FTK imager and Live acquisition dd return different hashes

11 Posts
3 Users
0 Likes
1,981 Views
knight7
(@knight7)
Posts: 15
Active Member
Topic starter
 

I am using the latest Helix build and running on Windows XP. I am imaging a 2GB thumb drive and getting 2 different hash values from FTK imager and Helix live acquisition dd. The only thing I can think of is the option conv=noerror is included in the dd command. Not sure what exact command FTK is using. I made an image with dcfldd also and it returned the same hash as FTK. Here are the logs, FTK is first and then dd. Please reply if you have any idea. I have full admin on the machine.

Information for C:\Forensic Image\ddimage
Physical Evidentiary Item (Source) Information
[Drive Geometry]
Cylinders 250
Tracks per Cylinder 255
Sectors per Track 63
Bytes per Sector 512
Sector Count 4,028,416
[Physical Drive Information]
Drive Model Memorex TRAVELDRIVE 005B USB Device
Drive Interface Type USB
Source data size 1967 MB
Sector count 4028416
[Computed Hashes]
MD5 checksum e93420c7017b59946f73e2eb8a7e6658
SHA1 checksum 75f01f0aef606244cd40160a8783a428bbd9b2b8

Image Information
Segment list
C:\Forensic Image\ddimage.001
C:\Forensic Image\ddimage.002
C:\Forensic Image\ddimage.003
C:\Forensic Image\ddimage.004

Fri Sep 05 21:26:07 2008 - Image Verification Results
MD5 checksum e93420c7017b59946f73e2eb8a7e6658 verified
SHA1 checksum 75f01f0aef606244cd40160a8783a428bbd9b2b8 verified

Forensic Acquisition Utilities, 1, 0, 0, 1035
dd, 3, 16, 2, 1035
Copyright (C) 2002-2004 George M. Garner Jr.

Command Line dd.exe if=\\.\E: of="C:\Forensic Acquisition\thumbimage.dd" conv=noerror --md5sum --verifymd5 --md5out="C:\Forensic Acquisition\thumbimage.dd.md5" --log="C:\Forensic Acquisition\thumbimage.dd_audit.log"
Based on original version developed by Paul Rubin, David MacKenzie, and Stuart Kemp
Microsoft Windows Version 5.1 (Build 2600.Professional Service Pack 3)

06/09/2008 02:07:24 (UTC)
05/09/2008 22:07:24 (local time)

Current User user

Disk Memorex TRAVELDRIVE 005B (S/N )
Geometry
Cylinders 250
Tracks per Cylinder 255
Sectors per Track 63
Bytes per Sector 512
Total Size 2014208 KB
Media Type Removable media other than floppy

Partition Information
Partition Count 4
Style MBR
Signature 217934C

Partition 1
Starting Offset 0000000000007e00
Length 0000002062516736
Type Extended INT13
Bootable? Yes

Copying \\.\E: to C:\Forensic Acquisition\thumbimage.dd…
D:\IR\FAU\dd.exe
\\.\E: (offset 0x7aef8200)
\e1193c55c13ba388d25e7b002db65382 [\\\\.\\E:] *C:\\Forensic Acquisition\\thumbimage.dd

Verifying output file…
\e1193c55c13ba388d25e7b002db65382 [\\\\.\\E:] *C:\\Forensic Acquisition\\thumbimage.dd
The checksums do match.

Output C:\Forensic Acquisition\thumbimage.dd 2062516736/2062516736 bytes (compressed/uncompressed)
503544+1 records in
503544+1 records out

 
Posted : 12/09/2008 1:39 am
psu89
(@psu89)
Posts: 118
Estimable Member
 

Are you running Helix in Windows or booting to the Helix CD?

 
Posted : 12/09/2008 2:09 am
knight7
(@knight7)
Posts: 15
Active Member
Topic starter
 

running helix in windows, sorry

 
Posted : 12/09/2008 2:57 am
psu89
(@psu89)
Posts: 118
Estimable Member
 

running helix in windows, sorry

Write Blocker?

 
Posted : 12/09/2008 3:48 am
knight7
(@knight7)
Posts: 15
Active Member
Topic starter
 

disabled USB write in registry, tested to make sure I couldn't write to drive. I also tried this a second time after writing a file to the drive, same hash with ftk and dcfldd but different on Helix dd.

 
Posted : 12/09/2008 3:59 am
psu89
(@psu89)
Posts: 118
Estimable Member
 

disabled USB write in registry, tested to make sure I couldn't write to drive. I also tried this a second time after writing a file to the drive, same hash with ftk and dcfldd but different on Helix dd.

I re-read your post. I thought you were saying the hashes didn't verify, but now I understand that each tool did verify but each gives a different hash.

I read about this somewhere, just need to remember where.

EDIT read this http://www.forensicfocus.com/index.php?name=Forums&file=viewtopic&t=2519&view=next

From your log files, it looks like the total size on each acquisition is different.

 
Posted : 12/09/2008 7:31 am
(@bjgleas)
Posts: 114
Estimable Member
 

running helix in windows, sorry

It appears that the FTK is doing a physical drive capture, while dd.exe is capturing only the logical drive (E:).

In dd, it shows 4 partitions, but then indicates it is only grabbing partition 1, rather than the whole drive.

 
Posted : 12/09/2008 8:49 am
knight7
(@knight7)
Posts: 15
Active Member
Topic starter
 

Ah, I do see that, why would Helix dd only grab the first partition? Also going through the GUI there is no way to change the command. So compared to FTK imager or dcfldd why would I use the live acquisition to make an image if I am not sure it will return all the partition information?

 
Posted : 12/09/2008 5:47 pm
psu89
(@psu89)
Posts: 118
Estimable Member
 

In the Helix dd gui, source should be \\.\PhysicalDrive#

 
Posted : 12/09/2008 6:38 pm
(@bjgleas)
Posts: 114
Estimable Member
 

Ah, I do see that, why would Helix dd only grab the first partition? Also going through the GUI there is no way to change the command. So compared to FTK imager or dcfldd why would I use the live acquisition to make an image if I am not sure it will return all the partition information?

It is the naming convention you used. Since you said if=\\.\E:, that uses the logical drive E:, which is typically a single partition. To grab the whole drive, you want to specify if=\\.\PhysicalDriveX where X is 0,1,2… You can find the physical drive number by looking in Administrative Tools / Computer Management / Disk Management control panel.

 
Posted : 12/09/2008 7:05 pm
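Editor's note: the explanation above (logical volume E: versus the whole physical drive) can be checked against the figures in the two logs, and the relationship between the two images can be shown on a constructed drive image. The Python below is an added example, not code from this thread, from Helix, FAU dd or FTK Imager. The three constants at the top are copied from the logs; the 4,096-sector drive, its single partition starting at LBA 63 and the filler bytes are constructed here for illustration. It parses the MBR partition table, slices out partition 1 the way \\.\E: exposes it, and hashes both ranges.

```python
import hashlib
import struct

SECTOR = 512

# Figures copied from the two logs in the thread (not constructed):
FTK_SECTOR_COUNT = 4_028_416      # FTK Imager "Sector Count" for the physical drive
DD_BYTES_COPIED = 2_062_516_736   # FAU dd "Output ... bytes" for the logical drive E:
DD_PART1_OFFSET = 0x7E00          # FAU dd "Starting Offset" of partition 1


def reconcile_sizes(physical_sectors, logical_bytes):
    """Compare a physical-drive image with a logical-volume image of the same
    media. Returns (physical_bytes, gap_bytes, gap_sectors). When gap_bytes
    equals the partition's starting offset, the logical image is the physical
    image minus everything before the partition (MBR plus track-0 slack)."""
    physical_bytes = physical_sectors * SECTOR
    gap = physical_bytes - logical_bytes
    return physical_bytes, gap, gap // SECTOR


def mbr_partitions(mbr):
    """Return [(index, type, lba_start, lba_count)] for the used entries of a
    classic MBR partition table (4 x 16-byte entries at offset 446)."""
    if len(mbr) < SECTOR or mbr[510:512] != b"\x55\xaa":
        raise ValueError("no 0x55AA signature: not an MBR")
    parts = []
    for i in range(4):
        off = 446 + 16 * i
        ptype = mbr[off + 4]
        lba_start, lba_count = struct.unpack_from("<II", mbr, off + 8)
        if ptype != 0 and lba_count != 0:
            parts.append((i + 1, ptype, lba_start, lba_count))
    return parts


def build_mbr(lba_start, lba_count, ptype=0x0C, bootable=True):
    """Constructed MBR with one partition entry. CHS fields are left zero;
    only the LBA fields matter for this demonstration."""
    entry = bytes([0x80 if bootable else 0x00, 0, 0, 0, ptype, 0, 0, 0])
    entry += struct.pack("<II", lba_start, lba_count)
    mbr = bytearray(SECTOR)
    mbr[446:462] = entry
    mbr[510:512] = b"\x55\xaa"
    return bytes(mbr)


def make_physical_image(total_sectors, part_start_lba):
    """Constructed toy 'physical drive': sector 0 is the MBR, the sectors up
    to part_start_lba are the unpartitioned gap, the rest is the volume."""
    filler = bytes((i * 131 + 7) & 0xFF for i in range((total_sectors - 1) * SECTOR))
    return build_mbr(part_start_lba, total_sectors - part_start_lba) + filler


def md5_hex(data):
    return hashlib.md5(data).hexdigest()


def compare_images(physical):
    """Hash the whole physical image and the byte range of partition 1, which
    is what a logical-volume device such as E: exposes to dd."""
    parts = mbr_partitions(physical[:SECTOR])
    _, _, lba_start, lba_count = parts[0]
    logical = physical[lba_start * SECTOR:(lba_start + lba_count) * SECTOR]
    return {
        "partitions": parts,
        "physical_bytes": len(physical),
        "logical_bytes": len(logical),
        "gap_bytes": len(physical) - len(logical),
        "partition1_offset": lba_start * SECTOR,
        "physical_md5": md5_hex(physical),
        "logical_md5": md5_hex(logical),
    }


if __name__ == "__main__":
    phys_bytes, gap, gap_sectors = reconcile_sizes(FTK_SECTOR_COUNT, DD_BYTES_COPIED)
    print(f"FTK physical image: {phys_bytes} bytes; dd logical image: {DD_BYTES_COPIED} bytes")
    print(f"difference: {gap} bytes = {gap_sectors} sectors = 0x{gap:x} "
          f"(partition 1 offset in the dd log: 0x{DD_PART1_OFFSET:x})")
    for key, value in compare_images(make_physical_image(4096, 63)).items():
        print(f"{key}: {value}")
```

On the thread's own numbers the difference is 32,256 bytes, exactly 63 sectors and exactly the 0x7e00 starting offset dd reported for partition 1, so the dd image is the physical image with the MBR and track-0 slack cut off; a hash over a strict sub-range cannot agree with the hash over the whole device, which is what the toy image reproduces. The conv=noerror option is not involved: the dd log shows the same "503544+1" records in and out, so no block was dropped or padded.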
Page 1 / 2