Hashing differences
(@cults14)
Reputable Member
Joined: 17 years ago
Posts: 367
Topic starter  

I had to export a user's mailbox as PST on a US-based server, then copy the PST to UK to work on.

I hashed the original using FTK, then zipped the PST file, copied it to UK, unzipped it, and hashed again using FTK Imager - hashes didn't match.

I guessed Winzip was mebbe causing the problem, so I copied the original PST file across to UK and hashed it again - same result.

So I guessed - and I mean guessed - that mebbe date/time stamps on different sides of the pond were causing the problem. But couldn't figure how that would really work, so thought for a wee while.

Turns out it was how I was adding the evidence in FTK that was the problem. On the US-based server I had added the local drive as evidence using the Physical Drive option, in UK I added the evidence using the Contents of a Folder option.

I went back to the US server, added the evidence using the Contents of a Folder option and hey presto the hashes match.

This is an internal investigation which may or may not turn legal - I've documented ALL the steps I took (including exporting the mailbox as PST and the non-matching hashes), can anyone see any show-stoppers in the process so far?

Thanks

Beetle
(@beetle)
Reputable Member
Joined: 17 years ago
Posts: 318
 

The folder option means you copied the logical files so the file slack was not the same as for the physical files.

The only advice I can offer is that you make sure you can explain why the hashes in your documentation were different.

(@cults14)
Reputable Member
Joined: 17 years ago
Posts: 367
Topic starter  

Thanks Beetle, pretty much what I suspected and I can defend that if needs be.

Cheers

kiashi
(@kiashi)
Trusted Member
Joined: 19 years ago
Posts: 99
 

The folder option means you copied the logical files so the file slack was not the same as for the physical files.

Apologies if I am having a slow morning but as far as I understood individual file hashing, only the logical file is hashed, the file slack is not included. Besides if the file slack was the problem then Cults14 wouldn't be able to get matching hashes at all with his scenario of 'Contents of Folder' in both locations as the slack is still different.
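The two replies above turn on the difference between hashing a file's logical content and hashing the disk space that content occupies. The script below is an added example, not code from any poster or from FTK, and it does not model how FTK's Physical Drive or Contents of a Folder options work internally. It builds a constructed stand-in for the PST, assumes a 4 KiB cluster size, and uses "OLD-MAIL-" as constructed residue left in the last cluster. It shows that a per-file hash (MD5 and SHA1 over bytes 0 to EOF) is unchanged by a zip round-trip or a copy to another machine, while a hash that also covers the file slack changes whenever the residue in the last cluster differs, and agrees again only when that residue is the same on both sides.

```python
import hashlib
import io
import zipfile

# Assumption (constructed for this example): a 4 KiB cluster, as on a typical NTFS volume.
CLUSTER_SIZE = 4096

# Constructed stand-in for an exported PST; the bytes are arbitrary, only their
# length and content matter for the hashes below.
PST_BYTES = b"!BDN" + b"\x00" * 200 + b"mailbox export (constructed sample)" * 300


def logical_hashes(data: bytes) -> dict:
    """Hash the logical file only: bytes from offset 0 to end-of-file.
    A per-file hash covers nothing else: no slack, no timestamps, no path."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
    }


def zip_roundtrip(data: bytes, name: str = "mailbox.pst") -> bytes:
    """Compress and decompress in memory. Deflate is lossless, so the
    extracted bytes (and therefore the logical hash) are unchanged."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(name, data)
    buf.seek(0)
    with zipfile.ZipFile(buf) as zf:
        return zf.read(name)


def allocated_extent(data: bytes, slack_fill: bytes) -> bytes:
    """Model the clusters a file occupies on disk: its content, plus the
    unused tail of the last cluster (file slack), which still holds whatever
    bytes were there before. slack_fill stands in for that residue."""
    slack_fill = slack_fill or b"\x00"
    clusters = -(-len(data) // CLUSTER_SIZE)          # ceiling division
    slack_len = clusters * CLUSTER_SIZE - len(data)
    repeats = slack_len // len(slack_fill) + 1
    return data + (slack_fill * repeats)[:slack_len]


def extent_hash(data: bytes, slack_fill: bytes) -> str:
    """MD5 over content plus slack, i.e. the whole allocated extent."""
    return hashlib.md5(allocated_extent(data, slack_fill)).hexdigest()


def compare_copies(data: bytes) -> dict:
    """Compare a file with a zip-round-tripped copy written to a second disk
    whose last-cluster residue differs from the first."""
    copy = zip_roundtrip(data)
    slack_len = -(-len(data) // CLUSTER_SIZE) * CLUSTER_SIZE - len(data)
    return {
        "slack_bytes": slack_len,
        # Logical hashes: identical, the copy is byte-for-byte the same file.
        "logical_match": logical_hashes(data) == logical_hashes(copy),
        # Content+slack hashes: differ once the residue in the last cluster differs.
        "extent_match_different_slack":
            extent_hash(data, b"OLD-MAIL-") == extent_hash(copy, b"\x00"),
        # Same residue on both disks: the extent hashes agree again, so slack
        # only explains a mismatch if the slack really did differ.
        "extent_match_same_slack":
            extent_hash(data, b"\x00") == extent_hash(copy, b"\x00"),
    }


if __name__ == "__main__":
    for key, value in compare_copies(PST_BYTES).items():
        print(f"{key}: {value}")
```

One edge case worth knowing when writing up a hash discrepancy: if the file length is an exact multiple of the cluster size there is no slack at all, and the extent hash matches as well, so a slack-based explanation for mismatching hashes should be checked against the file size and cluster size of the volume in question.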