Re: Two hash

On Sat, 11 Dec 2004 13:45:35 +0100, LERTI - Paul Vidonne
<paul.vidonne@lerti.fr> wrote:
> Hello,
>
> How can a same physical disk can receive a different hash (MD5)
> from EnCase and Linux md5sum ? (both through a drive lock) ?
> Does smb meet this question ? Thanks.
>
> --
> LERTI - Laboratoire d'Expertise et de
>   Recherche de Traces Informatiques
> http://www.lerti.fr +33.4 76 90 65 97

I hate to say it, but I have never verified that those 2 md5 checksums
should match.  (ie. Encase may hash the drive + some of its own meta
data overhead.)

If encase does indeed only md5 hash the physical drive, you can still
get problems because:

1) Encase from windows definately does not capture the HPA (host
protected area) if it is present.  Linux with a 2.6 kernel will
capture the HPA, so if your drive has a HPA on it you would get a
disagreement.

2) I don't know if Encase from DOS captures the HPA or not, if not and
your disk has one, you again have a disagreement.

3) If you are using an external USB carrier, some of them have an
off-by-one error when reporting the total sectors of the drive.  This
can cause linux to not capture/hash the last sector.  I don't know how
dos/windows handles this.

I'm sure there are other potential issues as well, if none of the above.

Greg
-- 
Greg Freemyer
The Norcross Group

-----------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com