
Different hash, almost every time.

Samuel1
(@samuel1)
Trusted Member
Joined: 15 years ago
Posts: 63
Topic starter  

So, I have discovered that I cannot trust some of my equipment. My USB-to-SATA device produces a different hash nearly every time.

I finally plugged my evidence drives directly into the motherboard of my main desktop system, and then suddenly everything worked just fine.

My question for you guys is – how do you determine if you can trust your hardware? For example… is it my USB hub? Could the different hash be a result of the destination drive having silent bit errors? Could it be the controller card on one of the drives failing? It could be so many different things – do you folks have a battery of tests you run on your equipment every so often to ensure they're 99% reliable?

Many thanks!


   
(@mscotgrove)
Prominent Member
Joined: 17 years ago
Posts: 940
 

If you are not using a write blocker, that could explain the problem.

Make images and do a binary compare if the hashes are different. A hash match is 100%, i.e. Yes or No. The images may be very, very nearly the same, which is a NO for hash matching, but could be Yes for general use.


   
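The binary compare suggested in the post above, as an added example (not code from any poster in this thread): it hashes two image files and reports where they differ and by how many bytes and bits. The 512-byte sector size, the comparison window, the function names and the sample images are assumptions constructed for the illustration.

```python
import hashlib
import os
import tempfile

SECTOR = 512      # assumed logical sector size
CHUNK = 1 << 20   # compare 1 MiB at a time (arbitrary window)

def compare_images(path_a, path_b, chunk=CHUNK):
    """Hash both images; return (sha256_a, sha256_b, diffs), one diff per mismatching chunk."""
    ha, hb = hashlib.sha256(), hashlib.sha256()
    diffs, offset = [], 0
    with open(path_a, "rb") as fa, open(path_b, "rb") as fb:
        while True:
            a, b = fa.read(chunk), fb.read(chunk)
            if not a and not b:
                break
            ha.update(a)
            hb.update(b)
            if a != b:
                pairs = list(zip(a, b))
                # Index of the first differing byte; len(pairs) if one image just ends early.
                first = next((i for i, (x, y) in enumerate(pairs) if x != y),
                             len(pairs))
                diffs.append({
                    "chunk_offset": offset,
                    "first_sector": (offset + first) // SECTOR,
                    "bytes": sum(x != y for x, y in pairs) + abs(len(a) - len(b)),
                    "bits": sum(bin(x ^ y).count("1") for x, y in pairs),
                })
            offset += max(len(a), len(b))
    return ha.hexdigest(), hb.hexdigest(), diffs

def demo():
    """Constructed sample: image B is image A with one flipped bit and one 8-byte overwrite."""
    a = bytearray(os.urandom(64 * 1024))
    b = bytearray(a)
    b[5000] ^= 0x04                                            # a single flipped bit
    b[40960:40968] = bytes(x ^ 0xFF for x in a[40960:40968])   # 8 rewritten bytes
    with tempfile.TemporaryDirectory() as d:
        pa, pb = os.path.join(d, "a.img"), os.path.join(d, "b.img")
        for path, data in ((pa, a), (pb, b)):
            with open(path, "wb") as f:
                f.write(data)
        return compare_images(pa, pb, chunk=4096)

if __name__ == "__main__":
    sha_a, sha_b, diffs = demo()
    print("hashes match:", sha_a == sha_b)
    for d in diffs:
        print(d)
```

Run it against image files rather than the evidence drive itself. Isolated bit differences that land at different offsets on each acquisition suggest a problem in the read path, while differences that stay in the same sectors suggest something wrote to the drive between acquisitions.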
Passmark
(@passmark)
Reputable Member
Joined: 14 years ago
Posts: 376
 

Could also make a signature of the drive (i.e. generate a hash per file, along with time stamp). Then do the same thing the next day.
Then compare the signatures to see which file(s), if any, are being changed.


   
mattdk
(@mattdk)
New Member
Joined: 14 years ago
Posts: 4
 

My first question is - What do you need the hash match for? If you are looking to verify the item's validity as a copy of original evidence then you need to be using a write blocker. Without that there is a very likely chance that times will be changed just because the OS likes to talk to everything that touches it. If you are looking for specific file integrity or matches, try hashing each file on the drive at different times and running a hash comparison between the versions. It may give you an indication of where the files are that keep changing.

If you can give a little more info on why you need this hash or what you need to do with it, we may be able to point you in a direction which may help you out. Good luck!


   
(@pragmatopian)
Estimable Member
Joined: 16 years ago
Posts: 154
 

> If you are looking to verify the item's validity as a copy of original evidence then you need to be using a write blocker. Without that there is a very likely chance that times will be changed just because the OS likes to talk to everything that touches it!

Not if you're using a Linux Forensic distribution that doesn't automount devices or mounts them read-only, although this isn't specified by the OP.


   
mattdk
(@mattdk)
New Member
Joined: 14 years ago
Posts: 4
 

> > If you are looking to verify the item's validity as a copy of original evidence then you need to be using a write blocker. Without that there is a very likely chance that times will be changed just because the OS likes to talk to everything that touches it!
>
> Not if you're using a Linux Forensic distribution that doesn't automount devices or mounts them read-only, although this isn't specified by the OP.

Agreed completely. I didn't think that there was a Linux distro in use here, but I should have noted that as well just to cover all the bases.

On that note though, Sam, have you considered using a different hashing utility to verify your results? There are many different freeware tools to compute hashes. This probably won't solve your problem of changing hash values, but it may at least verify your results.

I truly think that the main problem is your device is not being write-blocked in any way when you connect it, which is likely causing the changing hash values. Are you trying to connect a USB device via a SATA connection, or do you have a SATA device that you need to connect via USB? If you are going in USB, you can software write-block by editing your registry. If you are unfamiliar with the registry, take caution and tread carefully to avoid making unrecoverable mistakes.

Just some thoughts. Let us know how you make out.


   