[Dorset] md5sum mismatch

2010-02-04 Thread shane fail
Hi, I am looking for any suggestions which will help with the following
issue.
I am trying to image a Western Digital 40GB hard-disk, to be added into
the Autopsy tool as evidence on a case I have manufactured.
The drive is connected via USB as an external drive and being imaged to
the internal hard-disk of a ubuntu server.
I have tried using:-
dd if=/dev/sdg of=/home/sdg.dd bs=512
dd if=/dev/sdg of=/home/sdg.dd bs=2048
dcfldd if=/dev/sdg of=/home/sdg.dd
md5sum /dev/sdg
each command returns a different md5 hash.
I have repeated the md5sum command several times between running the
other commands and the md5sum is consistent with this command, so I know
the original disk is not being written to.
the dd and dcfldd commands always return:
"amount of files" +1 files in
"same amount" +1 files out.
The hashes match between device and image file on each occurrence but
none match the result returned by the md5sum command.

I hope I am being clear enough here, and if anyone could shed some light
on how this would happen, it would be greatly appreciated.

Kind regards,

shane



-- 
Next meeting: Bournemouth, Wed 2010-02-03 20:00
http://dorset.lug.org.uk/ http://www.linkedin.com/groups?gid=2645413
   Chat: http://www.mibbit.com/?server=irc.blitzed.org&channel=%23dorset
   List info: https://mailman.lug.org.uk/mailman/listinfo/dorset


Re: [Dorset] md5sum mismatch

2010-02-04 Thread Ralph Corderoy

Hi Shane,

> I am trying to image a Western Digital 40gb hard-disk, to be added
> into the Autopsy tool as evidence on a case i have manufactured.
> The drive is connected via USB as an external drive and being imaged
> to the internal hard-disk of a ubuntu server.
> I have tried using:-
> dd if=/dev/sdg of=/home/sdg.dd bs=512
> dd if=/dev/sdg of=/home/sdg.dd bs=2048
> dcfldd if=/dev/sdg of=/home/sdg.dd
> md5sum /dev/sdg
> each command returns a different md5 hash.

dd doesn't return an MD5 hash.  Do you mean you've done `md5sum
/home/sdg.dd' when dd finished?  Odd they differ.

> I have repeated the md5sum command several times between running the
> other commands and the md5sum is consistent with this command, so i
> know the original disk is not being written to.

OK.

> the dd and dcfldd commands always return:
> "amount of files" +1 files in
> "same amount" +1 files out.

Can you be more precise?  For a plain dd, it would be nice to know the
block size used and the two lines that say.  The +1 is weird for a
bs=512.

123546+1 records in
123546+1 records out

> The hashes match between device and image file on each occurrence but
> none match the result returned by the md5sum command.

I'm a bit confused by here.  A cut and paste of the commands done and
their output can often be easier than English.  :-)  You said at the top
/dev/sdg always md5sums to the same value, but now it seems you're
saying that /dev/sdg sometimes md5sums to the same as the just-made
image.

Can you create different image files?  And then run cmp(1) on them to
see where they differ?  Then hd(1) with its -n and -s option to inspect
an area starting there?  That may give some idea of the nature of the
problem.  cmp's -l option would let you know how long they differ for
too.

Cheers,
Ralph.




Re: [Dorset] md5sum mismatch

2010-02-04 Thread Ralph Corderoy

Hi again Shane,

> Can you create different image files?  And then run cmp(1) on them to
> see where they differ?

And check the number of bytes in each of them is the same to start with
and matches what dd, etc., would have told you.

Also, does plain dd give same result each time, and it's only different
commands that differ?

Cheers,
Ralph.


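As an added example (not from Ralph's or Shane's messages), the checks from the two replies above put into one POSIX shell script: byte sizes first, then md5 digests, then cmp(1) to find the first differing byte and hd(1) with -s and -n to look at that spot. The helper names (byte_size, dd_records, first_difference, verify_image) and the default block size of 512 are my choices. Reading a raw device with blockdev(8) or md5sum needs root; the script is exercised here on regular files.

```shell
#!/bin/sh
# Added example (not from the thread): verify a disk image against its source
# the way the replies suggest. Helper names are my own.
set -eu

# Byte length of a regular file or a block device (blockdev needs root).
byte_size() {
    if [ -b "$1" ]; then
        blockdev --getsize64 "$1"
    else
        stat -c %s "$1"
    fi
}

# What dd would report for $1 bytes at block size $2, in its own
# "full+partial" form, e.g. 8+1. A whole disk is a multiple of 512 bytes,
# so "+1" at bs=512 means the copy did not cover the device exactly.
dd_records() {
    full=$(($1 / $2))
    partial=$(($1 % $2 != 0))
    echo "${full}+${partial}"
}

# 0-based offset of the first differing byte, or "identical". cmp -l lists
# "byte(1-based) octal octal" per difference; it reports nothing when one
# file is merely a prefix of the other, hence the size check in verify_image.
first_difference() {
    off=$(cmp -l "$1" "$2" 2>/dev/null | head -n 1 | awk '{ print $1 - 1 }')
    [ -n "$off" ] && echo "$off" || echo identical
}

# Compare sizes, then digests; on a mismatch locate and dump the difference.
verify_image() {
    src=$1; img=$2; bs=${3:-512}
    ssz=$(byte_size "$src"); isz=$(byte_size "$img")
    echo "source: $ssz bytes = $(dd_records "$ssz" "$bs") records at bs=$bs"
    echo "image:  $isz bytes = $(dd_records "$isz" "$bs") records at bs=$bs"
    if [ "$ssz" -ne "$isz" ]; then
        echo "SIZE MISMATCH: the image is not a complete copy"
        return 1
    fi
    shash=$(md5sum "$src" | awk '{ print $1 }')
    ihash=$(md5sum "$img" | awk '{ print $1 }')
    echo "md5 source: $shash"
    echo "md5 image:  $ihash"
    if [ "$shash" = "$ihash" ]; then
        echo "OK: digests match"
        return 0
    fi
    off=$(first_difference "$src" "$img")
    ndiff=$(cmp -l "$src" "$img" 2>/dev/null | wc -l | tr -d ' ')
    echo "DIGEST MISMATCH: $ndiff differing bytes, first at offset $off (sector $((off / 512)))"
    if command -v hd >/dev/null 2>&1; then   # hd -s/-n: dump 64 bytes from there
        hd -s "$off" -n 64 "$src"
        hd -s "$off" -n 64 "$img"
    fi
    return 1
}

# Usage: verify_image /dev/sdg /home/sdg.dd 512
```

Run it as root against the device and each image in turn; two images that pass the size check but fail the digest check can then be handed to the same cmp/hd step against each other to see whether the differing bytes sit in the same place every time.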


Re: [Dorset] md5sum mismatch

2010-02-05 Thread Ralph Corderoy

Hi Shane,

One more thing, ditch the USB interface if possible and connect the
drive more directly.  Since I don't know how it works, I'm skeptical
that it isn't causing the odd issue.

It would be interesting to hear what the problem was if you get to the
bottom of it.  There's quite a few of us that have had to use things
like GNU ddrescue on hard discs in the past.

Cheers,
Ralph.




Re: [Dorset] md5sum mismatch

2010-02-05 Thread Steve hemingway
Does this help 
http://adammooz.wordpress.com/2009/07/14/dcfldds-md5-vs-md5sum/

Steve

On 04/02/2010 12:02, shane fail wrote:


Re: [Dorset] md5sum mismatch

2010-02-05 Thread Ralph Corderoy

Hi Steve,

> Does this help
> http://adammooz.wordpress.com/2009/07/14/dcfldds-md5-vs-md5sum/

My understanding was that by the time the Linux kernel returns the data
to dd(1), there hasn't been any disc problem.  IOW, the drive corrected
the issue itself, either by multiple reads, ECC, or whatever.  If the
drive has to give up, it tells the kernel, and the kernel tells dd(1),
e.g. read(2) returns -1 with errno set to EIO.

Sometimes, it seems the kernel will also have multiple goes, but the end
result is the same;  no random data, or zeroes, is returned to dd in
lieu of pukka bytes.

That's how dd(1) works, however, it seems dcfldd has options as to what
to do when the kernel says there's a read error, including continuing
through the rest of the drive.  And it can vary how that affects the MD5
digest.  See

http://www.forensicfocus.com/index.php?name=Forums&file=viewtopic&t=4992

for some of the gory details.

I don't think I'd find myself using dcfldd.  I'd not heard of it before.
TBH, I'd use GNU ddrescue(1), package gddrescue in Ubuntu, and its
--direct option to have it image the drive, passing O_DIRECT to the
kernel so it gets out the way.  ddrescue tells you when there are bits of
disc that are a problem and skips over them.  But then you run it again,
and again, increasing the number of retries until it, hopefully, gets
all the data.  It can keep track, between runs, of what's been
recovered.  It worked very well when I had a faulty drive to recover.

Older versions don't have --direct but can do the same thing with raw(8)
setting up a raw device for the drive.  The documentation is very
useful.

Having got an image, I'd then get a digest for the image file.

Cheers,
Ralph.


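An added example, not from Ralph's message and not the tools' own code, modelling on a regular file the three outcomes he describes when one block of the drive cannot be read: plain dd stopping at the first read error, a continue-with-zeros policy (what dd conv=noerror,sync does; dcfldd has options for carrying on past errors too), and a ddrescue-style second pass that retries only the blocks recorded as unrecovered. No real I/O error is generated; the bad block number is passed in by hand, and the function names and the `.unrecovered` side file are my invention, standing in for ddrescue's mapfile.

```shell
#!/bin/sh
# Added example (not from the thread or from the tools): model what each
# imaging policy leaves behind when one block of the source cannot be read.
# A regular file stands in for the drive and the bad block is chosen by hand;
# no real I/O error occurs. Function names and the .unrecovered side file
# are my own, the latter standing in for ddrescue's mapfile.
set -eu
BS=512

# Plain dd: read(2) fails with EIO at the bad block and dd stops, so the
# image is truncated there and is shorter than the drive.
image_abort() {   # src out bad_block
    dd if="$1" of="$2" bs=$BS count="$3" 2>/dev/null
}

# Continue-with-zeros: dd conv=noerror,sync behaviour. The image has the
# drive's size, but the zeroed block means its digest cannot equal a digest
# of the drive's real data. The bad block is noted for a later retry.
image_zero() {    # src out bad_block
    src=$1; out=$2; bad=$3
    dd if="$src" of="$out" bs=$BS count="$bad" 2>/dev/null
    dd if=/dev/zero of="$out" bs=$BS count=1 seek="$bad" conv=notrunc 2>/dev/null
    dd if="$src" of="$out" bs=$BS skip=$((bad + 1)) seek=$((bad + 1)) conv=notrunc 2>/dev/null
    echo "$bad" > "$out.unrecovered"
}

# ddrescue-style second pass: re-read only the blocks still marked
# unrecovered (here the re-read "succeeds"), then clear the list.
retry_pass() {    # src out
    while read -r blk; do
        dd if="$1" of="$2" bs=$BS count=1 skip="$blk" seek="$blk" conv=notrunc 2>/dev/null
    done < "$2.unrecovered"
    : > "$2.unrecovered"
}

md5_of() { md5sum "$1" | awk '{ print $1 }'; }

# Usage:
#   image_zero drive.img out.dd 5 ; md5_of out.dd   # differs from md5_of drive.img
#   retry_pass drive.img out.dd   ; md5_of out.dd   # matches once the block is back
```

The point to take from it is the one Ralph ends on: the digest that matters for the evidence record is the one taken over the finished image file, after every retry pass has been run and the unrecovered list is empty, not a digest computed in flight while blocks were still being skipped or zero-filled.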