Atola Technology

Calculating MD5 and SHA1 hashes of an existing E01 file

It is not uncommon for source evidence drives and their images to be involved in a long-running investigation or to wait months or even years before being presented in court. Data stored on hard drives or in image files may become corrupted over time. That is why an investigator may need to verify the integrity of the data on these devices or image files before resuming work with them or presenting them in court.

Over the years, the E01 file format has become popular for forensic purposes because it stores not only a physical or logical copy of the source drive but also case and evidence details. An E01 file can also contain both MD5 and SHA-1 hashes, and it is considered good practice among forensic specialists to calculate both hashes while imaging the evidence so that they are included in the E01 file.

To view the hashes recorded for an E01 file with Atola Insight Forensic, open the file by pressing the Plus icon in the port bar and selecting the E01 image files (*.E01) file type in the drop-down menu to list existing files with this extension.


On the Home page, look through the File History and click the Imaging target link.


This opens an Imaging target report; at the bottom you will see both hashes calculated during the imaging session.

You may leave this window open or save the report as a PDF file to compare these hashes with the newly calculated ones later.

Then go to the Calculate Hash page in the Hashing category of the left-side menu, select Linear in the Hash method drop-down menu, and select MD5 and SHA-1 in the Hash type drop-down menu.


Once the hashes have been calculated, you can check that the two sets of hashes are identical.

Creating a logical image of a source drive

While physical imaging involves sector-by-sector copying of the whole evidence drive from the first LBA to the last, logical acquisition means bit-for-bit copying of the file structure.

Logical acquisition is handy when time is limited and you need to start working with the file structure quickly. At the same time, a logical image does not include the remaining fragments of previously deleted files, which makes this imaging method incomplete. On top of that, the hash values of the source and the target will not be identical. Therefore, for an in-depth investigation, a physical image is still preferable.

This guide shows how Atola Insight Forensic’s flexible imaging functionality enables users to perform selective logical imaging.

In the Imaging category of the left-side menu there is the I want to image drop-down menu, where you can select the All sectors with data or All sectors with metadata option.

When you choose All sectors with data, you image the whole file system structure of the drive, including folders and files, while omitting the areas with no data or with fragments of previously deleted files.

By choosing the All sectors with metadata option, you image the file system structure without the data inside its files (e.g. the MFT in NTFS), which lets you browse the files and select specific ones to be imaged in full. For more information, please watch this video guide: Benefits of Imaging Metadata.

When you select either of these two options, the imaging log adds a message listing the partitions Insight has been able to find.

Once imaging is complete, you can view the structure of the logical image you have obtained by clicking Analyze target image.

This will open the Target port.

  1. Click the Scan partitions button
  2. Select any of the imaged partitions you want to open
  3. Click the Open partition button

In our example, we have imaged all sectors with data, and the partition we open contains the file structure and files, which we can explore, open and analyze.

Case Management: Finding and Opening a Case

Insight’s Case Management system records every step of the data acquisition process, saving them into reports grouped by case.

To view the whole list of cases and their devices:

  1. Go to the Case category in the top menu
  2. Click the Search/Open option

In the Search and Open Case window you will see a list of all the devices that have ever been connected to and identified by your Insight.

You can search for cases using multiple criteria and sort the results in ascending or descending order by any column.

Please note that it is possible to store multiple devices under the same case number, allowing you to keep track of all devices related to a certain case.

Once a device is selected, you get a preview of the case including the device details: when the case was created (i.e. when the device was connected to the unit and identified by Insight for the first time), when it was last opened, and the device model, serial number and description.

The case opens as a separate port in the Top Bar of the Insight window.

Q&A during Forensic Europe Expo

The Atola team attended the annual Forensic Europe Expo on May 3 – 4 in London. We were pleased to meet both existing and potential customers and answer their questions about Atola Insight Forensic. Those of you who were not able to attend may have similar questions, so here are the most frequently asked ones at the Expo and our answers. We would be happy to answer any further queries you may have, so please don’t hesitate to write a comment below or send us a message here.


Question: Does write protection work for SATA source drives only?

Answer: No, write protection works for all source ports: SATA, IDE, USB & extensions.


Question: You claim that Atola Insight Forensic is capable of imaging even bad drives. What does a bad drive mean?

Answer: By bad drives we mean drives with various types of issues, namely:

  • Scratches on the media surface
  • Magnetic layer wear-out
  • Degraded or even non-working head
  • Drive freeze after reading attempt
  • Firmware issues
  • Bad sectors

Atola Insight Forensic is capable of dealing with devices that competitor products cannot even identify.


Question: What are the advantages of Atola Insight Forensic compared to ddrescue open source data recovery tool?

Answer: Here are some of the functions that Atola Insight Forensic provides and that ddrescue lacks:

  1. For Insight we have developed functionality that specifically helps image damaged drives that freeze.
  2. Insight’s diagnostics function identifies damaged heads, while advanced imaging settings allow head selection to perform imaging in a fast and, most importantly, cautious manner to avoid causing further damage to the evidence drive.
  3. Insight can image to multiple targets at the same time, both hard drives and files.
  4. Forensic procedures require hash calculation to be part of the acquisition process. Insight has very flexible hash calculation functionality: it can simultaneously calculate MD5 and SHA hashes of the source before, during or after imaging, and the target drive’s hash can be calculated in conjunction with imaging or as a separate action.
  5. Built-in write protection.
  6. Insight’s in-depth diagnostics help identify the drive’s status and, based on that, the right way to handle the drive for successful data acquisition.
  7. Insight’s overcurrent protection detects when the hard drive draws abnormal current and stops the hard drive to prevent any further damage to the system and the drive.
  8. Insight’s automatic password removal function can extract an unknown ATA password and unlock the drive in under 2 minutes with just a few mouse clicks.

These are just a few of the key features Insight offers compared to ddrescue. For more information about the product, please follow this link.


Question: When coming across bad sectors on the source drive in the course of imaging, how does Insight deal with the corresponding sectors on the target drive?

Answer: Such sectors can either be left alone (skipped) or filled with a pattern. The default pattern used to fill unreadable sectors is 00. However, you can enter any other pattern or even load a pattern (of any length) from a file. To use this option:

  1. Navigate to the Imaging category of the left-side menu
  2. Click the Create New Session link
  3. In the Preset line, click the Show settings link
  4. Tick the check box next to Fill unreadable sectors with the following pattern (HEX):
  5. Leave the default pattern as it is or enter/upload a new one
  6. Click the Save settings button if you would like to make this new pattern the default; otherwise, simply click the Start imaging button.
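The following is an added example, not Atola’s code, showing how an imager can treat unreadable source sectors the way the option above describes: either skip them (the target sector is left as it was) or fill them with a hex pattern of any length, tiled to cover the whole sector. The source drive, the sector size of 512 bytes and the unreadable LBAs are constructed for the demonstration.

```python
# Added example, not Atola's code: skip-or-fill handling of unreadable sectors.
SECTOR = 512  # assumed sector size


def expand_pattern(pattern_hex, size=SECTOR):
    """Tile a hex pattern such as "00" or "DEADBEEF" to exactly `size` bytes."""
    pattern = bytes.fromhex(pattern_hex)
    if not pattern:
        raise ValueError("fill pattern must not be empty")
    repeats = size // len(pattern) + 1
    return (pattern * repeats)[:size]


def image_drive(read_sector, total_sectors, fill_hex=None, target=None):
    """Copy sectors 0..total_sectors-1 into a target buffer.
    read_sector(lba) returns SECTOR bytes or raises OSError when unreadable.
    fill_hex=None skips unreadable sectors; otherwise they get the pattern.
    Returns (target_bytes, log) where log records each unreadable LBA."""
    if target is None:
        target = bytearray(total_sectors * SECTOR)
    filler = None if fill_hex is None else expand_pattern(fill_hex)
    log = []
    for lba in range(total_sectors):
        offset = lba * SECTOR
        try:
            target[offset:offset + SECTOR] = read_sector(lba)
        except OSError:
            if filler is None:
                log.append((lba, "skipped"))  # target sector left untouched
            else:
                target[offset:offset + SECTOR] = filler
                log.append((lba, "filled"))
    return bytes(target), log


# Constructed source drive: 8 sectors, LBAs 3 and 5 are unreadable.
UNREADABLE = {3, 5}


def fake_source(lba):
    if lba in UNREADABLE:
        raise OSError(f"read error at LBA {lba}")
    return bytes([lba + 1]) * SECTOR
```

Passing a pre-filled buffer as `target` shows the difference between the two modes: skipped sectors keep whatever the target held before, filled ones carry the pattern.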

Verifying Damaged Target Images with Segmented Hashing

Last November the Atola Technology team presented a new hashing method called Segmented hashing. Unlike conventional linear hashing, segmented hashing produces not a single hash but a list of hashes of the corresponding LBA ranges of the image, saved into a CSV file in this format:

Hash, start LBA, end LBA

By validating all hashes on the list, you can prove that the entire image has not been modified. For more information about this hashing method, please follow this link: Segmented Hashing.

While this hashing method has a number of benefits for forensic specialists, one of its strongest advantages is its applicability to damaged drives.

For one, this non-linear hashing method allows calculating hashes of the good areas of the evidence media, while bad areas that are impossible to read and image are left out of the calculation.

Secondly, if your acquired evidence image is damaged at some point in the future, with regular linear hashes you will get a hash mismatch upon verification and the entire image becomes useless, whereas with segmented hashes only the hash of the damaged segment becomes invalid. For example, in the case of a 4TB hard drive with the default 4GB segment size, one invalid hash accounts for only 0.1% of the drive, while the remaining 99.9% of the hashes can still be verified.

Verifying segmented hashes

Suppose you have imaged a source drive and calculated its segmented hashes, and the CSV file is stored on your computer. Now let’s simulate a change to the evidence image to see how segmented hashing helps us identify the areas whose integrity has not been compromised.

Step 1. Select the target image in the top Port bar. In the Disk Editor subcategory of the Device Utilities category of the left-side menu, we can open any sector of the drive. There we change one byte in sector #35,000,000.

Change one byte in Disk Editor


Step 2. In the Hashing category of the left-side menu there is the Verifying Segmented Hashes subcategory. This is an automated way to verify the segmented hashes in an existing CSV file against the target image. Select the file with the segmented hashes calculated during imaging and click Start.

Start segmented hash verification


Step 3. Hash verification is in progress. Here we see 18 segmented hashes checked. The hash for the interval that includes sector 35,000,000 is invalid.

Segmented hash verification in progress


Step 4. Hash verification finishes, and a proper case report is automatically created, also in CSV format.

Segmented hash verification report

This is how segmented hashing helps you avoid the whole image being compromised when a small area of the evidence target is damaged.
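The following is an added example, not Atola’s code, that reproduces the idea behind the segmented hashing method and the verification walkthrough above on a small raw image: the hashes are written in the page’s Hash, start LBA, end LBA column order, one byte is then changed in a single sector, and re-verification flags only that segment while a linear MD5 of the same image simply mismatches. The image contents, the 512-byte sector size and the 64-sector segment size (standing in for the 4GB default) are constructed for the demonstration.

```python
# Added example, not Atola's code: segmented hashes vs. a linear hash.
import csv
import hashlib
import io

SECTOR = 512  # assumed bytes per LBA

def segmented_hashes(image, segment_sectors, algo="md5"):
    """Hash consecutive LBA ranges; returns [(hexdigest, start_lba, end_lba)]
    with end_lba inclusive. The final segment may be shorter."""
    total = len(image) // SECTOR
    rows = []
    for start in range(0, total, segment_sectors):
        end = min(start + segment_sectors, total) - 1
        chunk = image[start * SECTOR:(end + 1) * SECTOR]
        rows.append((hashlib.new(algo, chunk).hexdigest(), start, end))
    return rows

def to_csv(rows):
    """Serialize in the page's 'Hash, start LBA, end LBA' layout."""
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow(["Hash", "start LBA", "end LBA"])
    writer.writerows(rows)
    return buf.getvalue()

def from_csv(text):
    reader = csv.reader(io.StringIO(text))
    next(reader)  # skip the header row
    return [(h, int(s), int(e)) for h, s, e in reader]

def verify(image, rows, algo="md5"):
    """Re-hash every LBA range from the CSV; returns [(start, end, ok)]."""
    report = []
    for digest, start, end in rows:
        chunk = image[start * SECTOR:(end + 1) * SECTOR]
        report.append((start, end, hashlib.new(algo, chunk).hexdigest() == digest))
    return report

def demo():
    # Constructed 1000-sector image; 64-sector segments stand in for 4 GB ones.
    image = bytearray(i % 251 for i in range(1000 * SECTOR))
    linear = hashlib.md5(image).hexdigest()
    stored_csv = to_csv(segmented_hashes(image, 64))  # "calculated during imaging"
    image[700 * SECTOR + 17] ^= 0xFF  # Step 1: change one byte in sector 700
    linear_ok = hashlib.md5(image).hexdigest() == linear
    failed = [(s, e) for s, e, ok in verify(image, from_csv(stored_csv)) if not ok]
    return linear_ok, len(from_csv(stored_csv)), failed
```

`demo()` returns the linear-hash result (a mismatch), the number of segments checked and the single LBA range whose hash no longer validates.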