  1. #1
    Just Joined!
    Join Date
    Mar 2010
    Posts
    1

    clone hdd to hdd and keep same hash


    Hello,

    I want to clone a hdd to a second hdd to analyze it after.

    How to do it and keep the same HASH for legal purpose?

    Thanks.

  2. #2
    oz
    forum.guy
    Join Date
    May 2004
    Location
    arch linux
    Posts
    18,733
    Welcome to the forums!

    There are a number of good cloning applications for Linux such as Clonezilla, FSArchiver, Ghost4Linux, and PartImage, or you could use the dd command for cloning. As for legalities, you should always consult with a lawyer and few if any of us here are that, but you should be able to use any of the applications above to clone partitions or drives as long as you don't violate any license agreements or someone's privacy.

    Hope I understood your question properly.
    oz

  3. #3
    Just Joined! gnuuser
    Join Date
    Nov 2009
    Location
    northwestern Pa, usa
    Posts
    69
    First thing you need is a hardware write blocker to connect to the suspect drive.
    This will prevent accidental writing to the suspect drive.
    Then you would use the dd command from a forensic distro.
    You will need to make an md5 sum of each drive.
    The matching md5 sums are the proof that the evidence wasn't tampered with.
    As long as the md5 sums are identical then the copy is usable for forensic analysis.

    If the sums do not match then it was copied incorrectly.
    Go to the website for the distro you are using for forensics and get the correct command and procedure for drive duplication.

    A good thing to do first is use DBAN on the destination drive (the one you are copying to); this will sterilize it for forensic use.

  4. #4
    Linux Guru Rubberman
    Join Date
    Apr 2009
    Location
    I can be found either 40 miles west of Chicago, in Chicago, or in a galaxy far, far away.
    Posts
    11,639
    gnuuser got it pretty much correct.

    1. Install the drive in an external enclosure, either USB or eSATA (if it is a SATA drive).
    2. Plug into computer and turn on.
    3. Generate md5sum or preferably sha512sum (takes longer, but more bits == better hash) of the disc. Assuming device is recognized by system as /dev/sdx: sha512sum /dev/sdx >original-disc.sha512sum
    4. Plug disc to hold clone (must be identical to original disc) into system. Note that if you are going to use another disc that is not an EXACT match, you will be better off to create a bit-image file of the original disc instead of a hardware clone copy. That way, you can use any suitably sized disc to hold the image.
    5. Do a bit copy of the original disc (you haven't mounted anything, and won't - be careful of that!), to either the clone hardware, or to a file on the target disc: dd if=/dev/sdx of=/dev/sdy or dd if=/dev/sdx of=filename. When you are done, run the md5sum/sha512sum on the target disc or file. It should agree with the original. If not, the copy was not exact.

    I have done this numerous times, normally to a bit-image file, and it has always been successful. It does take time for big discs (I've made images of discs that are up to 1.5TB in size).
    Sometimes, real fast is almost as good as real time.
    Just remember, Semper Gumbi - always be flexible!
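
Added example, not written by any poster in this thread: a shell version of the hash, copy, re-hash procedure from posts #3 and #4. It goes one step beyond the thread by hashing only the first source-size bytes of the target, so the check still works when the target disc is larger than the original, and by re-hashing the source after the copy to show it was not altered. The function names and the record file name are assumptions.

```shell
#!/bin/sh
# Added example; byte_size, hash_prefix, image_and_verify and the
# default record name acquisition.sha512 are hypothetical names.

# Size in bytes of a block device or of a regular image file.
byte_size() {
    if [ -b "$1" ]; then
        blockdev --getsize64 "$1"
    else
        wc -c < "$1" | tr -d ' '
    fi
}

# SHA-512 of the first $2 bytes of $1 (device or file).
hash_prefix() {
    head -c "$2" "$1" | sha512sum | cut -d' ' -f1
}

# image_and_verify SRC DST [RECORD]
# Returns 0 only if the copy matches the source AND the source hash
# is the same before and after imaging. Nothing is ever mounted.
image_and_verify() {
    src=$1; dst=$2; record=${3:-acquisition.sha512}
    size=$(byte_size "$src") || return 2
    before=$(hash_prefix "$src" "$size")
    # 1 MiB blocks; notrunc keeps a larger image file at its full size
    # and is harmless on a block device.
    dd if="$src" of="$dst" bs=1048576 conv=notrunc 2>/dev/null || return 2
    sync
    after=$(hash_prefix "$src" "$size")
    copy=$(hash_prefix "$dst" "$size")
    # Keep both hashes as the acquisition record.
    printf '%s  %s\n%s  %s\n' "$before" "$src" "$copy" "$dst" > "$record"
    [ "$before" = "$after" ] && [ "$before" = "$copy" ]
}

# Run only when called with arguments, e.g.:
#   sh clone.sh /dev/sdx /dev/sdy case42.sha512
if [ "$#" -ge 2 ]; then
    image_and_verify "$@"
fi
```

A plain sha512sum of a larger target will never equal the source hash, because the bytes past the end of the copy are hashed too; that is why the comparison is limited to the source's size.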
