| Author |
Message |
   
Robert Kelso
Username: rkelso
Registered: N/A
| | Posted on Tuesday, Jun 19, 2007 - 20:39: | |
I'm going through a process of using WinHex to image an "evidence" drive, write that image to an empty hard drive for safe keeping, then restore the image to a second "working" empty hard drive to browse around in. I can verify using MD5 hashes that my original "evidence" drive and my image match. I cannot, however, find a way to verify using an MD5 hash that my restored image matches either my image files or my original evidence drive. An MD5 hash of my new "working" drive does not match the MD5 of my image or the MD5 of my evidence drive. The MD5 of my image and of my evidence drive are the same, of course. Misc: I'm using WinHex 14.1 SR-3, Specialist license. Image is .dd format, split up into 2GB pieces. |
   
Stefan Fleischmann
Username: admin
Registered: 1-2001
| | Posted on Tuesday, Jun 19, 2007 - 21:13: | |
Sounds completely normal. You cannot possibly expect the new working drive to keep the same hash value. One reason is that if it's not exactly the same hard disk model, it probably has a different total number of sectors. A solution for that would be to selectively hash the correct range of sectors only. Another reason is that after WinHex has completed copying/restoring the image to that working drive, Windows obviously can access that drive, i.e. alter timestamps, update/create the recycle bin, etc. plus you "browse around", thereby probably altering even more timestamps. Shouldn't give you headaches, it's a normal effect. Restoring the image to a working drive usually is not done or necessary, however, as you can much more conveniently, much more efficiently and much more thoroughly examine all the data/files within the image with a complete computer forensics software such as X-Ways Forensics. |
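
The selective hashing suggested in the reply above, as an added example that is not part of the original posts and is not WinHex functionality: hash only as many bytes of the working drive as the split raw image contains, and compare that with the MD5 of the segments read in order. The function names, file names and sample data are constructed for illustration, and the comparison only holds if the working drive is hashed before the operating system has written anything to it.

```python
import hashlib
import os
import tempfile

CHUNK = 1024 * 1024  # read size; a multiple of the 512-byte sector size

def hash_segments(paths):
    """MD5 and total byte length of split raw-image segments, read in order."""
    md5, total = hashlib.md5(), 0
    for path in paths:
        with open(path, "rb") as f:
            while block := f.read(CHUNK):
                md5.update(block)
                total += len(block)
    return md5.hexdigest(), total

def hash_prefix(path, length):
    """MD5 of only the first `length` bytes of a drive or file."""
    md5, remaining = hashlib.md5(), length
    with open(path, "rb") as f:
        while remaining > 0:
            block = f.read(min(CHUNK, remaining))
            if not block:
                raise ValueError("target is smaller than the image")
            md5.update(block)
            remaining -= len(block)
    return md5.hexdigest()

def verify_restore(segment_paths, target_path):
    """True if the target's leading sectors are bit-identical to the image."""
    image_md5, image_len = hash_segments(segment_paths)
    return hash_prefix(target_path, image_len) == image_md5

def demo():
    """Constructed data: a 3-sector image in two pieces, a 5-sector target."""
    image = os.urandom(3 * 512)
    with tempfile.TemporaryDirectory() as d:
        parts = [os.path.join(d, "img.001"), os.path.join(d, "img.002")]
        target = os.path.join(d, "working.bin")
        for path, data in ((parts[0], image[:1024]), (parts[1], image[1024:]),
                           (target, image + b"\xff" * 1024)):
            with open(path, "wb") as f:
                f.write(data)
        ranged = verify_restore(parts, target)
        # Hashing the whole, larger target includes sectors beyond the image.
        whole = hash_prefix(target, os.path.getsize(target)) == hash_segments(parts)[0]
        return ranged, whole

if __name__ == "__main__":
    print(demo())
```
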
   
Robert Kelso
Username: rkelso
Registered: N/A
| | Posted on Saturday, Jun 30, 2007 - 18:23: | |
Thanks Stefan. The restore to a working drive was a request from the client so they could "poke around" themselves. They understood the value of making a forensic image to store safely somewhere, but for now, they want to be the ones to look around the drive. They, of course, do not have the forensic tools necessary to explore an image file. Thanks for your clarification. |
|