Helix question




Posts: 6

Joined: Tue Feb 03, 2009 3:03 am

Post Fri Feb 27, 2009 1:51 am

Helix question

I've been busy for a while now; we're using Helix in my digital forensics class...it's fascinating, to say the least...

I have a bit of an issue though.

We're using VMware to test out acquiring and cloning images of hard drives. The premise is that we mount "suspect" hard drives in Helix in read-only, and then we use Adepto to obtain a .dd image of said hard drive, saving the image to a separate hard drive.

However, whenever I try and use Adepto to restore the image to another hard drive, the restore fails due to the fact that the hash values do not match. A simple restart of the Helix live CD helps this, but I'd like to see if there's any other option before restarting. Has anyone else had this happen to them? I'm thinking it may just be VMware, but I need a second opinion.

Thanks for reading  :)


Hero Member

Posts: 1021

Joined: Fri Jul 04, 2008 7:44 pm

Location: Philadelphia, PA

Post Fri Feb 27, 2009 8:32 am

Re: Helix question

There could be a number of reasons why hash numbers don't match when you attempt to restore the image to another hard drive. One major reason is bad sectors on the drive. Watch the dmesg output or read the /var/log/messages file to see if the following errors occur:

kernel: hdX: read_intr: error=0x40 { UncorrectableError }, LBAsect=98823, sector=98759

You should also verify your image when you acquire it.  Make sure the hashes match when you acquire the image.

I am not sure if VMware could be part of the issue, especially if you are imaging a VMware disk. Even if you are booting from a Helix CD in VMware, I am not sure if something else isn't writing to the vmdk files.

The point is that there are many things that can go wrong. Maybe we can help you pinpoint the issue. What is the exact configuration you are using? What drive types and makes, external USB to IDE/SATA connectors, and other devices are you using? What is your procedure? What do the Adepto logs say?

BTW, all of the above should be going into your case log as you are doing an investigation.  Some of the information should go onto an Acquisition Document. 
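
The two checks suggested in the reply above, written out as an added example (not part of the original thread and not Adepto's own code): scanning a saved kernel log for uncorrectable read errors, and comparing an image against its source or restore target. The function names, the choice of SHA-256, the log timestamp/host prefix and the sample files are assumptions constructed for illustration; the comparison covers only the image's length, so a target drive larger than the image does not produce a false mismatch.

```shell
#!/bin/sh
# List "device LBA" for every uncorrectable read error in a kernel log
# (saved dmesg output or /var/log/messages).
scan_read_errors() {
    awk '/read_intr:/ && /UncorrectableError/ {
        dev = "?"; lba = "?"
        for (i = 1; i <= NF; i++) {
            if ($i == "read_intr:" && i > 1) { dev = $(i - 1); sub(/:$/, "", dev) }
            if ($i ~ /^LBAsect=/) { lba = $i; gsub(/[^0-9]/, "", lba) }
        }
        print dev, lba
    }' "$1"
}

# SHA-256 of the first $2 bytes of file or block device $1.
hash_prefix() {
    head -c "$2" "$1" | sha256sum | cut -d' ' -f1
}

# Succeeds only if $2 (source or restore target) matches image file $1
# over the image's length; bytes past the end of the image are ignored.
matches_image() {
    size=$(wc -c < "$1" | tr -d ' ')
    [ "$(hash_prefix "$1" "$size")" = "$(hash_prefix "$2" "$size")" ]
}

# Constructed sample data so the functions can be tried offline.
make_samples() {
    SAMPLES=$(mktemp -d)
    {
        echo 'Feb 27 01:40:02 helix kernel: hdX: read_intr: status=0x59 { DriveReady SeekComplete DataRequest Error }'
        echo 'Feb 27 01:40:02 helix kernel: hdX: read_intr: error=0x40 { UncorrectableError }, LBAsect=98823, sector=98759'
    } > "$SAMPLES/messages"
    yes forensic | head -c 4096 > "$SAMPLES/suspect.dd"
    # Restore target larger than the image: image bytes plus an untouched tail.
    { cat "$SAMPLES/suspect.dd"; head -c 1024 /dev/zero; } > "$SAMPLES/target_ok"
    # Same size as the image, but the first 512-byte sector differs.
    { head -c 512 /dev/zero; tail -c 3584 "$SAMPLES/suspect.dd"; } > "$SAMPLES/target_bad"
}

make_samples
scan_read_errors "$SAMPLES/messages"
matches_image "$SAMPLES/suspect.dd" "$SAMPLES/target_ok" && echo "target_ok: match"
matches_image "$SAMPLES/suspect.dd" "$SAMPLES/target_bad" || echo "target_bad: MISMATCH"
```

On a real system the second argument to `matches_image` would be the read-only source or the restored device node, and both hashes belong in the case log.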
