
ENCASE VALIDITY: MD5 VERIFICATION ERROR

(@forensicbuddy)

I have a case where an examiner is refusing to copy a drive because it is having an MD5 verification mismatch. Anyone have any insight into this problem and ramifications legally if the MD5 isn't matching the image they took on site?


   
(@bperk)
 

I have a case where an examiner is refusing to copy a drive because it is having an MD5 verification mismatch. Anyone have any insight into this problem and ramifications legally if the MD5 isn't matching the image they took on site?

I assume you are referring to the Acquisition Hash and the Verification Hash of the E0 files EnCase creates? If you have a difference in the MD5 Hash from acquisition to verification, and you are using EnCase to do the actual acquisition and verifying and not some other tool for MD5 hash comparison, then you could have a corrupt evidence file on your hands. I would ask the examiner politely to load the evidence files into EnCase and run a file integrity check to see what comes back. If all is well, you should get matching hashes and no CRC errors.


   
4n6art
(@4n6art)
 

Like BPerk said….

Is that examiner hashing your Exx file(s) and then comparing that hash to the hash that EnCase reports during acquisition and imaging? If so, they will not match, since EnCase adds its own error checking to an Exx file.

However, if the acquisition hash differs from the verification one, then you may have a corrupt image file or you (someone) stepped on your original evidence drive.

-=Art=-


   
(@forensicbuddy)

Art, thank you very much for your kind response.
What legal ramifications or cases does anyone know about where that poses a huge problem, where the MD5 verification and acquisition don't match?


   
(@kovar)
 

Greetings,

It could range from zero impact to making it impossible to prosecute the case. You've not provided us with enough information. Is this the only evidence? Can someone articulate why they don't match? Does the MD5 mismatch only apply to one of the files within the image? (If so, the other segments of the image are still "good".) Can you go get a new image of the original drive and perform the analysis again?

-David


   
keydet89
(@keydet89)
 

What legal ramifications or cases does anyone know about where that poses a huge problem, where the MD5 verification and acquisition don't match?

Without more explicit information about the process and issue, I'm not sure anyone can discuss ramifications. For example, in your original post, you mention "copy a drive" and then later you mention an image. So what's going on?


   
(@mscotgrove)
 

Can you compare the two files and see what the differences are? A single bit will cause an MD5 difference.

If the differences are small these could be explained, and the files involved isolated.

I do not know if EnCase can do simple compares, but one way would be to convert both images to a DD and do a simple binary compare (fc /b in DOS).


   
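The binary compare suggested in the last post, as an added example that is not part of the original thread: once both images have been exported to raw (DD) form, this Python script hashes each one and lists the sector ranges that differ, so the affected area can be isolated. The 512-byte sector size, the function names and the sample data are assumptions constructed for illustration.

```python
import hashlib
import os
import tempfile

def diff_raw_images(path_a, path_b, sector=512, sectors_per_read=2048):
    """Return (md5_a, md5_b, [(first_sector, last_sector), ...]) for two raw images.
    A size difference shows up as differing sectors at the tail."""
    md5_a, md5_b = hashlib.md5(), hashlib.md5()
    runs = []                       # [first, last] runs of differing sectors
    base = 0                        # sector number at the start of this read
    chunk = sector * sectors_per_read
    with open(path_a, "rb") as fa, open(path_b, "rb") as fb:
        while True:
            a, b = fa.read(chunk), fb.read(chunk)
            if not a and not b:
                break
            md5_a.update(a)
            md5_b.update(b)
            if a != b:              # only walk sectors inside a differing chunk
                count = -(-max(len(a), len(b)) // sector)   # ceiling division
                for i in range(count):
                    lo = i * sector
                    if a[lo:lo + sector] != b[lo:lo + sector]:
                        n = base + i
                        if runs and runs[-1][1] == n - 1:
                            runs[-1][1] = n                 # extend current run
                        else:
                            runs.append([n, n])
            base += sectors_per_read
    return md5_a.hexdigest(), md5_b.hexdigest(), [tuple(r) for r in runs]

def constructed_demo(flip=(3, 10, 11)):
    """Diff two constructed 16-sector images; each sector in `flip` gets one bit changed."""
    good = bytes(range(256)) * 2 * 16
    bad = bytearray(good)
    for s in flip:
        bad[s * 512] ^= 0x01        # a single flipped bit is enough to change the MD5
    with tempfile.TemporaryDirectory() as d:
        pa, pb = os.path.join(d, "a.dd"), os.path.join(d, "b.dd")
        with open(pa, "wb") as f:
            f.write(good)
        with open(pb, "wb") as f:
            f.write(bad)
        return diff_raw_images(pa, pb)

if __name__ == "__main__":
    print(constructed_demo())
```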