Inside the Core
The Macintosh Forensic Podcast


Disclaimer:
The Inside the Core podcast is provided for entertainment only. Any information, techniques, software or equipment that is discussed should be researched, tested and validated prior to use. This podcast is not a substitute for specialized training that is required for computer forensics. The topics of discussion and/or opinions are those of the host(s) and do not reflect the views of the hosts' employers or former employers. Discussion of content, goods, or services provided by outside entities does not imply endorsement. Nothing in the podcast should be construed as an offer, solicitation or recommendation to buy or sell any specific products or training.

In this episode, the MacDudes talk about iPhone backup files and tools to parse them, imaging iPods, how to extract a dictionary file from swap files over 2GB in size and the Plist of the Week.
Direct download: Inside_the_Core_Episode_5.m4a
Category: podcasts -- posted at: 8:04 PM
Comments[4]

    I tried the openssl md5 command mentioned in the podcast, it gave different checksums when I compared the /dev/disk(n) checksum to the dd created dmg.
    Once I mounted the disk image & ran the MD5 check against that the two matched. Shouldn't the second check be against the volume not the image?

    posted by: drew on Tue, 10/13 10:07 PM EDT

    Hi Drew. Thanks for listening to Inside the Core! Let's make sure you have the MD5 happening to the device and the image. Here is the series of commands I would use if I wanted to image and hash "disk1" on a Mac using DD.

    sudo openssl dgst -md5 /dev/disk1 > ~/Desktop/image.md5.txt
    sudo dd if=/dev/disk1 of=~/Desktop/image.dd.dmg
    sudo openssl dgst -md5 ~/Desktop/image.dd.dmg >> ~/Desktop/image.md5.txt

    Those 3 commands will MD5 hash "disk1" and save the results to a text file, DD "disk1" to an image file on my Desktop, and then MD5 the image file and append the results to the text file.

    Does that help?

    posted by: Ryan Kubasiak on Wed, 10/14 09:29 AM EDT

    Hi Ryan,
    I re-imaged the disk and hashed it again twice to be sure. I can't seem to get a hash that matches the first disk. I think I mixed up hashes originally.
    To be honest I'm more interested in the cloning with dd instead of the verifying with md5 hashes, but it troubles me that the verification is different each time.

    These are the results
    # original device was disk3
    MD5(/dev/disk3)= dd4081372c665c7496c9662267cbcf29
    # result of dd if /dev/disk3
    MD5(/Users/drew/Desktop/image.dd.dmg)= 8b1dc8c5bdccb480d9c814a3e4ab0d8c
    # mounted image device path
    MD5(/dev/disk8)= fc9986fe6d70c140061be26d0b664190
    # mounted image using Volumes/path
    MD5(/Volumes/FIREFLY 1/)= fad9965d689e8f23133283677e35fabd


    My original disk is a 4GB USB thumb drive (FAT32), mounted normally in 10.5.8. Any idea why it is never the same ?

    posted by: Drew on Thu, 10/15 04:36 PM EDT

    Hi Drew. Thanks for posting the details. Just to be sure, are you using the "openssl dgst -md5" for hashing? Don't use "md5" as your command. You will get different results. Email us with your steps/commands at (info@macosxforensics.com) so we can figure this out and then we can post the answer here for everyone.

    Thanks! Ryan

    posted by: Ryan Kubasiak on Mon, 10/19 01:41 PM EDT
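
Added example, not part of the original comments or the podcast: a shell version of the image-and-hash procedure discussed in the thread above that hashes the stream in the same pass in which dd writes the image, so the logged MD5 describes exactly the bytes in the image, and then re-reads the image to verify it. The function names, the log layout and the constructed sample file standing in for `/dev/diskN` are assumptions made for illustration.

```shell
#!/bin/sh
# Added example. The source here is a constructed file standing in for /dev/diskN.

# Print only the hex MD5 of stdin (openssl as in the thread; md5sum as fallback).
md5_stream() {
    if command -v openssl >/dev/null 2>&1; then
        openssl dgst -md5 | awk '{print $NF}'
    else
        md5sum | awk '{print $1}'
    fi
}

# image_and_verify SRC IMG LOG
# Reads SRC once: tee writes the image while the same bytes feed the hash,
# so the logged acquisition hash describes exactly what landed in IMG.
image_and_verify() {
    src=$1 img=$2 log=$3
    acq=$(dd if="$src" bs=1048576 2>/dev/null | tee "$img" | md5_stream)
    [ -s "$img" ] || { echo "imaging failed: $img is empty" >&2; return 2; }
    ver=$(md5_stream < "$img")          # independent re-read of the image
    {
        echo "acquisition MD5($src)= $acq"
        echo "verification MD5($img)= $ver"
    } > "$log"
    [ "$acq" = "$ver" ]
}

# source_matches_log SRC LOG: re-hash the source and compare it to the logged
# acquisition hash. Fails if the source changed after it was imaged.
source_matches_log() {
    now=$(md5_stream < "$1")
    logged=$(awk '/^acquisition/ {print $NF}' "$2")
    [ "$now" = "$logged" ]
}

# Demo on constructed data (64 KiB of zeros plus a marker string).
demo_dir=$(mktemp -d)
{ dd if=/dev/zero bs=1024 count=64 2>/dev/null; echo "constructed sample"; } \
    > "$demo_dir/source.bin"
image_and_verify "$demo_dir/source.bin" "$demo_dir/image.dd" \
    "$demo_dir/image.md5.txt" && cat "$demo_dir/image.md5.txt"
```

Against a real device the same function would be run with root privileges and `SRC` set to the device node; a later mismatch from `source_matches_log` means the source no longer holds the bytes that were imaged.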

