
FTK Imager and "N/A: bad blocks found in image"

pakim
(@pakim)
Posts: 30
Eminent Member
Topic starter
 

Hello guys,

a quick question about EWF image verification in FTK Imager. I was verifying the content of an image with the "Verify Drive/Image" command on FTK Imager and the verification failed. The "Computed Hash" is different from the "Stored verification hash", there's a "Bad Block List" populated with sector information about "Bad Block(s) in image" and the "Verify Result" states as follows "N/A bad blocks found in image". Does that mean that the image is faulty - i.e. there are bad sectors on the disk the image was stored on? The forensic acquisition report does not mention errors or bad sectors, which led me to presume the copy was good.

Furthermore, if I check the image with X-Ways Forensics, the "hash-recomputed" gives an error BUT the computed hash is different from the one calculated by FTK Imager and there's no mention of bad sectors… O_o

Thanks!

 
Posted : 14/07/2019 8:39 am
(@athulin)
Posts: 1156
Noble Member
 

> The "Computed Hash" is different from the "Stored verification hash", there's a "Bad Block List" populated with sector information about "Bad Block(s) in image" and the "Verify Result" states as follows "N/A bad blocks found in image". Does that mean that the image is faulty - i.e. there are bad sectors on the disk the image was stored on?

That's difficult to answer – it depends on how the image was produced, and what the tool used did if/when it encountered a bad sector.

However, in general, it does mean that the checksums/hashes computed at the time the image was created and stored inside the file do not match the checksums/hashes computed by FTK from the blocks stored in that image. Something has happened to the file since then.

Possibilities: a) the sector data was damaged, b) the sector data is OK, but the stored hash was damaged, or c) both were damaged.

So the image file is damaged, and should not be used further. Archive it just in case you need it later. Fall back on the gold image … if you have one. (If not, now you know why you do need one.)

I would not use even blocks that are not reported to be damaged, unless you know exactly what you're doing. You need to explain why it is safe to do so … and I don't think it is, except perhaps in very unusual circumstances.

> The forensic acquisition report does not mention errors or bad sectors, which led me to presume the copy was good.

Well, that depends on the tool that created the image. I assume you know it well enough to make that interpretation.

 
Posted : 14/07/2019 11:10 am
(@jahearne)
Posts: 35
Eminent Member
 

I used to get that error often. It could be a bad USB connection, one byte could be off on any one of your image file segments, hard drive going bad, a number of different issues.

I've had that error go away by just changing workstations or rebooting and using a different USB port. If this issue is a problem, try using EnCase Imager for verification. The difference being that EnCase Imager will report which file segment is bad. Just replace that bad file segment and re-verify.

 
Posted : 06/08/2019 6:27 pm
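
Both replies come down to comparing the working copy against a known-good one: falling back on the gold image, or replacing only the damaged segment file. As an added example (not posted by anyone in this thread), the Python script below hashes each segment file in two directories and lists the segments that differ; the directory layout, the `case.E01`-style names and the glob pattern are assumptions, and the sample data is constructed.

```python
import hashlib
import tempfile
from pathlib import Path


def file_sha256(path, bufsize=1 << 20):
    """Stream a file through SHA-256 so large segments never load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(bufsize), b""):
            h.update(block)
    return h.hexdigest()


def segment_digests(directory, pattern="*.E[0-9][0-9]"):
    """Map segment file name -> SHA-256. The pattern is an assumption (E01..E99)."""
    return {p.name: file_sha256(p) for p in sorted(Path(directory).glob(pattern))}


def compare_copies(work_dir, gold_dir):
    """Return (segment, status) for each segment that differs between the copies."""
    work, gold = segment_digests(work_dir), segment_digests(gold_dir)
    report = []
    for name in sorted(set(work) | set(gold)):
        if name not in work:
            report.append((name, "missing in working copy"))
        elif name not in gold:
            report.append((name, "missing in gold copy"))
        elif work[name] != gold[name]:
            report.append((name, "mismatch"))
    return report


def demo():
    """Constructed sample: three fake segments, one byte flipped in the working E02."""
    with tempfile.TemporaryDirectory() as tmp:
        gold, work = Path(tmp, "gold"), Path(tmp, "work")
        for d in (gold, work):
            d.mkdir()
            for i in range(1, 4):
                (d / f"case.E{i:02d}").write_bytes(bytes([i]) * 4096)
        damaged = bytearray((work / "case.E02").read_bytes())
        damaged[100] ^= 0x01  # simulate a single-byte error in storage or transfer
        (work / "case.E02").write_bytes(damaged)
        return compare_copies(work, gold)


if __name__ == "__main__":
    for name, status in demo():
        print(f"{name}: {status}")
```

A segment whose digest matches the gold copy is byte-for-byte identical to it; the image as a whole still has to be re-verified after any segment is replaced.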