Validate a Raw image

(@vlnrajesh)
New Member
Joined: 16 years ago
Posts: 2
Topic starter  

Hi All,

I have created E01 and raw (dd) files of partitions using activedata tools.
I would like to mount both in an Ubuntu based machine.
I have libewf packages and sleuthkit packages installed.
My suspicion is that I have similar files (created by other users) in the same machine.
How do I validate E01 and raw images from a forensic perspective, and once that is done I want to mount the same?
At present I am using ewfinfo to get the MD5 sum values to find that it is a valid E01 file, but for raw images I am helpless.

Please guide me.


   
(@patrick4n6)
Honorable Member
Joined: 16 years ago
Posts: 650
 

On linux you can just use the md5sum command. If your raw image files are split, you'll need to cat them together first and pipe them to md5sum.


   
(@vlnrajesh)
New Member
Joined: 16 years ago
Posts: 2
Topic starter  

I have no MD5 values of the disk/partitions for which the RAW images have been prepared. The images could be of a different/unknown machine to me. In such cases how do I validate a forensic image?


   
(@patrick4n6)
Honorable Member
Joined: 16 years ago
Posts: 650
 

If you didn't perform and log/note a baseline hash on the source, then you can't validate your images without access to the original source. If you have the source, and it hasn't been altered, and it matches the hash on your images, then you'd be fine. I hope the rest of your chain of custody is well documented.

You should perhaps update your procedures for raw imaging to include a log file which contains as a minimum the md5 hash and the size in bytes of the source. The imaging script that I use also adds in some user entered information describing the exhibit for tracking purposes. You can get away without a log file if you have otherwise documented the imaging process including the hash in your notes, but I always have both a log file, and a hand written hash in my notes just to be sure.


   
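A worked example of what the two replies above describe: hashing a raw (dd) image that may be split into sequential parts, and writing a baseline log at imaging time (exhibit note, byte size, MD5) that a later copy can be checked against. This is an added illustration, not the replying member's imaging script; the function names, the log layout and the sample image are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not code from the thread. Baseline-and-verify routine for a
# raw (dd) image that is either one file or split into sequentially named parts
# (image.raw.aa, image.raw.ab, ... or image.raw.001, image.raw.002, ...).
# Function names, log layout and the sample data below are constructed.

# MD5 of the whole image: every part matching DIR/PREFIX*, concatenated in
# sorted name order (the glob sorts, so zero-padded suffixes line up).
# A single-file image is simply the one-part case.
image_md5() {
    dir=$1; prefix=$2
    for f in "$dir/$prefix"*; do
        [ -f "$f" ] || continue
        cat "$f"
    done | md5sum | awk '{print $1}'
}

# Total size in bytes across all parts, recorded alongside the hash.
image_size() {
    dir=$1; prefix=$2; total=0
    for f in "$dir/$prefix"*; do
        [ -f "$f" ] || continue
        total=$((total + $(wc -c < "$f")))
    done
    echo "$total"
}

# Baseline record written at imaging time: operator-entered exhibit note,
# timestamp, part count, size and MD5 (the minimum the reply recommends).
write_log() {
    dir=$1; prefix=$2; exhibit=$3; log=$4; parts=0
    for f in "$dir/$prefix"*; do
        [ -f "$f" ] || continue
        parts=$((parts + 1))
    done
    {
        echo "exhibit: $exhibit"
        echo "imaged_at: $(date -u +%Y-%m-%dT%H:%M:%SZ)"
        echo "image: $prefix"
        echo "parts: $parts"
        echo "size_bytes: $(image_size "$dir" "$prefix")"
        echo "md5: $(image_md5 "$dir" "$prefix")"
    } > "$log"
}

# Later verification: recompute over the copy and compare with the log.
# Prints one result line; returns 0 on match, 1 on any mismatch.
verify_log() {
    dir=$1; prefix=$2; log=$3
    want_size=$(sed -n 's/^size_bytes: //p' "$log")
    want_md5=$(sed -n 's/^md5: //p' "$log")
    got_size=$(image_size "$dir" "$prefix")
    got_md5=$(image_md5 "$dir" "$prefix")
    if [ "$got_size" = "$want_size" ] && [ "$got_md5" = "$want_md5" ]; then
        echo "OK: $prefix size=$got_size md5=$got_md5"
        return 0
    fi
    echo "MISMATCH: $prefix logged size=$want_size md5=$want_md5, got size=$got_size md5=$got_md5"
    return 1
}

# Constructed demonstration: a 2688-byte "partition" written as one file,
# copied as three split parts, logged from the original and verified from
# the split copy before and after a one-byte change to the last part.
demo() {
    tmp=$(mktemp -d)
    i=0
    while [ "$i" -lt 64 ]; do
        printf 'SAMPLE-PARTITION-BLOCK-%04d-TEST-DATA-PAD\n' "$i"
        i=$((i + 1))
    done > "$tmp/part.raw"
    mkdir "$tmp/copy"
    split -b 1000 "$tmp/part.raw" "$tmp/copy/part.raw."
    write_log "$tmp" part.raw "constructed demo exhibit" "$tmp/part.log"
    cat "$tmp/part.log"
    verify_log "$tmp/copy" part.raw "$tmp/part.log" || true   # expected OK
    printf 'x' >> "$tmp/copy/part.raw.ac"
    verify_log "$tmp/copy" part.raw "$tmp/part.log" || true   # expected MISMATCH
    rm -rf "$tmp"
}
demo
```

The part order comes from the shell's sorted glob, so split suffixes must sort correctly (zero-padded .001/.002, or the alphabetic suffixes split produces); a .1/.10/.2 naming scheme would concatenate out of order and hash wrong. The script covers raw images only; an E01 carries its acquisition hash inside the container, which is what ewfinfo reports.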