Hash on drive with errors - procedures for handling  

ahoog
(@ahoog)
Junior Member

I'm imaging a laptop hard drive that has 5 bad sectors. Because of this, the hash (I happen to be using sha256) of the source device and the forensic image do not match. How do you handle hash signatures when a drive has errors? I see a couple of approaches and would like to see how others deal with it.

1. Hash small chunks during imaging to prove out most of the drive. Hashes for those chunks with errors will not match, as well as the hash for the overall file, but can be explained.

2. Don't hash, provide explanation of special case due to drive issues

Thanks for your input. FYI, the command I run is

dc3dd if=/dev/sde of=/PATH/TO/CLIENT/CASE/tag1-SN/tag1-SN.dc3dd progress=on hash=sha256 hashlog=/PATH/TO/CLIENT/CASE/tag1-SN/tag1-SN/log/tag1-SN.sha256.dc3dd errlog=/PATH/TO/CLIENT/CASE/tag1-SN/tag1-SN/log/tag1-SN.err conv=sync iflag=direct

Even if I have conv=noerror,sync, the hashes still do not match. Thanks.

Posted : 06/03/2009 7:31 pm
neddy
(@neddy)
Active Member

If you can acquire a forensic image of the drive with another tool and the resulting image has the same hash value as the first image, then I would think you have attained the best evidence possible.

I would even say that two matching images acquired with the same tool would be good enough.
Anyone repeating your steps should get the same results unless the drive is degrading.

Posted : 09/03/2009 2:27 am
ecophobia
(@ecophobia)
Active Member

Another possible option is to use hashconv=after and get hash values after bad sectors are padded with 00.

Posted : 08/04/2009 4:36 pm
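
The chunk hashing from the first post, combined with zero-padding of unreadable sectors and a repeat acquisition as suggested in the replies, shown as an added example that is not part of the thread and not dc3dd's own code. The drive is a constructed in-memory stand-in, and `acquire`, `piecewise`, `mismatched_pieces`, `make_drive` and the piece size are hypothetical names and values.

```python
import hashlib

SECTOR = 512
PIECE = 8 * SECTOR  # hypothetical piece size for the demo (a multiple of the sector size)

def acquire(read_sector, n_sectors):
    """Read every sector; zero-fill unreadable ones and record their numbers."""
    image, bad = bytearray(), []
    for lba in range(n_sectors):
        try:
            image += read_sector(lba)
        except OSError:
            image += bytes(SECTOR)  # unreadable sector padded with 00
            bad.append(lba)
    return bytes(image), bad

def piecewise(image, piece=PIECE):
    """Return (overall SHA-256, list of per-piece SHA-256 hex digests)."""
    pieces = [hashlib.sha256(image[i:i + piece]).hexdigest()
              for i in range(0, len(image), piece)]
    return hashlib.sha256(image).hexdigest(), pieces

def mismatched_pieces(a, b):
    """Indexes of pieces whose hashes differ between two acquisitions."""
    if len(a) != len(b):
        raise ValueError("piece lists differ in length; compare image sizes first")
    return [i for i, (x, y) in enumerate(zip(a, b)) if x != y]

def make_drive(bad_lbas, n_sectors=64):
    """Constructed stand-in for a failing drive (not real evidence data)."""
    def read_sector(lba):
        if lba in bad_lbas:
            raise OSError(5, "Input/output error")
        return hashlib.sha256(lba.to_bytes(8, "big")).digest() * (SECTOR // 32)
    return read_sector, n_sectors

def demo():
    img1, bad1 = acquire(*make_drive({3, 17, 18, 40, 41}))      # first pass, 5 bad sectors
    img2, _ = acquire(*make_drive({3, 17, 18, 40, 41}))         # second pass, drive stable
    img3, _ = acquire(*make_drive({3, 17, 18, 40, 41, 50}))     # later pass, one more failure
    h1, p1 = piecewise(img1)
    h2, _ = piecewise(img2)
    h3, p3 = piecewise(img3)
    return {"repeatable": h1 == h2, "degraded_overall_match": h1 == h3,
            "degraded_pieces": mismatched_pieces(p1, p3), "bad_first_pass": bad1}

if __name__ == "__main__":
    print(demo())
```

Recording the bad-sector list next to the piece hashes lets a reviewer tie every mismatching piece to a logged read error, while every other piece still verifies independently.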