Hi friends,
I posted the same yesterday, but it was lost due to the server being down, as stated by the admin.
I am a cyber forensic expert working in a govt lab in India. I have received a case wherein a CD was seized and sent for analysis. The CD was imaged using EnCase, a hash was generated (MD5), and the analysis was completed. Now the defence wants a copy of the CD which was analyzed. The investigating agency provided the copy of the CD. The defence calculated the hash of this CD, which does not match the hash of the original CD which was analysed in the laboratory. Hence the dispute.
Is there any method/software through which a copy of the CD can be made so that both CDs have the same hash?
thanks in advance,
krishna m
Can you clarify?
How was the copy of the CD made? (EXACTLY)
Do you have both the "original" and the "copy"?
Can you re-extract the image from the "original"?
Can you extract the image of the copy?
Are the two images exactly the same length?
Since they are "small files" (max 650 or 700 MB) you can do a binary comparison of the two extracted images.
I seem to remember vaguely a similar issue that in the end was connected to one tool (or the other) extracting the "whole" CD contents and thus having a different size due to different media (while the "burning tool" wrote only the CDFS filesystem), or something like that.
I'll see if I can find a reference.
In any case, generically speaking, hashing is a "shortcut": if it validates, good; if it doesn't, a binary compare is the next step to find out WHAT has changed.
jaclaz
Duping between DVD+R and DVD-R will give different hashes.
Some authoring software will set CDs to a max of 650MB while some will do 700MB. This will have a hash difference.
Ensure that the duplication software is not creating a log file on the duped disc.
Make sure the duped disc is named the same.
Don't use the Auto-Copy feature when duping CDs. Generate the copied disc from an ISO file.
Create an ISO file of the original disc.
Hash the files of the mounted ISO file.
I've imaged hundreds of CDs and DVDs in the past using FTK Imager. I can recall several occasions where the image hash did not match the source disk. I remember re-imaging the disk only to get a completely different hash. Hashing CDs and DVDs is a nightmare. I would try contacting Paul Crawley from InfinaDyne. Paul created a fantastic tool called CD/DVD Inspector. Paul knows more about CD/DVD than anyone I know.
Hi sir,
The duplicate was made by the copy CD option in the CD writing software, i.e. Nero Express and CDBurnerXP. I also created the ISO of the original, restored it and calculated the hash. All three generated different hashes. The original CD is available, the earlier image is not available, so I have now imaged the disk.
krishna m
Hi sir,
The duplicate was made by the copy CD option in the CD writing software, i.e. Nero Express and CDBurnerXP,
This is usually incorrect.
That is "copy CD", NOT "clone CD".
The point is
1) get the original and make a .iso image of it.
2) hash the .iso
3) burn the .iso to a new CD
4) get the new CD and make a .iso image of it using the SAME tool as in #1
5) hash the new .iso
Compare hashes #2 and #5.
If the hashes are different, do a binary compare of the two .iso images #1 and #4.
jaclaz
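The binary compare suggested in this thread, as an added example that is not part of any poster's message: it compares two extracted images sector by sector and reports whether they differ in content or only in length. The 2048-byte sector size, the function names and the sample images built in `demo()` are assumptions made for the illustration.

```python
import hashlib
import os
import tempfile

SECTOR = 2048  # assumed user-data bytes per sector in a .iso image

def md5_prefix(path, length):
    """MD5 of the first `length` bytes of a file."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        while length > 0:
            chunk = f.read(min(1 << 20, length))
            if not chunk:
                break
            h.update(chunk)
            length -= len(chunk)
    return h.hexdigest()

def compare_images(path_a, path_b, max_report=20):
    """Sector-by-sector compare of two images; returns a findings dict."""
    size_a, size_b = os.path.getsize(path_a), os.path.getsize(path_b)
    common = min(size_a, size_b)
    differing = []
    with open(path_a, "rb") as fa, open(path_b, "rb") as fb:
        for offset in range(0, common, SECTOR):
            n = min(SECTOR, common - offset)
            if fa.read(n) != fb.read(n) and len(differing) < max_report:
                differing.append(offset // SECTOR)
        longer = fa if size_a > size_b else fb
        longer.seek(common)  # what the longer image holds past the shared length
        tail = longer.read()
    return {
        "sizes": (size_a, size_b),
        "full_md5_match": md5_prefix(path_a, size_a) == md5_prefix(path_b, size_b),
        "common_md5_match": md5_prefix(path_a, common) == md5_prefix(path_b, common),
        "differing_sectors": differing,  # first max_report sector numbers only
        "extra_sectors": len(tail) // SECTOR,
        "extra_all_zero": tail.count(0) == len(tail),
    }

def demo():
    """Constructed sample: image B is image A plus 150 zero-filled sectors."""
    d = tempfile.mkdtemp()
    a, b = os.path.join(d, "original.iso"), os.path.join(d, "copy.iso")
    body = b"".join(bytes([i % 251]) * SECTOR for i in range(64))
    with open(a, "wb") as f:
        f.write(body)
    with open(b, "wb") as f:
        f.write(body + bytes(150 * SECTOR))  # 150 is an arbitrary count
    return compare_images(a, b)
```

When `common_md5_match` is true and `extra_all_zero` is true, the two images hold the same data and differ only in how many trailing sectors the imaging tool read, which is the length question raised earlier in the thread.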