Why is my MD5 hash value changing bet... Log Out | Topics | Search
Moderators | Edit Profile

X-Ways Support Forum » Disk Tools » Why is my MD5 hash value changing between PC's? « Previous Next »

Author Message
Top of pagePrevious messageNext messageBottom of page Link to this message

Mike Gibbons
Username: gibbonsm

Registered: N/A
Posted on Friday, Dec 7, 2007 - 21:39:   
Hello Team

Please help!

1. I imaged a 32MB CF is WHX format (PC #1)
2. I computed the MD5 hash and saved it as a text file in the same directory
3. Today the hash value has changed?
4. I copied the WHX image (and text file)from PC #1 to a thumb drive and from the thumb drive to PC #2
5. PC #2 computes the proper hash value stored in the text file
6. I then did a file compare of the thumb drive and my original WHX image (PC #1)
7. The file compare indicates NO DIFFERENCES found
8. I then computed the HASH of the thumb drive and PC #1 WHX file and they are identical but neither matches the original text file

What is going on?????????????

Mike Gibbons
Sugar Land, Texas
gibbons.mike@comcast.net
Top of pagePrevious messageNext messageBottom of page Link to this message

Alfons Kramer
Username: admin3

Registered: 4-2004
Posted on Tuesday, Dec 11, 2007 - 11:17:   
The separation of the two tasks: creating the image and computing the hash can introduce intricate problems. A better idea would be to apply the E01 Evidence File Format. It computes the hash simultaneously during the imaging process.

If the hash doesn't match this can be due to a layering problem: accessing the media once at the device driver level and once at the physical sector level.

There could be write behind data that gets flushed during the imaging process.

The difference can be due to the fact that the media gets marked as mounted.

The difference can be due to the occurrence of an defect sector handling event.

To deal with all those intricacies one should monitor the state of the defect management before and after the imaging (as is done by WinHex Forensics Edition). In addition one should use an USB-Writeblocker.

To be able to reconstruct your hash problem one needs to know: You computed the MD5 hash of what? The WHX-file itself, then WHX-files content or the physical media.

By the way, the WHX-format is intended mainly as a backup format.
Top of pagePrevious messageNext messageBottom of page Link to this message

Mike Gibbons
Username: gibbonsm

Registered: N/A
Posted on Tuesday, Dec 18, 2007 - 18:19:   
Hello Alfons

You are a wealth of information. Thank you Sir!

Mike Gibbons
Sugar Land, Texas
gibbons.mike@comcast.net

Add Your Message Here
Post:
Username: Posting Information:
Only registered users may post messages here, i.e. you need to have an account.
Password:
Options: Enable HTML code in message
Automatically activate URLs in message
Action:
Forum operated by X-Ways Software Technology AG.