Different Images from FTK v. EnCase

9 Posts
7 Users
0 Reactions
1,481 Views
(@susie)
New Member
Joined: 13 years ago
Posts: 2
Topic starter  

I am SUPER new to the world of computer forensics. This is my first case. My office uses almost exclusively EnCase 6. (So, no help there.) But, I was trained and given EnCase 7 and FTK. To make sure I had a good image, I imaged the hard drive separately with both FTK Imager and EnCase 7 (E01 files). But, when I pulled up both the FTK image and the Encase image separately in Encase, they look completely different! They are clearly the same hard drive (same serial number, same name), but completely different hash values. (No, I didn't image my own hard drive. wink )

What gives?


   
Quote
keydet89
(@keydet89)
Famed Member
Joined: 21 years ago
Posts: 3568
 

Besides the hashes, what do you mean by, "they look completely different"?


   
ReplyQuote
(@mscotgrove)
Prominent Member
Joined: 17 years ago
Posts: 940
 

Was the drive ALWAYS connected via a write blocker?

A hash is either the same or different. The words "completely different" just mean it is different. Maybe by just a single bit in a TB of data, but it is different.


   
ReplyQuote
 96hz
(@96hz)
Estimable Member
Joined: 17 years ago
Posts: 143
 

It's easy with FTK and EnCase (at least version 6) to inadvertently image a volume/partition as opposed to the entire physical disk. This would result in differing hashes and a different appearance. Is this possible?

And are you comparing the same type of hash value? (i.e. MD5, SHA1, etc.)


   
ReplyQuote
(@patrick4n6)
Honorable Member
Joined: 16 years ago
Posts: 650
 

Did you hash the image files, or the content within the image files to verify the content? Remember that an E01 contains additional check blocks that mean that the image is not simply a bit by bit copy of the source, so if you hash your image file instead of hashing the image contained within it, you're going to get a different value.


   
ReplyQuote
(@mansiu)
Trusted Member
Joined: 16 years ago
Posts: 83
 

Can you tell me who taught you EnCase and FTK?


   
ReplyQuote
(@susie)
New Member
Joined: 13 years ago
Posts: 2
Topic starter  

Well, I checked and I definitely imaged the whole drive, not just the folders. And, yes the write blocker was in place the entire time the hard drive was connected to my computer. And, I compared the MD5 and SHA1 hash values for the whole drive. I have not checked the hash values for the individual files.

An example of how they're different is that the FTK version shows a recovery drive and the Encase version does not. Someone in my office supposed that since FTK and EnCase image differently, they would have different final hash values?

Right now, I'm imaging a different hard drive, again on both FTK and Encase, so I'll see how it turns out. It's very possible I did something completely wrong the first time around and these images will be the same. I'll let you know.

Has anyone else ever imaged a drive with both FTK and EnCase?


   
ReplyQuote
(@shaman)
Active Member
Joined: 16 years ago
Posts: 10
 

I am SUPER new to the world of computer forensics. This is my first case. My office uses almost exclusively EnCase 6. (So, no help there.) But, I was trained and given EnCase 7 and FTK. To make sure I had a good image, I imaged the hard drive separately with both FTK Imager and EnCase 7 (E01 files). But, when I pulled up both the FTK image and the Encase image separately in Encase, they look completely different! They are clearly the same hard drive (same serial number, same name), but completely different hash values. (No, I didn't image my own hard drive. wink )

What gives?

1) Go to the FTK Imager text file and look for the total number of sectors in your imaged drive.

2) On EnCase 6 - GoTo Entries and click on your imaged drive (Not the drive letter but the image)
Then GoTo Devices (On the same toolbar where Entries is at)
Then on the EnCase View Pane GoTo Report.
From there you will get the total size and total sectors on your image.

Compare both and see if they are the same.

If they are not, you will need to reimage. My suggestion would be to reimage with EnCase (Since you are missing a recovery partition with that image) and then compare again.

Good Luck!


   
ReplyQuote
(@patrick4n6)
Honorable Member
Joined: 16 years ago
Posts: 650
 

Do the imaging logs indicate that the images are the same size? I'm thinking based on your latest post that there may be an HPA or DCO, and that one tool grabbed it while the other did not.

Check the largest partition on each image to make sure they are the same size, then hash the partition only. That will indicate whether it's different imaging approaches to the same drive, or if you've totally bolloxed up the imaging process.


   
ReplyQuote
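An added example, not from any poster in this thread, of the checks suggested above: compare total sector counts, whole-image hashes, and the hash of the largest partition between two images of the same disk. The sample disk, the single-partition MBR layout, and the "one tool stopped short of a hidden area" truncation are all constructed here; real E01 images would first need their raw content extracted, since the container itself is not a bit-for-bit copy.

```python
import hashlib
import struct

SECTOR = 512

def build_sample_disk(total_sectors, part_start=2048, part_sectors=4096):
    """Constructed sample disk: an MBR with one partition plus deterministic, per-sector filler."""
    body = bytearray(total_sectors * SECTOR)
    for lba in range(total_sectors):                       # make every sector distinct
        body[lba * SECTOR:lba * SECTOR + 8] = struct.pack("<Q", lba * 2654435761)
    entry = bytes([0x00, 0, 0, 0, 0x07, 0, 0, 0]) + struct.pack("<II", part_start, part_sectors)
    body[446:462] = entry                                  # first MBR partition entry
    body[510:512] = b"\x55\xaa"                            # MBR boot signature
    return bytes(body)

def mbr_partitions(image):
    """Parse the four MBR entries; return [(first_lba, sector_count), ...] for used slots.
    A volume-only image has no MBR in its first sector, so this raises ValueError."""
    if image[510:512] != b"\x55\xaa":
        raise ValueError("no MBR signature in sector 0: not a physical-disk image?")
    parts = []
    for i in range(4):
        entry = image[446 + 16 * i:462 + 16 * i]
        first_lba, count = struct.unpack("<II", entry[8:16])
        if entry[4] != 0 and count:                        # non-empty type and non-zero length
            parts.append((first_lba, count))
    return parts

def sha1_hex(data):
    return hashlib.sha1(data).hexdigest()

def partition_slice(image, first_lba, count):
    end = (first_lba + count) * SECTOR
    if end > len(image):
        raise ValueError("partition extends past end of image")
    return image[first_lba * SECTOR:end]

def compare_images(img_a, img_b):
    """Sector counts, whole-image hash match, and largest-partition hash match for two images."""
    def largest(img):
        return max(mbr_partitions(img), key=lambda p: p[1])
    pa, pb = largest(img_a), largest(img_b)
    return {
        "sectors_a": len(img_a) // SECTOR,
        "sectors_b": len(img_b) // SECTOR,
        "whole_image_match": sha1_hex(img_a) == sha1_hex(img_b),
        "largest_partition_match": pa == pb
            and sha1_hex(partition_slice(img_a, *pa)) == sha1_hex(partition_slice(img_b, *pb)),
    }

if __name__ == "__main__":
    full = build_sample_disk(8192)                # image that captured every sector
    short = full[:7680 * SECTOR]                  # constructed: same disk, last 512 sectors not captured
    print(compare_images(full, short))            # sectors differ, whole hash differs, partition hash matches
```

If the partition hashes match while the whole-image hashes do not, the two tools captured different extents of the same drive rather than different data.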
Share: