RAID hashes

9 Posts · 7 Users · 0 Reactions · 1,654 Views
(@joshsevo)
Trusted Member
Joined: 15 years ago
Posts: 89
Topic starter  

Why doesn't a mirror image of a HDD compute the same hashes? Opening both drives in Encase 6 I see the same amount of files on both drives, same file structure but yet different hashes. Why is this?

ntexaminer
(@ntexaminer)
Eminent Member
Joined: 14 years ago
Posts: 49
 

Can you elaborate? What type of RAID is this? And what do you mean by "both drives"? What are the drives you're comparing?

(@mscotgrove)
Prominent Member
Joined: 17 years ago
Posts: 940
 

A hash is an EXACT compare. A single bit different and the hash will be different.

There may be a sector (possibly out of the range of the RAID) which has the drive number, and so is different.

Try a binary compare and see where the difference is, and is it significant. You may be happy with a 99.99999% good match, but this will be a different hash value.

(@joshsevo)
Trusted Member
Joined: 15 years ago
Posts: 89
Topic starter  

I found the answer by going to a more experienced examiner than myself. Thanks for the replies.

TuckerHST
(@tuckerhst)
Estimable Member
Joined: 16 years ago
Posts: 175
 

> I found the answer by going to a more experienced examiner than myself.

And that answer was?

Adam10541
(@adam10541)
Honorable Member
Joined: 13 years ago
Posts: 550
 

>> I found the answer by going to a more experienced examiner than myself.
>
> And that answer was?

+1

Don't leave us hanging )

My first thought was that it may be something to do with unallocated space. Doesn't a mirror RAID only mirror the file system and ignore unallocated clusters?

jhup
(@jhup)
Noble Member
Joined: 16 years ago
Posts: 1442
 

As Adam said, in my experience a RAID 1 is not byte-by-byte identical.

It cannot be, especially if it is a hardware RAID, in my reconstructing experience.

When drives are added to a RAID, the controller (and I believe even the software implementation), has to have identification added to the drive to know which is primary, which is secondary.

This was much clearer in the good old days, pre-RAID. Back then mirroring worked just as well, but the switching from failed drive to mirrored drive was manual. The admin had to tell the controller, "drive 0 in the mud, switch to drive 1". NetWare 2.11 comes to mind…

This is why one cannot just swap out one RAID controller with another one. Most will need to be at least the same model or brand.

In other byte- or block-striped, parity-drive, etc. configurations this makes more sense of course, but it still applies within a mirrored situation.

From the digital forensics perspective, I would locate the discrepancies and note them. I venture to say that if you hashed the volumes, they will be identical. The reference data should be written somewhere outside (one would hope) of at least the volumes, but preferably outside of the partitions.

I do not believe there is material impact to the case, unless it is around the mirroring - but you know this better.

Hope this helps.

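The binary compare that mscotgrove suggests and the volume-level hashing that jhup describes, as an added example that is not part of this thread: a Python script that walks two constructed mini disk images sector by sector, reports which LBAs differ, and hashes each MBR partition separately so the examiner can see whether the mismatch lies outside every volume. The 16-sector MBR layout and the trailing per-member metadata sector are assumptions made for the demonstration, not a real controller format.

```python
import hashlib
import struct

SECTOR = 512

def build_image(member_id: bytes) -> bytes:
    """Constructed 16-sector MBR image (not a real capture): one partition at LBA 2..9,
    unused filler, and a final sector of per-member controller metadata (assumed layout)."""
    mbr = bytearray(SECTOR)
    # MBR entry 1 at offset 446: status, CHS start, type 0x83, CHS end, LBA start, LBA count
    mbr[446:462] = struct.pack("<BBBBBBBBII", 0x80, 0, 0, 0, 0x83, 0, 0, 0, 2, 8)
    mbr[510:512] = b"\x55\xaa"
    volume = bytes(range(256)) * (8 * SECTOR // 256)   # identical payload on both members
    filler = bytes(SECTOR * 5)                          # LBA 10..14, untouched
    meta = member_id.ljust(SECTOR, b"\x00")             # LBA 15: differs per member
    return bytes(mbr) + bytes(SECTOR) + volume + filler + meta

def partitions(img: bytes):
    """Parse the four primary MBR entries into (lba_start, lba_count) for nonzero types."""
    found = []
    for i in range(4):
        entry = img[446 + 16 * i:462 + 16 * i]
        start, count = struct.unpack_from("<II", entry, 8)
        if entry[4]:                                    # partition type byte
            found.append((start, count))
    return found

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def differing_lbas(a: bytes, b: bytes):
    """Sector-by-sector binary compare; returns the LBAs whose contents differ."""
    n = min(len(a), len(b)) // SECTOR
    return [i for i in range(n) if a[i*SECTOR:(i+1)*SECTOR] != b[i*SECTOR:(i+1)*SECTOR]]

def compare_members(a: bytes, b: bytes) -> dict:
    """Whole-disk vs per-partition hashes, plus whether differences lie outside any partition."""
    parts = partitions(a)
    diffs = differing_lbas(a, b)
    in_part = lambda lba: any(s <= lba < s + c for s, c in parts)
    span = lambda img, s, c: img[s*SECTOR:(s+c)*SECTOR]
    return {
        "disk_hash_equal": sha256(a) == sha256(b),
        "partition_hash_equal": [sha256(span(a, s, c)) == sha256(span(b, s, c)) for s, c in parts],
        "diff_lbas": diffs,
        "diffs_outside_partitions": [lba for lba in diffs if not in_part(lba)],
    }

if __name__ == "__main__":
    result = compare_members(build_image(b"MEMBER-0"), build_image(b"MEMBER-1"))
    print(result)  # disk hashes differ, partition hash equal, only LBA 15 differs
```

On real images the same approach works with memory-mapped files and an hash per partition read from the image's own partition table; a difference that falls only outside every partition is the controller-metadata case the thread describes, while a difference inside a partition needs a closer look.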
markg43
(@markg43)
Trusted Member
Joined: 18 years ago
Posts: 77
 

Yes, normally I see the same thing for mirror RAID - the two disk hashes are different.

However, we have had a very few where we did find the hashes match exactly. In fact, it just happened last week.

So it can happen, I just don't expect it. Others have stated why, but I wanted to add that we have seen it.

TuckerHST
(@tuckerhst)
Estimable Member
Joined: 16 years ago
Posts: 175
 

> As Adam said, in my experience a RAID 1 is not byte-by-byte identical.
>
> It cannot be, especially if it is a hardware RAID, in my reconstructing experience.
>
> From the digital forensics perspective, I would locate the discrepancies and note them. I venture to say that if you hashed the volumes, they will be identical. The reference data should be written somewhere outside (one would hope) of at least the volumes, but preferably outside of the partitions.

Thanks for this contribution. It's a little unfortunate that we've had to make the assumption that it was RAID 1, with no further details on the observations, however, I suppose that's the nature of a public forum.

I agree, logic dictates there may be differences between the disks, while the volumes should hash identically. For what it's worth, I just double-checked drive image capture reports on a case I'm working that involves a RAID 1, and in this instance, each disk produced the same hash value. The only difference between the disks was the serial number. Conclusion: as with many forensic issues, your mileage may vary.
