Bon Soir Paul,
Different operating systems have their own peculiarities when it comes to
drive access. For instance, Linux has an internal block size of 1024 bytes,
whereas disk block size is 512 bytes. As a consequence, Linux is unable to
read the last sector on hard drives with an odd numbers of sectors. This
type of disk is rare, but exist.
Windows, on the other hand, seems to use an internal cylinder/head/sector
representation even though this has been made obsolete by the LBA scheme.
Windows is therefore notorious for an inability to read the last sectors of
a drive that is beyond the last cylinder boundary of the internal
representation. As a consequence, all software running under windows have
this problem if they read the disk through the operating system.
I believe however that EnCase has found a way to bypass this limitation, so
I believe that you will find the newer versions of EnCase has fixed the
issue. However, EnCase is still not able to write to those sectors when
running under windows, thus it is not possible to completely _wipe_ all
sectors of a disk using EnCase for Windows.
From what I have seen, all other wiping tools running under Windows suffer
from the same problem, but others have also found a way to read the last
sectors. This might indicate that writing to the last sector is indeed not
possible under windows.
It would be interesting to see if you problem persists with the newest
version of EnCase.
--
Svein Y. Willassen, M.Sc.
Phone: +47 92449678
-----Original Message-----
From: LERTI - Paul Vidonne [mailto:paul.vidonne@lerti.fr]
Sent: 13. desember 2004 16:02
To: forensics@securityfocus.com
Subject: Re: Two hash
At 13:45 11/12/04 +0100, LERTI - Paul Vidonne wrote:
How can a same physical disk can receive a different hash (MD5)
from EnCase and Linux md5sum ? (both through a drive lock) ?
Does smb meet this question ? Thanks.
Many thanks to those who raised questions and try to help me.
Linux used is Fedora distribution, kernel 2.6.8 and MD5Sum
is from coreutils version 5.2.1. Of course, disk to be checked
was not mounted. Binary and text give the same hash (option -i)
EnCase version is 3.19 (yes, I know, an old one, but it's not
the source of the problem). DOS is 7.10.
DiveLock (on USB) is from Intelligent Computer Solutions.
I note he following drive geometry and MD5 :
Linux/(hdparm /dev/sda )/disk on IDE port or Drivelock on USB
: CHS 10337/240/36 Sectors : 156 301 488
: MD5 say "number1"
EnCase/Windows 2000/disk on Drivelock on USB
: CHS : 9729/255/63 Sectors : 156 296 385
: MD5 say "number2"
EnCase/DOS/disk on IDE port
: CHS 16383/16/63 Sectors : 156 301 488
: MD5 say "number 1"
EnCase/DOS/disk on Drivelock on USB
: CHS 9729/255/63 Sectors : 156 301 488
: MD5 say "number 1"
When selecting the number of sectors to acquire, EnCase on Windows
don't accept more than 156 296 385. I suppose differences of hash
come from the 5 103 missing sectors. But why are they missing ?
--
LERTI - Laboratoire d'Expertise et de
Recherche de Traces Informatiques
http://www.lerti.fr +33.4 76 90 65 97
-----------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
-----------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
