Hello,
I want to clone an HDD to a second HDD to analyze it afterwards.
How do I do it and keep the same hash for legal purposes?
Thanks.
Welcome to the forums!
There are a number of good cloning applications for Linux such as Clonezilla, FSArchiver, Ghost4Linux, and PartImage, or you could use the dd command for cloning. As for legalities, you should always consult with a lawyer and few if any of us here are that, but you should be able to use any of the applications above to clone partitions or drives as long as you don't violate any license agreements or someone's privacy.
Hope I understood your question properly.
The first thing you need is a hardware write blocker to connect to the suspect drive.
This will prevent accidental writing to the suspect drive.
Then you would use the dd command from a forensic distro.
You will need to make an md5 sum of each drive.
The matching md5 sums are the proof that the evidence wasn't tampered with.
As long as the md5 sums are identical then the copy is usable for forensic analysis.
If the sums do not match then it was copied incorrectly.
Go to the website for the distro you are using for forensics and get the correct command and procedure for drive duplication.
A good thing to do first is use DBAN on the destination drive (the one you are copying to). This will sterilize it for forensic use.
gnuuser got it pretty much correct.
1. Install the drive in an external enclosure, either USB or eSata (if it is a sata drive).
2. Plug into computer and turn on.
3. Generate md5sum or preferably sha512sum (takes longer, but more bits == better hash) of the disc. Assuming device is recognized by system as /dev/sdx: sha512sum /dev/sdx >original-disc.sha512sum
4. Plug disc to hold clone (must be identical to original disc) into system. Note that if you are going to use another disc that is not an EXACT match, you will be better off to create a bit-image file of the original disc instead of a hardware clone copy. That way, you can use any suitably sized disc to hold the image.
5. Do a bit copy of the original disc (you haven't mounted anything, and won't - be careful of that!), to either the clone hardware, or to a file on the target disc: dd if=/dev/sdx of=/dev/sdy or dd if=/dev/sdx of=filename. When you are done, run the md5sum/sha512sum on the target disc or file. It should agree with the original. If not, the copy was not exact.
I have done this numerous times, normally to a bit-image file, and it has always been successful. It does take time for big discs (I've made images of discs that are up to 1.5TB in size).
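The procedure from the post above, as an added example that is not part of the thread: a shell script that hashes the source, does the bit copy, and verifies the target. It also covers the case step 4 warns about, a target disc larger than the original, by hashing only as many bytes of the target as the source holds; the function names are hypothetical and that prefix comparison is this example's own choice.

```shell
#!/bin/sh
# Added example, not from the thread. Usage: ./clone.sh /dev/sdx /dev/sdy
# (device names as in the post; the source should sit behind a write blocker).

# SHA-512 of the first $2 bytes of $1, or of all of $1 when $2 is omitted.
hash_prefix() (
    if [ -n "${2:-}" ]; then
        head -c "$2" "$1" | sha512sum | cut -d' ' -f1
    else
        sha512sum < "$1" | cut -d' ' -f1
    fi
)

# Size in bytes of a block device or of a regular file (bit image).
src_size() (
    if [ -b "$1" ]; then blockdev --getsize64 "$1"; else wc -c < "$1" | tr -d ' '; fi
)

# Succeeds only if the first <source size> bytes of $2 hash to the same
# value as all of $1. Bytes past that point on a larger target are ignored.
verify_clone() (
    size=$(src_size "$1")
    [ "$(hash_prefix "$1")" = "$(hash_prefix "$2" "$size")" ]
)

# Bit copy $1 to $2 without mounting either, flush writes, then verify.
clone_and_verify() (
    dd if="$1" of="$2" bs=1M conv=notrunc || exit 2
    sync
    verify_clone "$1" "$2"
)

# Run only when called with a source and a target.
if [ "$#" -eq 2 ]; then
    if clone_and_verify "$1" "$2"; then
        echo "MATCH: $(hash_prefix "$1")"
    else
        echo "MISMATCH or copy error" >&2
        exit 1
    fi
fi
```

Running sha512sum over the whole of a larger target disc gives a different value even when the copy is exact, which is why the comparison is limited to the source's byte count.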