I had recently imaged a device using LinEn and later conducted verfication using EnCase version 5.
Then, an issue pops out - In my Header Report, I was only able to see the Verification Hash generated and NOT the Acquisition Hash (I supposed it was one of the options which i did not check when i conducted the imaging using LinEn). Although it was reported that there is 0 error and the imaged acquired was verified, I am still not comfortable.
I then proceeded to do a Hashing on the acquired image and took note on the result, which proved to be similar to that indicated in the verification report.
Questions are
a) When LinEn asked "Generate A Hash Value For This Image?", does it mean that LinEn will generate a hash for the device, or the image acquired?
b) With only the Verification hash generated (without acquisition hash being indicated) in the report and that it was reported that there is 0 error and fully verified, can I assume that image I acquired is true and correct?
c) By doing a hashing on the image subsequently, does that make any difference?
d) if these measures aint sufficient, what is there to damage control? Do I have to re-acquire the device?
Thanks
I then proceeded to do a Hashing on the acquired image and took note on the result, which proved to be similar to that indicated in the verification report.
The question is somewhat unclear. What do you mean by similar hash? Do you have the same value? The way MD5 and SHA1 work, a single bit change must produce at least 50% changes in the hash output.
Hash of the device is calculated and compared with the hash of the image to confirm the integrity of the image. If you want to make sure there are no changes to the device, then you will need to run the hash verification of the device again, and these three hash values must be the SAME.
Sometimes, when you acquire the image of a USB flash drive, the hash value may change despite software or hardware write blocker. For details go here
http//