I'm imaging a laptop hard drive that has 5 bad sectors. Because of this, the hash (I happen to be using sha256) of the source device and the forensic image do not match. How do you handle hash signatures when a drive has errors? I see a couple of approaches and would like to see how others deal with it
1. Hash small chunks during imaging to prove out most of the drive. Hashes for those chunks with errors will not match and well as has for overall file, but can be explained.
2. Don't hash, provide explanation of special case due to drive issues
Thanks for your input. FYI, the command I run is
dc3dd if=/dev/sde of=/PATH/TO/CLIENT/CASE/tag1-SN/tag1-SN.dc3dd progress=on hash=sha256 hashlog=/PATH/TO/CLIENT/CASE/tag1-SN/tag1-SN/log/tag1-SN.sha256.dc3dd errlog=/PATH/TO/CLIENT/CASE/tag1-SN/tag1-SN/log/tag1-SN.err conv=sync iflag=direct
Even if I have conv=noerror,sync, the hashes still do not match. Thanks.
If you can acquire a forensic image of the drive with another tool and the resulting image has the same hash value as the first image, then I would think you have attained the best evidence possible.
I would even say that two matching images acquired with the same tool would be good enough.
Anyone repeating your steps should get the same results unless the drive is degrading.
Another possible option is to use hashconv=after and get hash values after bad sectors are padded with 00.