Verifying your disk imageWhen working with your disk image, verification of the data should always be included in your workflow. In the case of a multi-part image, we should have at least two hashes:
- A hash for the total disk image
- A hash for each part of the disk image
This is especially true for raw disk images, since they have no built-in checksum like expert witness format.
A hash for the total disk image is normally created by your acquisition tool, and can be found in the acquisition report. FTK Imager does not create a hash for each part of a multi-part image.
In this case, we may need to generate our own hashes using FTK, or another tool.
Why do I need hashes for each part?
If you have a hash value for the overall disk image, then - in terms of court - you will be able to show that the suspect data has not changed from the time that the disk was first acquired. However, having hashes of each part of the image can help in one major way.
The Expert Witness Format that EnCase uses has checksums every 32KB that enables verification of parts of a disk image. If one part of a disk image changes, we can potentially still use the other parts of the image that can be verified with their checksum, even if the overall hash can not be verified.
With a multi-part RAW image, we can get similar functionality by hashing each part. Each part can then be verified, along with the overall hash. If the overall hash is not valid, hashes of each part can be used to determine what part has changed. Other parts that can be verified may still be used.
Loading a multi-part image
When many tools load a multi-part image, they may only show the filename of the first part of the image. If the tool is made 'for forensics', then the tool will likely load the entire image under the first filename. In this case, verify that the tool can:
- Detect the full size of the original disk image
- Can generate the correct hash value for the original image