Hi all.
Another mind twister for you geniuses to have a crack at.
I'm looking at some 10 images of USB cards. After hashing, these fall into 4 groups. We were told that they were bit for bit copied so they would be exactly the same - of course they are not, hence why we are here!
Within the four groups there are the core files which are fine. Then there are the odd one or two missing or added - can't be bit for bit copied then, can it? These drives have not been used since coming to us and I am using a write blocker.
Then there is file X which is on EVERY USB device. It is deleted, and has been written over and is just an artefact left behind.
I now have the question: if this wasn't a bit for bit copy, but this artefact has found its way onto every card, then how did it get there?
Any ideas?
Were the drives plugged into a PC without any kind of write blocking?
Windows loves to write or update a few bits of information when it mounts the drive.
Virus checking can also make a few changes.
> Im looking at some 10 images of USB cards
Were there 10 physical cards and 1 image per card?
If there were 10 physical cards, is there any reason they should have had the same content before the image was taken?
Or are you saying you have 10 images, of the same card, and that is why you have an expectation that each image should be identical, because they all came from the same source?
I am thinking I don't understand something…
Have you checked to make sure the LBA of each drive is the same? If they are 10 physically separate devices there could be a difference in padding when copying over that could explain the different hash values.
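As an added example (not code from any poster in this thread), a small Python triage script that does what the replies above suggest: hash each image, group identical ones, report which sectors differ between two images and whether the difference is content or a size/padding mismatch, and list the non-blank sectors that are identical in every image (the "same physical location" artefact). The image bytes are constructed inline as sample data, not real evidence.

```python
import hashlib
from collections import defaultdict

SECTOR = 512  # assumed logical sector size of the imaged devices


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def group_by_hash(images: dict) -> dict:
    """Map each distinct image hash to the names of the images sharing it."""
    groups = defaultdict(list)
    for name, data in images.items():
        groups[sha256(data)].append(name)
    return dict(groups)


def differing_sectors(a: bytes, b: bytes, sector: int = SECTOR) -> list:
    """(sector number, reason) for every sector where the two images differ."""
    out = []
    for off in range(0, max(len(a), len(b)), sector):
        sa, sb = a[off:off + sector], b[off:off + sector]
        if sa != sb:
            reason = "content" if len(sa) == len(sb) else "size/padding"
            out.append((off // sector, reason))
    return out


def sectors_identical_everywhere(images: dict, sector: int = SECTOR) -> list:
    """Non-blank sectors whose bytes match at the same offset in all images."""
    datas = list(images.values())
    count = min(len(d) for d in datas) // sector
    hits = []
    for i in range(count):
        chunk = datas[0][i * sector:(i + 1) * sector]
        if chunk.strip(b"\x00") and all(d[i * sector:(i + 1) * sector] == chunk for d in datas):
            hits.append(i)
    return hits


def build_sample_images() -> dict:
    """Constructed sample data: four 8-sector 'images' with the faults discussed."""
    base = bytearray(SECTOR * 8)
    base[SECTOR * 5:SECTOR * 5 + 10] = b"ARTEFACT_X"     # deleted-file remnant on every card
    card03 = bytearray(base)
    card03[SECTOR * 2:SECTOR * 2 + 9] = b"EXTRA.TXT"       # one card carries an extra file
    card04 = bytes(base) + bytes(SECTOR)                   # one card has a trailing padding sector
    return {"card01": bytes(base), "card02": bytes(base),  # true bit-for-bit duplicates
            "card03": bytes(card03), "card04": card04}
```

Run on real images, `group_by_hash` gives the "4 groups" view and `differing_sectors` shows whether a group differs by file content or merely by image length.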
My comments are second-hand, based upon info mentioned to me. I can put you in touch with the original source should it be necessary.
Variation in hash values has been noted when imaging the same target storage media (HDD etc). The varying hash values, I was told, were put down to which system / OS was used to image the target storage media.
So assuming you used different systems/OSs to image a single USB card ten times or split the imaging of 10 USB cards using different systems/OSs, might this be relevant to you? If it isn't, don't shoot the messenger as this isn't my area; just passing on info.
> Im looking at some 10 images of USB cards.
What is a USB card in this context? Are they general storage devices, or only intended for some particular purpose, i.e. are they entirely passive, or is there any card-based 'intelligence'? Is there any manufacturer-supplied software involved operating them? Best would be to state the manufacturer and model number for one of the devices that you think misbehaves.
> … after hashing these fall into 4 groups. we were told that they were bit for bit copied so they would be exactly the same -
(What falls into four groups? The images? Later you seem to be referring to files in the images.)
'You were told …' are you trying to verify images created by another party? The reason I ask is that you later say that you have a write blocker … but the significance of that is unclear unless the imaging party also used a write blocker …
> … can't be bit for bit copied then can it? these drive have not been used since coming to us and i am using a write blocker.
But what happened before that? Do you have an imaging protocol of the original images, and an unbroken chain of custody, and are you satisfied that it is OK?
What write blocker is involved? Same everywhere? Some blockers only block explicit write commands, and let everything else through. If your devices implement some nonstandard USB command (and there is a block of those commands reserved for such purposes), and those commands do things on the drive, … you have one possible explanation.
Do you have an imaging protocol that states when the original imaging took place? Where are the changed files in relation to that – before, during, or after?
> I now have the question, If this wasn't a bit for bit copy, but this artefact has found its way onto every card then how did it get there?
Based on the information provided, several hypotheses can be stated
A) The devices were mislabeled after imaging, or there is some similar confusion as to what image belongs to which original device, the result of which is that you are comparing wrong images.
B) Original imaging wasn't done with a write blocker, and the original was modified during imaging.
C) Imaged devices have been examined without a write blocker after imaging was done.
D) Write blocker lets USB commands that cannot be identified as WRITE commands through (e.g. undefined USB commands), and some intelligence on the devices is responsible for some or all of the changes.
E) Either write blocker is malfunctioning.
I'm sure you can add another half-dozen based on your own knowledge of the situation.
Some of these can be easily addressed by looking at file time stamps, the imaging protocol, and the chain of custody log. Others may require a similar device to be imaged under the same conditions, or require that the write blocking devices/software is tested more thoroughly.
There is one other possibility.
Some Flash based storage devices, even some USB storage devices, use a wear leveling algorithm to evenly distribute writing of data. Sometimes these algorithms move data when power is applied. The moving and deleting of unallocated space would change the hash value.
I have heard that Solid State Drives are the main culprit but that some USB "thumb drives" may do this too.
In fact there is a long thread on this forum about this very topic:
http://www.forensicfocus.com/index.php?name=Forums&file=viewtopic&t=3542&postdays=0&postorder=asc&start=0
TonyC
This implies that the memory chip KNOWS the file system being used. Unallocated in FAT, NTFS, XFS, REISER ext3 etc etc are all different - plus the File system to be introduced next year, and the year after.
Wear leveling must be 1000% invisible to the user, otherwise memory chips would be unusable. A sector is always a sector, wherever the physical location is within the chip.
A flash controller has its own file system that allocates sectors as they are used, but this cannot be seen through the USB port.
Hi all,
I hope I reply to everyone's questions here.
10 cards, 1 image for each.
Write blocker used in all imaging by us.
An apparent bit for bit copy was used to make sure all the drives were the same, but they are not, as there are some discrepancies with the files on them.
One file artefact appears on all the cards in the same place at the same physical location. We suspect they were contaminated or this was here from a previous bit for bit copy in the past.
@tremte - same OS used to image the cards.
I did expect to get different hashes for different batches of drives; I have seen this before, but in this case it is because of different file numbers that the hashes are different.
Thanks for the advice guys.
Maybe out in left field, but, despite them allegedly being the same, do they know for certain that all the memory chips are from the same source? In other words, are the internal parts identical regardless of the outside looking the same? If chips came from different batches, that might account for differences in physical make-up.