Anything related to computer forensics (new section!)
August 4th, 2015, 12:28
Hi All,
Let's say for acquisition, "dc3dd" command is used and in the Linux system write blocker is implemented using udev rules.
Now I noticed that when dc3dd encounters a bad sector it flips the "acquiring" device from read only into read/write and tries to recover the bad sector and subsequently uses zero as the value for hash calculation.
Is it possible to prevent this occurrence? Is there any way it can be specified so that when bad sector is encountered, skip that sector and for hash calculation do not include that sector?
Thanks In Advance
August 5th, 2015, 2:43
Hi,
I don't know if you can skip a bad sector but IMHO you should not do that.
Every forensic acquisition software I know fills bad sector with 0x00 (or any other pattern) and include them for the hash calculation.
The important thing is to log bad sectors and with what pattern they were filled, that way the process is reproducible and if you encounter the same bad sectors, the hash should be the same.
August 5th, 2015, 4:20
Hi,
I am concerned because it changes the source to be read/write from read only in the process to try to write zeros into it.
Let's say we skip the bad sectors the calculated hash should be the same if for example the acquisition is done again since bad sector will always be a bad sector? (Not sure for this part though)
That's why wondering if it is possible to skip the bad sectors. But so far dc33d, dd and even guymager software all flips the read only when bad sector is encountered.
Not sure there is any other tool that can do acquisition without flipping.
August 5th, 2015, 5:13
Perhaps you should try using a hardware write blocker.
Suggest you pick up one of these if your going to be doing a lot of forensic imaging mate
https://www.guidancesoftware.com/produc ... idges.aspx
August 5th, 2015, 21:47
Yes mate,
I think either hardware blocker or kernel patch to disable read/write permanently could be the last resort.
Seems like an OS issue, as I tried with dd, dcfldd and guymager and all showed the same phenomenon.
August 6th, 2015, 2:44
Be carefull with hardware blocker and disks with many bad sectors.
They don't always behave as expected and can kill the disk.
August 16th, 2015, 2:52
Tableau tools are good, but I use SalvationData ( dead tool ) like as a hardware write-blocker in Linux.
One of the future you can set PIO/UDMA hardware switch and mix with dd_rescue with -r command.
Powered by phpBB © phpBB Group.