Validating an image...
 

3 Posts
2 Users
0 Reactions
497 Views
(@redcellsecurity)
Eminent Member
Joined: 19 years ago
Posts: 37
Topic starter  

Let's say that I have an evidence hard drive. Let's say I run an MD5 hash of it. Let's further assume that I go ahead and use something like FTK Imager to create an image of said evidence hard drive. Were I to run an MD5 hash of the image, would it match the hash of the actual drive?

If not, how do I validate that the image is truly that of the drive?

Thanks :)


   
 dcso
(@dcso)
Eminent Member
Joined: 19 years ago
Posts: 31
 

When using FTK Imager to create the forensic image, there will be a checkbox with the option, "Verify images after they are created". Leave this checked and FTK Imager will automatically hash the image. It will tell you if the hashes match. It uses both MD5 and SHA1 by default (if I remember correctly).

If you used a write blocker and proper forensic technique when creating the image, the evidence drive and forensic image should match.

Another way to verify this is to take a second, forensically sterile hard drive and restore the image you created to this drive. You can then hash the restored drive to determine if the image (and restore) was done properly. Be sure to only hash the same amount of sectors (if the drives are different sizes) on the restored drive as were on the original evidence drive.

HTH


   
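The restore check described in the reply above, as an added example that is not part of the original posts: it hashes a raw image and then only the same sector span of a larger restored target. It assumes a raw (dd-style) image and 512-byte sectors; the function names and the sample data are constructed for illustration.

```python
import hashlib
import os
import tempfile

SECTOR = 512          # assumed logical sector size; confirm for the real drive
CHUNK = 1024 * 1024   # read size per iteration

def hash_prefix(path, n_bytes=None, algos=("md5", "sha1")):
    """Hash the first n_bytes of path (the whole file if None) with each algorithm."""
    hashers = {a: hashlib.new(a) for a in algos}
    remaining, total = n_bytes, 0
    with open(path, "rb") as f:
        while remaining is None or remaining > 0:
            block = f.read(CHUNK if remaining is None else min(CHUNK, remaining))
            if not block:
                break
            for h in hashers.values():
                h.update(block)
            total += len(block)
            if remaining is not None:
                remaining -= len(block)
    if n_bytes is not None and total != n_bytes:
        raise ValueError(f"{path}: only {total} of {n_bytes} bytes readable")
    return {a: h.hexdigest() for a, h in hashers.items()}

def verify_restore(image_path, restored_path, evidence_sectors):
    """Compare a raw image with the same sector span of a restored target."""
    span = evidence_sectors * SECTOR
    # getsize works for image files; a block device needs its size read another way
    if os.path.getsize(image_path) != span:
        raise ValueError("image size does not equal the evidence sector count")
    return hash_prefix(image_path) == hash_prefix(restored_path, span)

def demo():
    # Constructed sample: a 64-sector "evidence" image restored onto a larger
    # target whose 16 extra sectors hold bytes that are not part of the evidence.
    evidence = os.urandom(64 * SECTOR)
    with tempfile.TemporaryDirectory() as d:
        img, dst = os.path.join(d, "evidence.dd"), os.path.join(d, "restored.bin")
        with open(img, "wb") as f:
            f.write(evidence)
        with open(dst, "wb") as f:
            f.write(evidence + b"\xff" * (16 * SECTOR))
        whole_target_matches = hash_prefix(img) == hash_prefix(dst)
        return whole_target_matches, verify_restore(img, dst, 64)

if __name__ == "__main__":
    print(demo())
```

Hashing the whole larger target fails to match because the trailing sectors are included, while limiting the hash to the evidence drive's sector count matches under both MD5 and SHA-1.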
(@redcellsecurity)
Eminent Member
Joined: 19 years ago
Posts: 37
Topic starter  

Thanks for the info. I did just what you said in my test lab, and it indeed provided me with that info just as you described. I appreciate the help! :)


   