Hash on drive with errors - procedures for handling

ahoog
(@ahoog)
Posts: 47
Eminent Member
Topic starter
 

I'm imaging a laptop hard drive that has 5 bad sectors. Because of this, the hash (I happen to be using sha256) of the source device and the forensic image do not match. How do you handle hash signatures when a drive has errors? I see a couple of approaches and would like to see how others deal with it.

1. Hash small chunks during imaging to prove out most of the drive. Hashes for those chunks with errors will not match, as well as the hash for the overall file, but can be explained.

2. Don't hash, provide explanation of special case due to drive issues

Thanks for your input. FYI, the command I run is

dc3dd if=/dev/sde of=/PATH/TO/CLIENT/CASE/tag1-SN/tag1-SN.dc3dd progress=on hash=sha256 hashlog=/PATH/TO/CLIENT/CASE/tag1-SN/tag1-SN/log/tag1-SN.sha256.dc3dd errlog=/PATH/TO/CLIENT/CASE/tag1-SN/tag1-SN/log/tag1-SN.err conv=sync iflag=direct

Even if I have conv=noerror,sync, the hashes still do not match. Thanks.

 
Posted : 06/03/2009 7:31 pm
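Approach 1 above, sketched as an added example that is not part of the original thread: hash fixed-size chunks of two reads, then separate mismatching chunks that contain a sector from the error log (explainable) from those that do not. The 512-byte sector size, the 8-sector chunk, the function names and the in-memory sample drive are all assumptions made for illustration.

```python
import hashlib
import io

SECTOR = 512  # bytes per sector (assumed)

def chunk_hashes(stream, chunk_sectors=8):
    """Return [(first_sector, last_sector, sha256_hex)] for each fixed-size chunk."""
    out, first = [], 0
    while block := stream.read(chunk_sectors * SECTOR):
        count = -(-len(block) // SECTOR)  # ceiling division: last chunk may be short
        out.append((first, first + count - 1, hashlib.sha256(block).hexdigest()))
        first += count
    return out

def compare(first_read, second_read, bad_sectors):
    """Classify chunk mismatches by whether a logged bad sector falls inside them."""
    if [c[:2] for c in first_read] != [c[:2] for c in second_read]:
        raise ValueError("chunk layouts differ: sizes or chunking do not match")
    report = {"matched_sectors": 0, "total_sectors": 0,
              "explained": [], "unexplained": []}
    for (first, last, h1), (_, _, h2) in zip(first_read, second_read):
        n = last - first + 1
        report["total_sectors"] += n
        if h1 == h2:
            report["matched_sectors"] += n
        elif any(first <= s <= last for s in bad_sectors):
            report["explained"].append((first, last))
        else:
            report["unexplained"].append((first, last))
    return report

def zero_sectors(data, sectors):
    """Constructed stand-in for an imager padding unreadable sectors with zeros."""
    buf = bytearray(data)
    for s in sectors:
        buf[s * SECTOR:(s + 1) * SECTOR] = bytes(SECTOR)
    return bytes(buf)

def demo(logged_bad=(20, 45), padded=(20, 45)):
    # Constructed 64-sector "drive": each sector is filled with its own number.
    drive = b"".join(bytes([n]) * SECTOR for n in range(64))
    image = zero_sectors(drive, padded)  # image with some sectors zero-padded
    return compare(chunk_hashes(io.BytesIO(drive)),
                   chunk_hashes(io.BytesIO(image)), logged_bad)

if __name__ == "__main__":
    print(demo())                       # both mismatching chunks are explained
    print(demo(padded=(20, 45, 60)))    # sector 60 is not in the error log
```

A chunk listed under `unexplained` differs without a corresponding error-log entry, which is the case that needs investigation rather than a note in the report.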
neddy
(@neddy)
Posts: 182
Estimable Member
 

If you can acquire a forensic image of the drive with another tool and the resulting image has the same hash value as the first image, then I would think you have attained the best evidence possible.

I would even say that two matching images acquired with the same tool would be good enough.
Anyone repeating your steps should get the same results unless the drive is degrading.

 
Posted : 09/03/2009 2:27 am
ecophobia
(@ecophobia)
Posts: 127
Estimable Member
 

Another possible option is to use hashconv=after and get hash values after bad sectors are padded with 00.

 
Posted : 08/04/2009 3:36 pm