Hash Program Question

TMD22
(@tmd22)
Posts: 41
Eminent Member
Topic starter
 

I was wondering what others use as a program for hashing (MD5/SHA).

I use Checksum, but that runs in the DOS mode to check the suspect HDD before and after I use FTK Imager to create the image. This removes all doubt that the data was tampered with.

My issue is Checksum produces one sum, and FTK produces both an MD5 and SHA hash in an embedded file after you image the suspect HDD. This is also another sum. I am looking for a program (md5 or SHA) that I can use to hash the HDD before and after the FTK image, that will exactly match the FTK sum.

Any ideas or input is welcome.

Mark

 
Posted : 30/11/2006 3:02 am
deckard
(@deckard)
Posts: 77
Trusted Member
 

You can hash the drive before you image it with FTK. If you have your WB in place you can add the disk as an evidence item and hash it in FTK. The hash should come out the same UNLESS you are making changes in some way. Even images not captured in FTK will hash out in FTK unless changes have been made. The embedded info isn't computed in the hash.

 
Posted : 30/11/2006 6:07 am
az_gcfa
(@az_gcfa)
Posts: 116
Estimable Member
 

You can use DCFLDD to create a "DD image" of the HDD and generate the MD5SUM value. I do not think there are any DOS based MD5Sum programs that will allow you access to the physical level of the drive.

I tried creating a Bart-PE CD with various utilities DD and MD5Sum. For some reason the device names in the utilities did not match with the Bart-PE device names. I also got input file errors.

I prefer to image and verify MD5Sums with linux based boot-cd utilities.

However, I am beginning to like the flexibility of FTK-Imager; the directory and file listing option when imaging is a nice feature.

 
Posted : 30/11/2006 7:14 am
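The before/after comparison discussed in this thread, as an added example that is not from any of the posters or from the tools they name: it hashes a source and a raw image (single file or split segments read in order) with MD5 and SHA-1 in one pass and reports whether they match. The file names and the constructed random data stand in for a real drive; on a Linux boot CD the source path would be the write-blocked device node, which is an assumption here.

```python
import hashlib
import os
import tempfile

CHUNK = 1024 * 1024  # 1 MiB reads, so a whole drive never has to fit in memory


def hash_stream(paths, algorithms=("md5", "sha1")):
    """Hash the concatenation of paths, in order, with every algorithm in one pass."""
    digests = {name: hashlib.new(name) for name in algorithms}
    total = 0
    for path in paths:
        with open(path, "rb") as fh:
            for block in iter(lambda: fh.read(CHUNK), b""):
                total += len(block)
                for digest in digests.values():
                    digest.update(block)
    return {name: d.hexdigest() for name, d in digests.items()}, total


def verify(source_paths, image_paths):
    """Return (match, source_hashes, image_hashes); byte counts must agree too."""
    src, src_len = hash_stream(source_paths)
    img, img_len = hash_stream(image_paths)
    return src == img and src_len == img_len, src, img


def demo():
    """Constructed data: a stand-in 'drive', a split raw image, a tampered copy."""
    with tempfile.TemporaryDirectory() as tmp:
        data = os.urandom(3 * CHUNK + 512)
        drive = os.path.join(tmp, "drive.raw")  # hypothetical stand-in for the device
        with open(drive, "wb") as fh:
            fh.write(data)
        segments = []
        for i in range(0, len(data), CHUNK + 4096):  # uneven split: image.001, .002, ...
            seg = os.path.join(tmp, "image.%03d" % (len(segments) + 1))
            with open(seg, "wb") as fh:
                fh.write(data[i:i + CHUNK + 4096])
            segments.append(seg)
        tampered = os.path.join(tmp, "tampered.raw")
        with open(tampered, "wb") as fh:
            fh.write(data[:100] + bytes([data[100] ^ 1]) + data[101:])  # one bit flipped
        return verify([drive], segments)[0], verify([drive], [tampered])[0]


if __name__ == "__main__":
    print(demo())
```

The hashes cover only the raw data stream, so any tool that hashes the same bytes in the same order produces the same MD5 and SHA-1 values.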