Hello all,
Empty CD-R's are not recognized as physical and logical drives by Encase, FTK etc. so they do not seem to be hashed just like a hard drive can be done.
But but some other software like "Recover my files" seem to be producing a hash value for empty CD, which does not sound all right to me. Since the CD-R has not been burned, there may not be any sectors to hash.
What do you think?
Regards
How long is the image file that Recover my files produces.
It may be a zero length file, and your hash may be for a zero length file
"The imager" from Getdataback seems to produce a hash a value. However, like you said, it is seemingly an image file, however it is not a real image and it is 2 KB in size.
But as for the hash value which comes on screen, we have made futher tests on how it is created. We have tried with other empty CD's and a blue-ray, they all seem to produce same hash value.
So, it is not a real hashing process.
What is the hash value?
What is the hash value?
Like would it begin with da39 … or d41d … ? wink
http//
http//
Only seemingly OT
http//www.forensicfocus.com/Forums/viewtopic/p=6535731/#6535731
http//
jaclaz
Paulsanderson,
The image file that Recover my files produces is 2.00 KB in size and 4.00 KB in size (on disk). And the hash value is 5FE4E4ABD0F5E7162F71542AA2B7ADE9.
Granted that any given tool may produce "something", that something doesn't always have real meaning.
In the case of a NON-empty CD or DVD, I'm not aware of a reliable tool to make a forensic copy or hash. There are a number of tools for examining the original media, and a number of tools for reliably copying selected types of CD/DVDs, but nothing I know of to copy or hash an arbitrary CD/DVD.
Am I missing something?
In the case of a NON-empty CD or DVD, I'm not aware of a reliable tool to make a forensic copy or hash. There are a number of tools for examining the original media, and a number of tools for reliably copying selected types of CD/DVDs, but nothing I know of to copy or hash an arbitrary CD/DVD.
Why are you so concerned about a hash value. As far as I am concerned, a hash value is only to indicate that the data is the same or different to the time the hash was taken.
The important part of the question is which sectors can be read.
CD/DVD readers are normally controlled by information stored in 'service' tracks on the CD. ie, if the CD thinks it has 0x4000 sectors written, it will not allow access to sector 0x4001. An initialized RW disk will not allow reading of any sectors