Dec 31 2009

image, mount, calculate hashes: examples

I wish you all the best for 2010!

I’ve been working on an article related to serving search warrants and I thought the following examples might be useful. They cover imaging, mounting imaged drives, and calculating hashes for every file on a drive.

CASE_ID identifies the case, LOCATION_ID identifies the location where the media was seized, MEDIA_ID identifies the media device, and PARTITION_ID identifies each partition on the media.


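This is an example of imaging with dcfldd. The command calculates the MD5 hash on the fly: hashwindow=0 hashes the whole input as a single value and hashlog= writes that hash to a file, while conv=sync,noerror keeps reading past read errors and pads the affected blocks with zeros.
See here for an options reference.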

ubuntu@ubuntu:~$ date; sudo dcfldd if=/dev/sdc of=/media/disk/CASE_ID/LOCATION_ID/MEDIA_ID.dd conv=sync,noerror hashwindow=0 hashlog=MEDIA_ID_md5.txt; date

Thu Nov 16 13:18:22 UTC 2009

4883968 blocks (152624Mb) written.
4884090+1 records in
4884091+0 records out

Thu Nov 16 15:26:34 UTC 2009
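Once imaging has finished, the image file can be re-hashed and compared with the value dcfldd logged. The following is an added example, not part of the original post; the function names are hypothetical, and it assumes the hash log written with hashwindow=0 contains a line of the form `Total (md5): <hash>`.

```shell
# Added example: verify an image file against a dcfldd hash log.
# Assumption: the log holds one line of the form
#   Total (md5): <32 hex digits>

# Print the MD5 recorded in the hash log (lower case), or fail.
hashlog_md5() {
    local log=$1 h
    h=$(grep -i '^Total' "$log" | grep -oiE '[0-9a-f]{32}' | head -n 1)
    [ -n "$h" ] || return 1
    printf '%s\n' "$h" | tr 'A-F' 'a-f'
}

# Recompute the MD5 of the image and compare it with the logged value.
# Returns 0 on match, 1 on mismatch, 2 if either input is unusable.
verify_image() {
    local image=$1 log=$2 expected actual
    [ -r "$image" ] && [ -r "$log" ] || return 2
    expected=$(hashlog_md5 "$log") || return 2
    actual=$(md5sum < "$image" | cut -d ' ' -f 1)
    if [ "$expected" = "$actual" ]; then
        echo "MATCH    $image  $actual"
        return 0
    fi
    echo "MISMATCH $image  logged=$expected  computed=$actual"
    return 1
}

# Constructed demo: a small stand-in "image" and a hash log written for it.
demo() {
    local dir rc=0
    dir=$(mktemp -d)
    head -c 4096 /dev/zero > "$dir/MEDIA_ID.dd"
    printf 'Total (md5): %s\n' \
        "$(md5sum < "$dir/MEDIA_ID.dd" | cut -d ' ' -f 1)" \
        > "$dir/MEDIA_ID_md5.txt"
    verify_image "$dir/MEDIA_ID.dd" "$dir/MEDIA_ID_md5.txt" || rc=$?
    rm -rf "$dir"
    return "$rc"
}
```

For a real case, call `verify_image /media/disk/CASE_ID/LOCATION_ID/MEDIA_ID.dd MEDIA_ID_md5.txt` and record the result with the case notes.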

