I think, and EnCase users feel free to correct me if I am wrong, when you image in EnCase, it encapsulates the image in a specific format, so there is additional data in the EnCase image file as well as the image.
This means that anything taking a hash of the EnCase image file gets the image + other data. So the hashes will never match.
I think that even if you take the two EnCase image files that the MD5s calculated over those won't match either, because the metadata for the EnCase files will be different owing, at least, to the different times of the creation of the images.
Does that make sense ?
Yes thanks - that does make sense.
I do not understand why step #2 is needed. In step #2a am I suppose to disconnect and immediately reconnect the same HD? What is the reason for redoing parts of step #1 in step #2? Testing the media to me would be to use the HD manufacturer's diagnostic program (available for free on their website) to test for any defects on the HD. Actually I would make that step #1. Can you clarify and tell me why step #2 is needed? Thanks.
Step #2 - Testing the media
a) Remove and then replace the testing media into your forensic workstation.
b) Copy some data to the media.
c) Deleted a selection of this data from the media.
d) Image the media into the Step-2 folder and note the MD5 hash.
e) Validate that this hash value is different to that produced in Step #1.
You're verifying that you can, in fact, write to the drive. Since the final test is to verify that the write blocker blocks, you have to verify that absence of the write bloker doesn't block.