Forensics
Re: Not constant sha1sum Sep 17 2007 11:18AM
Paul Vidonne (vidonne vidonne fr)
Hello All,

Thanks for all your good advices. The issue is probably a bad hardware.

File are stored on a EXT3 partition on a server running Linux Fedora.
When I compute with Linux (through ssh, then with server resources)
I have a bad result.
When I compute these same files situated on the same server with Windows
(through Samba, then with desktop resources) I have a good result.

As a conclusion I would say "Never trust one hash only. Forensic good
practice require two equal hash coming from two different ways"

At 10:33 08/09/07 +0200, LERTI - Paul Vidonne wrote:
>Hello all !
>
>Does smb met the following issue : several hash for an
>unique file ? Of course a big one (4 GB). OS is Linux
>Fedora. File system EXT3 mounted on a SATA RAID-5 on Adaptec
>card
>
>Could you enlighten me ?
>
>Exemple :
>[root@spica acquisit]# sha1sum -b 07667-SDH-dd.001
>fe8195547af6d7ce76cd2e44160e06310a964063 *07667-SDH-dd.001
>
>[root@spica acquisit]# sha1sum -b 07667-SDH-dd.001
>e8dde55722ed1f2424fd7bb6246163120c561927 *07667-SDH-dd.001
>
>[root@spica acquisit]# sha1sum -b 07667-SDH-dd.001
>65f5eb98d33f7ccb1a8a82b0e6d916921c9d97b9 *07667-SDH-dd.001
>
>The best is that the second hash is the good one !
>
>Truly yours,
>
>Paul Vidonne
>--
>LERTI - Laboratoire d'Expertise et de
> Recherche de Traces Informatiques
>http://www.lerti.fr +33.4 76 90 54 21

--
Paul Vidonne Consultant
16, chemin de Malacher
38240 Meylan
Tel : +33 4 76 90 65 97
http://www.vidonne.fr

[ reply ]


 

Privacy Statement
Copyright 2010, SecurityFocus