Computer Forensics World :: View topic - Verifying the image of entire hard disk in windows XP
Mohsen
Newbie
Joined: Mar 08, 2011
Posts: 13

Posted: Wed Aug 31, 2011 6:15 pm    Post subject: Verifying the image of entire hard disk in windows XP

Hello,

As usual, Windows gives me a hard time doing very simple tasks!!

I will describe the details so it might be helpful for others …

The problem began when I used dd to make a forensic copy of the whole hard disk of the suspect with this command:

    z:\dd if=\\?\Device\Harddisk0\Partition0 of=z:\case.dd

Then I used:

    z:\fciv -add case.dd -both >> case.dd.hash

Now the problem is getting the hash checksum of the entire hard disk. I tried:
• “\\?\Device\Harddisk0\Partition0” --> “Error: The system cannot find the path specified.”
• “\\.\PhysicalDrive0” --> “Error: A device attached to the system is not functioning.”

I don’t know what else I can do …

Please note that I don’t want to use GUI tools!

Thank you :)
athulin
Newbie
Joined: Oct 19, 2007
Posts: 201

Posted: Wed Aug 31, 2011 8:54 pm    Post subject: Re: Verifying the image of entire hard disk in windows XP

Mohsen wrote:
Now the problem is getting the hash checksum of the entire hard disk. I tried:
• “\\?\Device\Harddisk0\Partition0” --> “Error: The system cannot find the path specified.”
• “\\.\PhysicalDrive0” --> “Error: A device attached to the system is not functioning.”

As you don't say what software you are using for hashing, it's difficult to make any suggestions. You may be better off asking the originator of that software. If it was not intended for forensic use, it may not allow using device paths as source specifications.

However, if the hashing program allows input by stdin, you should be able to use dd, and just pipe the data on to the hashing program.

Quote:
I don’t know what else I can do …

Try Unix-based tools instead?
Mohsen
Newbie
Joined: Mar 08, 2011
Posts: 13

Posted: Wed Aug 31, 2011 10:51 pm    Post subject: Re: Verifying the image of entire hard disk in windows XP

athulin wrote:
As you don't say what software you are using for hashing, it's difficult to make any suggestions. You may be better off asking the originator of that software. If it was not intended for forensic use, it may not allow using device paths as source specifications.

In fact, you can see the application I used in the command syntax: I used Microsoft FCIV.

Quote:
However, if the hashing program allows input by stdin, you should be able to use dd, and just pipe the data on to the hashing program.

I already generated the hash checksum of the dd output, but what I need now is to verify that hash against the hash of the actual files, which should be the whole hard disk.

Quote:
Try Unix-based tools instead?

In fact, the system is live evidence and I can't restart it for the sake of the evidence ... And running a Unix-based tool under Windows (if we want to use some simulators) will face compatibility issues ...

Thanks for the reply, anyway :)
cybercop
Newbie
Joined: Nov 01, 2005
Posts: 482
Location: Marion, Indiana, USA

Posted: Thu Sep 01, 2011 2:27 am

If you are hashing a drive while it is live, the hash will be changing ALL of the time.
Mohsen
Newbie
Joined: Mar 08, 2011
Posts: 13

Posted: Thu Sep 01, 2011 2:32 am

cybercop wrote:
If you are hashing a drive while it is live, the hash will be changing ALL of the time.

You are right, but I have to do this. The matter is how?

Anyhow, I'll give up on this, reboot the system and use Helix to make the image ...

But I'm still wondering why we cannot take a hash checksum of the whole hard disk in Windows? That's a stupid limitation!!
cybercop
Newbie
Joined: Nov 01, 2005
Posts: 482
Location: Marion, Indiana, USA

Posted: Thu Sep 01, 2011 2:36 am

There is no point in a post-acquisition hash verification, because the hash WILL be different than the hash was when you created the image.
Mohsen
Newbie
Joined: Mar 08, 2011
Posts: 13

Posted: Thu Sep 01, 2011 2:54 am

cybercop wrote:
There is no point in a post-acquisition hash verification, because the hash WILL be different than the hash was when you created the image.

Again, TRUE ...

Maybe with every single millisecond that passes, the OS and running instances DO change bits continuously.

I know this fact, that it is useless to make this hash for image integrity verification.

OK, let's say this in other words:

The hard disk (with some logical partitions) is a secondary HDD attached to the system, and the hard disk is write-protected by a device like "IDE DriveLocker".

BUT the question is HOW this can be done;
I cannot believe that this is impossible in WINDOWS!! :shock:

Thank you,
cybercop
Newbie
Joined: Nov 01, 2005
Posts: 482
Location: Marion, Indiana, USA

Posted: Thu Sep 01, 2011 3:05 am

It is not impossible. There are many commercial forensics applications available that can / will do it.
cybercop
Newbie
Joined: Nov 01, 2005
Posts: 482
Location: Marion, Indiana, USA

Posted: Thu Sep 01, 2011 3:09 am

Looking back at all of your posts, it really looks like these are all questions for a class in computer security.
Mohsen
Newbie
Joined: Mar 08, 2011
Posts: 13

Posted: Thu Sep 01, 2011 3:12 am

cybercop wrote:
Looking back at all of your posts, it really looks like these are all questions for a class in computer security.

Does it really matter?

If yes, I'm gonna say yes.
But what I do is far away from class borders ...

:)
cybercop
Newbie
Joined: Nov 01, 2005
Posts: 482
Location: Marion, Indiana, USA

Posted: Thu Sep 01, 2011 3:15 am

It matters in that we do not do homework for people.
Mohsen
Newbie
Joined: Mar 08, 2011
Posts: 13

Posted: Thu Sep 01, 2011 3:19 am

cybercop wrote:
It matters in that we do not do homework for people.

You are wrong, because this is not homework!
This is my profession and ...

I will never say who is a student and who is doing his job or ...

What matters is WHO WANTS TO LEARN.

------------------------------------------------------------

And here, people are supposed to solve something,

not discuss about ... we can continue by private message.

Thanks.
cybercop
Newbie
Joined: Nov 01, 2005
Posts: 482
Location: Marion, Indiana, USA

Posted: Thu Sep 01, 2011 3:29 am

Back to your topic.
The File Checksum Integrity Verifier (FCIV) is a command-prompt utility that computes and verifies cryptographic hash values of files.

That is straight from the description on the http://support.microsoft.com/kb/841290 page.

It makes no mention of doing checksums of entire drives. It will take a third party tool to do it, but again, we are assuming you have now hooked the drive up as a secondary drive on a lab computer to do the acquisition and checksums.
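The streaming approach athulin suggests (feed the raw device to the hasher block by block instead of asking FCIV to open a device path), applied to the write-blocked secondary-drive setup Mohsen describes and cybercop assumes in his last post, as an added example that is not from this thread or from any tool named in it. It assumes Python 3 on the examining machine; the real device path (for instance \\.\PhysicalDrive1 on Windows, which needs administrator rights and sector-aligned reads) is an assumption, and the demo stands in constructed temporary files for the device and the dd image.

```python
import hashlib
import os
import tempfile

# Added example, not the thread's or FCIV's code. 1 MiB reads: a multiple of the
# 512-byte sector size that raw device handles (e.g. r'\\.\PhysicalDrive1') require.
BLOCK = 1 << 20

def stream_digests(path, algorithms=("md5", "sha1")):
    """Hash a file or raw device without loading it into memory. Returns the hex
    digests plus the byte count, so a short read or a truncated image is reported
    as a mismatch in its own right, not only through a differing digest."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    total = 0
    with open(path, "rb", buffering=0) as f:
        while True:
            chunk = f.read(BLOCK)
            if not chunk:
                break
            total += len(chunk)
            for h in hashers.values():
                h.update(chunk)
    result = {name: h.hexdigest() for name, h in hashers.items()}
    result["bytes"] = total
    return result

def verify_image(device_path, image_path):
    """Re-read the (write-blocked) source and compare it with the image.
    Returns (ok, details); details["mismatch"] names every value that differs."""
    src = stream_digests(device_path)
    img = stream_digests(image_path)
    mismatch = [k for k in src if src[k] != img[k]]
    return not mismatch, {"source": src, "image": img, "mismatch": mismatch}

def demo():
    """Constructed data: a fake 1 MiB + 4 byte 'disk', a faithful dd copy of it, then
    the same source after one byte changes (what a live, unprotected source does)."""
    data = bytes(range(256)) * 4096 + b"tail"
    with tempfile.TemporaryDirectory() as d:
        dev = os.path.join(d, "fake_physicaldrive")
        img = os.path.join(d, "case.dd")
        for p in (dev, img):
            with open(p, "wb") as f:
                f.write(data)
        ok_same, _ = verify_image(dev, img)
        with open(dev, "r+b") as f:  # a single byte flips on the source
            f.seek(777)
            f.write(b"\xff")
        ok_changed, detail = verify_image(dev, img)
    return ok_same, ok_changed, detail["mismatch"]
```

Because the source is re-read in its entirety, the check takes as long as the acquisition did; on a drive that is not write-blocked the second read will differ, which is the point cybercop makes about live systems.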