where to buy the next box of HDDs?

31 Posts
10 Users
0 Reactions
4,958 Views
jhup
(@jhup)
Noble Member
Joined: 16 years ago
Posts: 1442
Topic starter

wipe
partition
format
hash


(@mscotgrove)
Prominent Member
Joined: 17 years ago
Posts: 940
 

CJ_Centeno wrote:
I am new to the field as I am still in school waiting to start my core classes. My question is how exactly do you get a hash value on a new hard drive?

Why do you want to hash a new drive?

It depends on the type/size of partition, any serial number added, etc etc. You will also need to know what you expect for a FAT32, Linux XFS, NTFS disk of the EXACT size, with same serial number.

Surely a much better check is that all logical sectors are zeros. This probably best performed after a wipe, rather than after a partition.

A hash value is only useful to know if 'A' matches 'B' exactly, and they are the same size. It does not indicate both are blank, unless you already know that 'A' or 'B' is blank. One sector different in size and it will fail the match, even though both disks may be blank.


(@cj_centeno)
Active Member
Joined: 13 years ago
Posts: 6
 

Why do you want to hash a new drive?

From the text I have been reading, when using a new hard drive during an investigation you are supposed to match the hash that you took when you acquired the new drive to the hash it has before you use it. As you said, "A matches to B".


(@bithead)
Noble Member
Joined: 20 years ago
Posts: 1206
 

Seems we are getting away from the original topic, but I will throw this out there: I know when we used to clone drives you had to make sure the drive was wiped, but do many people still do that? If you are imaging to a forensic container (E01, etc.), why wipe the drive?


jhup
(@jhup)
Noble Member
Joined: 16 years ago
Posts: 1442
Topic starter

Because lawyers tend to ask just the questions about things that are usually considered unnecessary.

It costs me only 15 minutes to kick off a wipe and hash of a target drive.

It would cost me hours of court time to explain why it is not necessary to wipe when using a container.


(@cj_centeno)
Active Member
Joined: 13 years ago
Posts: 6
 

Thank you, Bithead and Jhup, for answering my question.


jaclaz
(@jaclaz)
Illustrious Member
Joined: 18 years ago
Posts: 5133
 

Because lawyers tend to ask just the questions about things that are usually considered unnecessary.

It costs me only 15 minutes to kick off a wipe and hash of a target drive.

It would cost me hours of court time to explain why it is not necessary to wipe when using a container.

Sure, and you should also wear gloves and a gas mask when analyzing a hard disk, to be on the safe side, or even better build a "clean room" to avoid data contamination.

I do understand your practical approach, but it's exactly this kind of approach that dumbs down humanity; those who know how things work lower themselves to the level of those that don't know a s***t about them, and what starts as an urban myth becomes "accepted standard" or - worse - "compulsory procedure".

Be a man! ;)
Fight for your beliefs!

jaclaz


(@mscotgrove)
Prominent Member
Joined: 17 years ago
Posts: 940
 

I very largely agree with Jaclaz.

The main area I feel has become a myth is that if there is a hash value, the answer is correct. In this example, I think a wipe is very valid, followed by a verify, but I do not understand the reason for a hash. Unless one has a table of hashes for every size of blank disk, it is just a long number with zero meaning.


jaclaz
(@jaclaz)
Illustrious Member
Joined: 18 years ago
Posts: 5133
 

The main area I feel has become a myth is that if there is a hash value, the answer is correct. In this example, I think a wipe is very valid, followed by a verify, but I do not understand the reason for a hash. Unless one has a table of hashes for every size of blank disk, it is just a long number with zero meaning.

I am happy that you agree with me, but I am not sure I get it.

We do know (I hope) that when doing a sector level copy there is no difference whatsoever between a stream of bytes (a whole disk cloned) written on a completely wiped hard disk or to a disk used until one minute before to hold (say) your private collection of p0rn movies or the accounting data of your firm.

I mean, if you write 10,000,000 sectors, and you read them again, unless a write error occurred, whatever was there before is lost and the newly written 10,000,000 sectors are what you read (and the hashes of the sources and of the target are the same).

As I see it the same happens for a "container" like an EnCase image.
The only possible issue I can see is the difference if you do a sector level copy of the "target" drive and the EnCase image file is fragmented.
Then there would be a difference, as in the wiped disk the unused sectors will be all 00's whilst in the used and not sanitized hard disk they can be *whatever*, but still the image files will be identical and the hashes will match.

BUT JFYI, there is a little tool to calculate the hash of n 00ed files/sectors, maybe you missed it:
http://www.forensicfocus.com/Forums/viewtopic/t=5077/postdays=0/postorder=asc/start=9/
http://www.edenprime.com/software/epAllZeroHashCalculator.htm

jaclaz


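Two points from the posts above can be put into code: mscotgrove's check that every logical sector reads as zeros (and his note that a single sector of difference in size breaks a hash match), and the "hash of n zeroed sectors" calculator jaclaz links to. The block below is an added example, not code from the thread or from the epAllZeroHashCalculator tool; it streams the zero sectors so no disk-sized buffer is needed, and `verify_blank` accepts a bytes object or any file-like object (for a real device, open it read-only and pass the handle).

```python
import hashlib
import io

SECTOR = 512  # logical sector size assumed for the examples


def all_zero_hash(n_sectors, sector_size=SECTOR, algo="sha256", chunk_sectors=2048):
    """Hash of a device made of n_sectors sectors of 0x00, computed in chunks.

    This is the 'table of hashes for every size of blank disk' the thread
    talks about, generated on demand instead of stored.
    """
    h = hashlib.new(algo)
    zeros = bytes(sector_size * chunk_sectors)
    full, rest = divmod(n_sectors, chunk_sectors)
    for _ in range(full):
        h.update(zeros)
    h.update(zeros[: rest * sector_size])  # tail shorter than one chunk
    return h.hexdigest()


def verify_blank(source, sector_size=SECTOR, algo="sha256"):
    """Read a device or image sector by sector.

    Returns the sector count, whether every sector was all zeros, the index
    of the first non-zero sector (None if blank) and the hash of the whole
    stream, so the blank check and the hash come from one pass.
    """
    fobj = io.BytesIO(source) if isinstance(source, (bytes, bytearray)) else source
    h = hashlib.new(algo)
    sectors = 0
    first_dirty = None
    while True:
        sec = fobj.read(sector_size)
        if not sec:
            break
        h.update(sec)
        if first_dirty is None and any(sec):  # any() is True if a byte is non-zero
            first_dirty = sectors
        sectors += 1
    return {
        "sectors": sectors,
        "blank": first_dirty is None,
        "first_dirty_sector": first_dirty,
        "hash": h.hexdigest(),
    }


if __name__ == "__main__":
    # Constructed sample: 4096 blank sectors, then the same with one stray byte.
    dirty = bytearray(4096 * SECTOR)
    dirty[1000 * SECTOR + 3] = 0x41
    print(verify_blank(bytes(4096 * SECTOR)), verify_blank(bytes(dirty)), sep="\n")
```

Note that `verify_blank` on a blank device reports the same digest as `all_zero_hash(sectors)`, which is the only thing a blank-disk hash can ever tell you; the `blank` flag answers the judge's question directly.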
(@mscotgrove)
Prominent Member
Joined: 17 years ago
Posts: 940
 

The issue we are discussing is wiping a new disk, before putting a container image file or disk image on it. A hash of a file is useful, and a file may be an EnCase image. This will show that the file has not been changed.

The hash of a blank disk is to make sure that the disk does not contain any previous information. I think it may be easier to explain to a judge that every sector was tested to make sure it was blank, rather than trying to explain that the disk had a hash value of 1234…. and you ran a program to determine a hash value for a disk of 345… sectors, and the hash values were the same. Surely the judge just wants to know that the disk was blank.

Keep it simple: a hash is not required.


Page 2 / 4