Hashing a multi-par...
 
Notifications
Clear all

Hashing a multi-partition hard drive with a TD2u

5 Posts
3 Users
0 Likes
1,006 Views
(@skywalker)
Posts: 152
Reputable Member
Topic starter
 

My doubt is the following

I have a multi-partition SATA HDD and I want to obtain the SHA-1 hash with my TD2u. The obtained hash is given for both partitions or for the first one? I certainly believe it calculates the hash for the whole drive but I would like you to confirm it.

Thanks!

 
Posted : 16/04/2015 8:28 pm
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

My doubt is the following

I have a multi-partition SATA HDD and I want to obtain the SHA-1 hash with my TD2u. The obtained hash is given for both partitions or for the first one? I certainly believe it calculates the hash for the whole drive but I would like you to confirm it.

Thanks!

I know it is confusing, but there is a common misunderstanding in the terms used.
The "whole thing" is a hard disk drive (object \\.\PhysicalDrive) is a DISK (think of diskpart, disk manager)
The objects inside a DISK are Volumes.
The object that gets a drive letter is a volume (object \\.\Logicaldrive).

A volume can be (almost) exactly the same as the partition (if the partition is primary).

It depends on how the Author of a given tool "thinks" of the object, in the case of a NTFS formatted volume the volume is always one sector smaller than the partition (because the last sector, outside the filesystem but inside the partition area) is the $BootMirr (i.e. a copy of the first sector of the $Boot or botsector or PBR/VBR).

JFYI, additionally there may be a few sectors inside the volume but outside the filesystem, see
http//www.forensicfocus.com/Forums/viewtopic/t=9374/

Normally you image (and thus hash) the "whole thing", the "device", i.e. the hard disk drive from first to last sector accessible of the whole device.

jaclaz

 
Posted : 16/04/2015 10:48 pm
(@bithead)
Posts: 1206
Noble Member
 

If you reference page 31 of the Tableau TD2u Version 1.01 User's Guide you will see the hashing function "can generate an MD5 and SHA-1 hash value for the hard disk attached to the source side of the TD2u." "This is the same as the TD2u's behavior during duplication."

 
Posted : 17/04/2015 5:13 am
(@skywalker)
Posts: 152
Reputable Member
Topic starter
 

My doubt is the following

I have a multi-partition SATA HDD and I want to obtain the SHA-1 hash with my TD2u. The obtained hash is given for both partitions or for the first one? I certainly believe it calculates the hash for the whole drive but I would like you to confirm it.

Thanks!

I know it is confusing, but there is a common misunderstanding in the terms used.
The "whole thing" is a hard disk drive (object \\.\PhysicalDrive) is a DISK (think of diskpart, disk manager)
The objects inside a DISK are Volumes.
The object that gets a drive letter is a volume (object \\.\Logicaldrive).

A volume can be (almost) exactly the same as the partition (if the partition is primary).

It depends on how the Author of a given tool "thinks" of the object, in the case of a NTFS formatted volume the volume is always one sector smaller than the partition (because the last sector, outside the filesystem but inside the partition area) is the $BootMirr (i.e. a copy of the first sector of the $Boot or botsector or PBR/VBR).

JFYI, additionally there may be a few sectors inside the volume but outside the filesystem, see
http//www.forensicfocus.com/Forums/viewtopic/t=9374/

Normally you image (and thus hash) the "whole thing", the "device", i.e. the hard disk drive from first to last sector accessible of the whole device.

jaclaz

Thank you.

So the answer is… it hashes the whole disk, isn't it?

 
Posted : 21/04/2015 1:46 pm
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

Thank you.

So the answer is… it hashes the whole disk, isn't it?

Yep ) , to be picky, it hashes EXACTLY *whatever* is transferred through it or for which a "simulated" transfer (i.e. the hashing) is done, and the only "object" you can select for imaging/cloning or hashing is the "whole disk", actually including (if any) the HPA which is disabled automatically (without altering the "source" disk).

jaclaz

 
Posted : 22/04/2015 9:15 pm
Share: