Hi,
maybe someone here can help me. I'm aquirering a image from a harddrive which has some physcal defect sectors in the middle of the drive. This works fine with dd_rescue. Now i want to make hashes from the harddrive and the image. But logically md5sum stops at the defect sectors. Is there any way to make a hash? I know that dd_rescue write 0's for the sectors it can't read, so it would be sufficent if there was a hash tool which assumes 0's for the defect sectors.
Thanks in advance!!!!
The important aspect of any hash is that it must be repeatable, and must indicate if any bit in the image has been changed.
One possible option is to hash the data up to the failed point, and then hash the data after the failed point. As long you have documented hash for sectors xx to yy then you can prove the data has not been changed.
Sometimes with disks, there can be many failure points, and occasionally an imaging program will just hang on an area. Hash values for fragments may be the best solution.
Once the whole disk has been (partially) imaged, do hash of the DD file.
With failing disks, it may never be possible to get the same hash for the complete disk as an extra sector may fail between reads.
The hash is just a procedure to prove that the data has not been changed since read. Full documentation is essential
Since you're comfortable with Linux, just pipe the output from dd_rescue through md5sum. This way, it should read the same data the same way that dd_rescue does, and hence generate the same hash as your already acquired image. Of course, if your drive is failing, which presumably is why you're using dd_rescue and not regular dd, then it's quite possible that you'll never get a matching hash, and that's just something that you'll have to explain at some time in the future.
Thanks for your replies!!!! The piping is a good idea!!! I had another thought yesterday. Maybe it is possible to hash only the intact sectors and leave the defect ones out. Is there a programm that hashes specific sectors? i know i can do that with encase….. and of course i need a prog that can find out the defect sectors…. if anybody knows such progs i would be very thankful for a advice!!!
Is there a programm that hashes specific sectors?
md5deep allows you to break a file up into pieces of arbitrary size (e.g., sectors), and generate hashes on each.
Give this a read as well from Digital Investigation 5
Contagious errors Understanding and avoiding issues
with imaging drives containing faulty sectors
Continuing on from the other forum where you posted …
You may try another application for acquisition, or acquisition and authentication. I recommend ddrescue (GNU) for acquisition of media with I/O errors. I also appreciate the approach SMART takes when acquiring media with I/O errors authenticate all good to I/O error, don't throw the baby out with the bath water, continue to next good read and continue acquiring and authenticating, ETC. What you get are the hash values for all good I/O reads.
Cheers!
farmerdude