
Hash Mismatch

(@cpt-hookdangles)
Posts: 10
Active Member
Topic starter
 

I have had a couple of times at work when I hash an image file before shipping it to the client and the hash doesn't match. The first time the image was made with dc3dd and the hash from the log file didn't match the hash I got when I used FTK to hash the image file. Today I just had an image that was acquired with MacQuisition (Digital Collector) and when I hashed it, it didn't match the log from Digital Collector. Is there something that MacQ and dc3dd do that creates this issue, like hashing on the fly? Or is it just an error? Any help would be greatly appreciated!

 

Also off topic but does anyone know what happened to Triforce ANJP? I can't seem to find a download of it anywhere.

This topic was modified 3 years ago by cpt.hookdangles
 
Posted : 28/05/2021 2:04 am
watcher
(@watcher)
Posts: 125
Estimable Member
 

Two possibilities come to mind.

  1. How did you access the device that was imaged? Meaning did you use a write blocker and/or a forensically appropriate OS? An error here might have changed the source, invalidating the hash.
  2. Was the source a solid state drive (SSD)? Powering up an SSD can result in pending TRIM erasures taking place. A write blocker would not stop this.
 
Posted : 28/05/2021 9:39 pm
(@cpt-hookdangles)
Posts: 10
Active Member
Topic starter
 

@watcher Ahh yes! I didn't even think about the TRIM. Well, the dc3dd, I would say, wasn't run in a forensically sound manner. They run them on live machines from an external. So the computers are on and people could move around and access things.

 

But booting into MacQuisition should be forensically sound. 

Thanks a lot for the response! I think I have something to go off of and play around with to test this.

 
Posted : 29/05/2021 12:48 am
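
One way to test the causes discussed in this thread, as an added example that is not part of the original posts: hash two reads (for instance the image file and a second read of the source) in fixed-size windows, so a mismatch can be placed at specific offsets or identified as a length difference. The function names, the window size and the sample bytes are assumptions constructed for illustration.

```python
import hashlib
import io

WINDOW = 1024 * 1024  # assumed window size (1 MiB); any fixed size works


def windowed_hashes(stream, window=WINDOW):
    """Return (full SHA-256, list of per-window SHA-256, total bytes) for a binary stream."""
    full = hashlib.sha256()
    windows, total = [], 0
    while True:
        block = stream.read(window)
        if not block:
            break
        full.update(block)                       # whole-stream hash, as a log would record
        windows.append(hashlib.sha256(block).hexdigest())
        total += len(block)
    return full.hexdigest(), windows, total


def compare_reads(a, b, window=WINDOW):
    """Compare two reads; report the length delta and byte offsets of differing windows."""
    hash_a, win_a, len_a = windowed_hashes(a, window)
    hash_b, win_b, len_b = windowed_hashes(b, window)
    differing = [i * window for i, (x, y) in enumerate(zip(win_a, win_b)) if x != y]
    # Windows that exist in only one read (truncated or extended copy)
    shorter, longer = sorted((len(win_a), len(win_b)))
    differing += [i * window for i in range(shorter, longer)]
    return {"match": hash_a == hash_b,
            "length_delta": len_b - len_a,
            "differing_offsets": differing}


def demo():
    """Constructed sample: 16 KiB of data, with 4 bytes changed before the second read."""
    first_read = bytes(range(256)) * 64
    second_read = bytearray(first_read)
    second_read[9000:9004] = b"\x00\x00\x00\x00"   # simulated change to the source
    return compare_reads(io.BytesIO(first_read), io.BytesIO(bytes(second_read)), 4096)


if __name__ == "__main__":
    print(demo())
```

For real evidence, pass file objects opened with `open(path, "rb")` instead of the in-memory samples.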