Atola Technology

Comparing Hashes of Source and Target to Find Modified Data

So you have a Source evidence drive and its image on a different device, and you have a record that their hash values were identical in the past.

If you get a different hash value when you calculate the hash of the target now, it could be due to hardware failure, or because the device containing your image was used by a third party.

To understand how substantial these changes are, you will want to locate the sectors that have been modified.

  1. In the Disk Utilities category, click the Compare subcategory.
  2. Make sure that the whole sector range of the drive is selected and that the Device on DiskSense Target Port radio button is selected.
  3. Click the Compare button.

Atola Insight Forensic’s high-performance compare function will compare the source and the target and will help you identify and locate the modified sectors:

Case Management: Print reports from a case

Insight’s Case Management system includes flexible printing functionality. To print a report click the Print link in the case’s Home page.

In the Print Case History window you get all the reports listed, sortable by date or by reported operation. It is possible to tick just some of the reports or select all reports in the case by ticking the check box in the header of the list. Below there are all pictures attached to the case, which you can also select to be printed.

At the top of the Print Case History window there are four check boxes with report listing and printing settings (click on the Case Management arrow to view all check boxes):

  • Insert page break after every report on print
  • Also show miscellaneous reports hides/displays all reports of seemingly minor importance, which are nonetheless essential to some forensic specialists in accordance with their internal procedures
  • Also print CSV logs includes operation logs saved in CSV format in the printed version of the reports
  • Also print segmented hashes includes segmented hashes saved in CSV files in the printed version of the reports

It is possible to print or save the selected reports and pictures in a PDF, HTML or RTF file by clicking Save to file… or Print buttons.

If you have ticked the two latter options, this is how the log and the segmented hashes will be displayed in the report:

How we test our devices

Today we are offering you a sneak peek into Atola Technology office to show you our device storage system.

As you know, Atola Insight Forensic and Atola Recycler both support the vast majority of 1.8-inch, 2.5-inch, 3.5-inch IDE, SATA and USB hard drives, USB Flash media as well as SD, Compactflash, and Memory Stick cards. Over the years, we have accumulated hundreds of devices to develop and test our systems on them. Some of the drives date back to 2003, when the company was founded, others were purchased or donated more recently.

Many are damaged, yet they are precious to us: we actually bought most of them in this condition to make sure our acquisition systems are equal to the challenge of imaging such devices.

Each device has a unique history with us, so from the early days, we have had a database listing the drives and documenting their specifications, origin, condition and contents. Airtable allows adding various details including pictures of actual devices to help us quickly find the most appropriate drive for our purposes.

But the fact that the drives were stored in boxes sorted by a few rough criteria made finding devices a challenging task. At one point we realized we needed to have an efficient storage system in place, which would help us store the drives correctly and locate them efficiently. And no generic solution would suit us. So we hired a company to design and produce it for us. That is how this beauty came into existence:

Each drive has a number and is stored in a static-shielding bag tagged with colored stickers, so that the condition of a drive can be identified immediately when you need to grab an appropriate drive quickly without checking the database. Each team member has a set of tokens bearing their name, which must be left in place of a drive when it is removed from its cell. All this makes it easy to track the drives and their whereabouts.

Calculating MD5 and SHA1 hashes of an existing E01 file

It is not uncommon for source evidence drives and their images to be involved in a long-running investigation or to wait for months or even years before being presented in court. Data stored on hard drives or in image files may become corrupt over time. That is why an investigator may need to verify the integrity of the data on these devices or image files before resuming work with them or presenting them in court.

Over the years, the E01 file format has become popular for forensic purposes due to its ability to store not only a physical or logical copy of the source drive, but also case and evidence details. An E01 file can also contain both MD5 and SHA-1 hashes, and it is considered good practice among forensic specialists to calculate both hashes while imaging the evidence so that they are included in the E01 file.

To view the hashes calculated for an E01 file with Atola Insight Forensic, open the file by pressing the Plus icon in the port bar and then selecting the E01 image files (*.E01) file extension in the drop-down menu to list existing files with this extension.


In the Home page, look through the File History and click the Imaging target link.


This will open an Imaging target report, at the bottom of which you will be able to see both hashes calculated during the imaging session.

You may leave this window open or save the report as a PDF file so that you can compare these hashes with the newly calculated ones later.

Then go to the Calculate Hash page in the Hashing category of the left-side menu, select Linear in the Hash method drop-down menu, and select MD5 and SHA-1 in the Hash type drop-down menu.


Once the hashes have been calculated, you can make sure that the two sets of hashes are identical.
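The two workflows described on this page (re-hashing a target image in one linear pass with MD5 and SHA-1 together, and, when the result does not match the recorded hashes, locating the modified sectors by comparing source and target) as an added Python example; this is not Atola's code. It assumes 512-byte sectors and raw image bytes rather than an E01 container, and the sample source and target images are constructed inline.

```python
import hashlib
from typing import List, Tuple

SECTOR_SIZE = 512  # assumption: 512-byte LBAs


def linear_hashes(image: bytes, chunk: int = 1 << 20) -> Tuple[str, str]:
    """One linear pass computing MD5 and SHA-1 together (like a Linear hash run)."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    for off in range(0, len(image), chunk):
        block = image[off:off + chunk]
        md5.update(block)
        sha1.update(block)
    return md5.hexdigest(), sha1.hexdigest()


def modified_sector_ranges(source: bytes, target: bytes) -> List[Tuple[int, int]]:
    """Compare sector by sector; return inclusive (first_lba, last_lba) ranges that
    differ. A size mismatch shows up as a range covering the longer image's tail."""
    n = max(len(source), len(target))
    sectors = (n + SECTOR_SIZE - 1) // SECTOR_SIZE
    ranges, start = [], None
    for lba in range(sectors):
        a = source[lba * SECTOR_SIZE:(lba + 1) * SECTOR_SIZE]
        b = target[lba * SECTOR_SIZE:(lba + 1) * SECTOR_SIZE]
        if a != b:
            if start is None:
                start = lba
        elif start is not None:
            ranges.append((start, lba - 1))
            start = None
    if start is not None:
        ranges.append((start, sectors - 1))
    return ranges


def verify_image(source: bytes, target: bytes, recorded_md5: str, recorded_sha1: str):
    """Re-hash the target; only on a mismatch locate the changed sectors."""
    md5, sha1 = linear_hashes(target)
    if md5 == recorded_md5 and sha1 == recorded_sha1:
        return []  # integrity intact, nothing to locate
    return modified_sector_ranges(source, target)


# Constructed sample: a 16-sector source and a target with sectors 3-4 and 10 altered.
SOURCE = bytes(range(256)) * 32                 # 8192 bytes = 16 sectors
_t = bytearray(SOURCE)
_t[3 * 512:5 * 512] = b"\xff" * 1024            # sectors 3 and 4 overwritten
_t[10 * 512] ^= 0x01                            # single bit flip in sector 10
TARGET = bytes(_t)
RECORDED_MD5, RECORDED_SHA1 = linear_hashes(SOURCE)  # hashes recorded at imaging time
```

Running `verify_image(SOURCE, TARGET, RECORDED_MD5, RECORDED_SHA1)` reports the LBA ranges that changed, while an unmodified target returns an empty list.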

Creating a logical image of a source drive

While physical imaging copies the whole evidence drive sector by sector from the first LBA to the last, logical acquisition copies the file structure bit for bit.

Logical acquisition is handy when time is limited and you need to start working with the file structure quickly. At the same time, a logical image does not include the remaining fragments of previously deleted files, which makes this imaging method incomplete. On top of that, the hash values of the source and the target will not be identical. Therefore, for a thorough investigation, it is still preferable to use a physical image.

This guide will show how Atola Insight Forensic’s flexible imaging functionality enables users to perform selective logical imaging.

In the Imaging category of the left-side menu there is the I want to image drop-down menu, where you can select the All sectors with data or All sectors with metadata option.

When you choose All sectors with data, you can image the whole system structure of the drive including folders and files, while omitting the areas with no data or fragments of previously deleted files.

By going for the All sectors with metadata option, you can image the system structure without the data within its files (e.g. the MFT in NTFS), for file browsing and selecting specific files to be imaged in full. For more information on this, please watch this video guide: Benefits of Imaging Metadata.

When you select either of these two options, the imaging log adds a message about the partitions Insight has been able to find.

Once imaging is complete, you can view the structure of the logical image you have obtained by clicking Analyze target image.

This will open the Target port.

  1. Click the Scan partitions button.
  2. Select the imaged partition you want to open.
  3. Click the Open partition button.

In our example, we have imaged all sectors with data, and the partition we open contains the file structure and files, which we can explore, open and analyze.