
ext3 HDD with dd. images within..how to hash/verify?

pajkow
(@pajkow)
Estimable Member
Joined: 17 years ago
Posts: 81
Topic starter  

Hi

I have an HDD with an ext3 file system; within this HDD are dd images. What is the best tool to access the HDD, hash/verify those dd images and potentially convert them into E01?

I tried EnCase but it keeps crashing when trying to browse the HDD content.

FTK Imager can hash chunks of the dd image but as far as I’m aware it will not produce the hash for the entire image.

My apologies if I’m repeating someone else’s posts – if yes please could you direct me there so I can find the solution.

Many Thanks..


   
datacarver
(@datacarver)
Estimable Member
Joined: 18 years ago
Posts: 121
 

Use Helix, pop in the boot disk, mount your device RO (or use a write blocker), hash the image files using md5sum /mnt/sdb1/imagefile.dd (where sdb1 is your mount point).

If you have multiple non-segmented dd files you can run the same command with a wildcard (I believe offhand):
md5sum /mnt/sdb1/*.dd

You were not clear as to whether the image was split into segments so I am assuming you had multiple non-segmented image files on the drive.


   
(@patrick4n6)
Honorable Member
Joined: 16 years ago
Posts: 650
 

I don't know if md5sum works with wildcards, but I've always used cat to handle multiple segments. If the image is made using the normal split functionality, it will have the same file name, with an incrementing extension. So to hash them all as one:

> cat imagename.* | md5sum

If you absolutely refuse to work in Linux, then use FTK Imager to export the image files to your local machine, then use the Verify function to get the MD5 hash.


   
(@dietro)
Trusted Member
Joined: 20 years ago
Posts: 51
 

The issue you are having is that your exam machine cannot mount the EXT3 filesystem.

There are a number of options for handling such a problem. I would use LMGTFY, but I'll be nicer. 😉

http://www.google.com/search?btnG=1&pws=0&q=EXT3+driver+windows

Another option is downloading the SANS SIFTWorkstation 2.0. Connect the EXT3 HDD and share it with your Windows host. Then use FTK Imager to open the DD image and hash it. Presto! Plus, you get all the other tools in the SIFTWorkstation.


   
pajkow
(@pajkow)
Estimable Member
Joined: 17 years ago
Posts: 81
Topic starter  

Helix and Autopsy within it did the job.

Thanks for help

However, I’m having another issue: some images were zipped. I’m trying to unzip them to another external drive, which was mounted with all the rights, but when trying to unzip using Gunzip it comes up with the error that the file I’m trying to unzip is read-only and cannot be unzipped. The HDD with the zipped image is mounted and write blocked by both mounting and the hardware write blocker.

For me it looks a little bit odd that there is no need to have the write access to the file which needs to be unzipped, unless Gunzip wants to create a log in that directory which also is a little bit strange..

Any suggestions?


   
(@patrick4n6)
Honorable Member
Joined: 16 years ago
Posts: 650
 

It's possible that when you're running gunzip, you're not specifying an output path, or piping the content, so it's trying to unzip it by default to the same folder, which is of course write blocked. If this isn't the case, then post your syntax, or otherwise explain in detail the method you're using to unzip.

I've archived hundreds of forensic images using gzip and split, and never had a problem restoring or validating any of them.


   
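The two operations discussed in this thread, hashing split segments as one stream and decompressing from a write-blocked drive to a different output path, as an added example that is not part of any poster's reply. The function names, file names and directory layout are assumptions, and the sample data is constructed.

```sh
#!/bin/sh
# Added example; all paths and file names are constructed sample values.

# Hash a segmented dd image as one stream. Pass the segments in order; a
# glob expands in sorted order, which matches the suffixes split writes
# (aa, ab, ...). Make sure the glob matches segments only: "image.dd.*"
# would also pick up image.dd.gz or a stored hash file.
hash_segments() {
    cat -- "$@" | md5sum | cut -d' ' -f1
}

# Decompress SRC (on the read-only evidence drive) into DEST_DIR (writable).
# gunzip -c writes to stdout, so nothing is created or deleted next to SRC.
# Prints the MD5 of the restored image; fails if the archive is damaged or
# the copy on disk differs from the decompressed stream.
restore_gz() {
    src=$1
    dest_dir=$2
    out="$dest_dir/$(basename "$src" .gz)"
    gzip -t -- "$src" || return 1
    stream_md5=$(gunzip -c -- "$src" | tee "$out" | md5sum | cut -d' ' -f1)
    disk_md5=$(md5sum < "$out" | cut -d' ' -f1)
    [ "$stream_md5" = "$disk_md5" ] || { echo "mismatch: $out" >&2; return 1; }
    echo "$disk_md5"
}

# Build a constructed sample: a small "image", its split segments and a
# gzipped copy, in a directory made read-only to stand in for the
# write-blocked drive. Prints the sample's root directory.
make_sample() {
    root=$(mktemp -d) || return 1
    mkdir "$root/evidence" "$root/work"
    i=0
    while [ "$i" -lt 2000 ]; do
        echo "constructed sector $i"
        i=$((i + 1))
    done > "$root/evidence/image.dd"
    split -b 16384 "$root/evidence/image.dd" "$root/evidence/image.dd."
    gzip -c "$root/evidence/image.dd" > "$root/evidence/image.dd.gz"
    chmod -R a-w "$root/evidence"
    echo "$root"
}
```

Compare the value printed by either function against the hash recorded at acquisition time; a match between segments and restored copy alone only shows they agree with each other.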