Mebbe I've missed a trick, but although TIM is significantly faster than FTKI I don't see hash value comparisons being calculated. In fact, it's not even clear what the one hash value (MD5 or MD5+SHA1) refers to - source or image.
If I am right, what are others on this forum using to carry out a pre-image hash when using TIM? I can see there are lots of tools out there, was wondering if there's anything tried and tested (other than FTKI and EnCase)?
Penny for them?
Update: I've had it confirmed by a UK vendor for Tableau that the hash calculated by TIM is for the Source Disk only.
So, any recommendation for Hashing the image?
I have a case where I cannot hang on to the source disk for future verification.
You can use a program like hashcalc, which is free on the web. In hashcalc you open the image file and hit the calculate hash button. If the hash matches what the TIM calculated from the source disk, then you have a 1-1 copy. Perfect image.
You can't go far wrong with FTK Imager if you're verifying in Windows.
Most of the forensic programs that I've seen have image hash verification built in and will re-calculate the hash (sometimes automatically) of the image file.
Use TIM to create hash and then verify in FTK Imager.
While FTK runs I can finish my CoC and notes or run next image if there are any.
Match, put system back together. Start next disk or making second copy from disk image.
Mismatch, rehash with FTK.
Mismatch again, grumble to myself about hating computers and try in another program.
Mismatch again, evidence drive back on write blocker and hash. If there is a match between original value and evidence drive then create new image. But, if mismatch between original value and evidence drive the second time, then have to troubleshoot with hash values generated from multiple programs. Possible hardware, sector, etc. problems; have to do some troubleshooting.
As good practice save everything and keep good notes.
Thanks for the comments everyone. Was hoping to find a quicker and reliable alternative option to FTK, but FTK it is.
I haven't tested TIM for imaging + FTK for verification versus FTK for the whole shebang in terms of speed. I guess overall performance will vary depending on evidence drive, connection to Tableau, connection from Tableau, CPU, speed of connection to image drive.
Thanks again everyone
The main limiting factor in verification will be the speed at which you can read off the drive containing your images; connect it by eSATA/USB3 if you can.
True. Am verifying a dd image right now connected to my PC via eSATA. X-Ways Forensics is verifying it at around 6GB/minute, hitting up to 6.4GB/minute.
Being internal corporate on a limited budget, I've had to make do with USB 2.0 drives until very recently, when I got some Seagate FreeAgent GoFlex drives - interchangeable between USB 2.0 and eSATA (and USB 3.0 apparently).
So I did some tests comparing imaging a 1GB thumb drive to USB 2.0 and eSATA using TIM and FTKI.
There was almost no difference between USB 2.0 and eSATA in terms of imaging speed even with no compression.
Verification is where the speed benefit using eSATA arose, almost twice the speed of USB 2.0.
Straight copy and file wiping operations were more than twice as quick.
Will try DBAN at some stage when I've got sick of watching paint dry, grass grow etc.
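The image-side check discussed in this thread (hash the image file, compare with the source-disk hash TIM recorded), as an added Python example that is not from any poster or tool named above; it goes slightly further than the thread by reading split raw segments (`name.001`, `name.002`, ...) in order and computing MD5 and SHA-1 in a single pass. It assumes a raw/dd image: container formats such as E01 wrap the data in their own metadata, so hashing the file itself will not reproduce the source hash. The function names and segment naming scheme are assumptions.

```python
import hashlib
import re
from pathlib import Path

CHUNK = 4 * 1024 * 1024  # 4 MiB sequential reads

def segment_paths(first):
    """List the image's files in order: one file, or name.001, name.002, ..."""
    first = Path(first)
    m = re.fullmatch(r"(.*)\.(\d{3,})", first.name)
    if not m:
        return [first]
    stem, width, n = m.group(1), len(m.group(2)), int(m.group(2))
    paths = []
    while (p := first.with_name(f"{stem}.{n:0{width}d}")).exists():
        paths.append(p)
        n += 1
    return paths

def hash_image(first):
    """One read pass over all segments, feeding MD5 and SHA-1 together."""
    paths = segment_paths(first)
    if not paths:
        raise FileNotFoundError(first)
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    for p in paths:
        with open(p, "rb") as f:
            while chunk := f.read(CHUNK):
                md5.update(chunk)
                sha1.update(chunk)
    return md5.hexdigest(), sha1.hexdigest()

def verify(first, source_md5=None, source_sha1=None):
    """Compare image digests with the source-disk values from the imaging log."""
    norm = lambda h: re.sub(r"\s+", "", h).lower()
    md5, sha1 = hash_image(first)
    report = {"md5": md5, "sha1": sha1}
    if source_md5:
        report["md5_match"] = norm(source_md5) == md5
    if source_sha1:
        report["sha1_match"] = norm(source_sha1) == sha1
    return report

if __name__ == "__main__":
    import sys
    # Usage: python verify_image.py <image or first segment> [source MD5] [source SHA-1]
    print(verify(sys.argv[1], *sys.argv[2:4]))
```

Keep the returned report with the case notes; a `False` match means re-hashing the image and, if it persists, the evidence drive, as described in the posts above.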