and I want to obtain the SHA-1 hash with my TD2u. Is the obtained hash given for both partitions or only for the first one? I certainly believe it calculates the hash for the whole drive, but I would like you to confirm it.
Thanks!
I know it is confusing, but there is a common misunderstanding in the terms used.
The "whole thing", a hard disk drive (object \\.\PhysicalDrive), is a DISK (think of diskpart, disk manager).
The objects inside a DISK are Volumes.
The object that gets a drive letter is a volume (object \\.\Logicaldrive).
A volume can be (almost) exactly the same as the partition (if the partition is primary).
It depends on how the author of a given tool "thinks" of the object; in the case of an NTFS formatted volume, the volume is always one sector smaller than the partition (because the last sector, outside the filesystem but inside the partition area, is the $BootMirr, i.e. a copy of the first sector of the $Boot or bootsector or PBR/VBR).
JFYI, additionally there may be a few sectors inside the volume but outside the filesystem, see
http://www.forensicfocus.com/Forums/viewtopic/t=9374/
Normally you image (and thus hash) the "whole thing", the "device", i.e. the hard disk drive from first to last sector accessible of the whole device.
jaclaz
If you reference page 31 of the
Thank you.
So the answer is… it hashes the whole disk, isn't it?
Yep, to be picky, it hashes EXACTLY *whatever* is transferred through it or for which a "simulated" transfer (i.e. the hashing) is done, and the only "object" you can select for imaging/cloning or hashing is the "whole disk", actually including (if any) the HPA, which is disabled automatically (without altering the "source" disk).
jaclaz
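
The whole-device versus per-partition distinction discussed in this thread, as an added example that is not part of the original posts or of any imaging tool's code: a constructed 64-sector MBR image with two partitions is hashed as a whole device and per partition, then one byte in unpartitioned space is changed. The layout, sizes and function names are assumptions made for the illustration.

```python
import hashlib
import struct

SECTOR = 512

def build_image(total_sectors=64):
    """Constructed sample: MBR, two primary partitions, unpartitioned gaps."""
    img = bytearray(total_sectors * SECTOR)
    parts = [(0x07, 8, 16), (0x07, 32, 24)]  # (type, start LBA, sector count)
    for i, (ptype, start, count) in enumerate(parts):
        # 16-byte MBR entry: status, CHS start, type, CHS end, LBA start, size
        entry = struct.pack("<B3sB3sII", 0, b"\0\0\0", ptype, b"\0\0\0", start, count)
        img[446 + 16 * i:446 + 16 * (i + 1)] = entry
        # Fill the partition area with recognisable data ("A...", "B...")
        img[start * SECTOR:(start + count) * SECTOR] = bytes([0x41 + i]) * (count * SECTOR)
    img[510:512] = b"\x55\xaa"  # MBR boot signature
    return img

def partitions(img):
    """Return (start LBA, sector count) for each non-empty MBR entry."""
    if img[510:512] != b"\x55\xaa":
        raise ValueError("no MBR boot signature")
    found = []
    for i in range(4):
        entry = img[446 + 16 * i:462 + 16 * i]
        start, count = struct.unpack_from("<II", entry, 8)
        if entry[4] != 0 and count:
            found.append((start, count))
    return found

def sha1_range(img, start=0, count=None):
    """SHA-1 of a sector range; with no count, from start to the last sector."""
    end = len(img) if count is None else (start + count) * SECTOR
    return hashlib.sha1(img[start * SECTOR:end]).hexdigest()

def report(img):
    """Whole-device hash plus one hash per partition."""
    return {"disk": sha1_range(img),
            "partitions": [sha1_range(img, s, c) for s, c in partitions(img)]}

if __name__ == "__main__":
    img = build_image()
    before = report(img)
    img[28 * SECTOR] ^= 0xFF  # flip one byte in the gap between the partitions
    after = report(img)
    print("whole-disk hash changed:", before["disk"] != after["disk"])
    print("partition hashes changed:", before["partitions"] != after["partitions"])
```

Only the first-to-last-sector hash covers the MBR and the gaps between and after partitions, which is why a per-partition hash cannot stand in for the device hash when verifying an image.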