Creating a reference drive

This page describes a procedure for creating a hard drive (or other storage device) with an independently known hash. The process of creating the drive uses a csh shell script to exercises several components of the computer and can also serve as one component of a demonstration that a computer is in working order. The script generates a byte stream that is written to the drive and computes both an MD5 and a SHA1 for the stream. The script then reads back the data written to the drive earlier and computes again the MD5 and SHA for comparison to the original values. This checks both the computer and the storage device. Since the reference drive has independently known hash values the device can now be used to verify that an imaging tool can make a complete and accurate image of the device.

If you use this procedure please bear in mind that all information on the hard drive before running cal-drive.csh is overwritten and lost.

Download or obtain a Linux boot CD. The script runs in the Linux environment. The CFTT Federated Testing CD works fine.
Download the csh script cal-drive.csh. This is a new version as of March 17, 2016.
Copy cal-drive.csh to removable media.
Select a storage device to become the reference drive. Please be sure that the drive contains no data, since everything on the drive will be lost.
Determine the size of the drive in sectors.
Select a computer.
Prepare the computer to boot: set the BIOS boot order to CD first, insert CD and attach storage device.
Boot the computer.
If the Linux CD does not boot, diagnose the problem and repeat until linux boots.
After a Linux environment is established, determine the device name of the reference drive. If it is a USB, Firewire or SCSI it will likely be one of sda, sdb, etc.
Mount the removable media that contains cal-drive.csh.
Copy cal-drive.csh to the /tmp directory and make the script executable:

cp /media/your-drive/cal-drive.csh /tmp/cal-drive.csh
chmod +x /tmp/cal-drive.csh

Execute the script to create the reference drive. If the device name of the reference drive is /dev/sda then the command is: cal-drive.csh sda
This may take some time to finish.

After the script is finished the log file cal-log.txt should be examined to verify that the expected hashes computed independently of the storage device match the hashes computed from the data read from the storage device.

Example

We used a 32MB Fujifilm USB drive for this example. We got the following log file from cal-drive.csh.

Calibrate Drive log file (cal-log.txt)
Sat Jan 8 12:53:14 EST 2005
Using drive: sda
Attached scsi removable disk sda at scsi1, channel 0, id 0, lun 0
SCSI device sda: 63424 512-byte hdwr sectors (32 MB)
sda: Write Protect is off
sda: unknown partition table
/dev/sda has 63424 sectors
The answer to continue? yes or no is yes
MD5 should be: 34C6BC0094587795C90B21B3B0BD7761 -
MD5 on drive is: 34C6BC0094587795C90B21B3B0BD7761 -
SHA1 should be: F443462D84F81F5D2533749F45D56123F814B96D -
SHA1 on drive is: F443462D84F81F5D2533749F45D56123F814B96D -

Since both sets of hashes match we know that reading and writing to the device worked correctly. We now tried to acquire the drive with both EnCase and the IXimager. We checked the validity of the acquisitions by comparing the hash value reported by the imaging tool with the known hash. As can be seen below, for both tools we obtained the expected value for the hash.

EnCase Report File

Name:    Thumb
Description:    Physical Disk, 63424 Sectors, 31MB
Logical Size:
Physical Size:    512
Starting Extent:    0S0
File Extents:    1
Physical Location:
Evidence File:    Thumb
Full Path:    Calibration-thumb\Thumb
File Extents
Start Sector    Sectors    Start Cluster    Clusters
    1

Device
Evidence Number:    Thumb
File Path:    C:\Documents and Settings\Dr. James R. Lyle\My Documents\EnCase Cases\calibration.E01
Examiner Name:    JRL
Actual Date:    01/08/05 01:37:09PM
Target Date:    01/08/05 01:37:09PM
Total Size:    32,473,088 bytes (31MB)
Total Sectors:    63,424
File Integrity:    Completely Verified, 0 Errors
EnCase Version:    4.19a
System Version:    Windows 2000
Acquisition Hash:    34C6BC0094587795C90B21B3B0BD7761
Verify Hash:    34C6BC0094587795C90B21B3B0BD7761

Cannot read the partition table

IXimager Log File

Jan 8 12:19:39 syslogd started: BusyBox v1.00-rc2 (2004.08.16-07:20+0000)
Jan 8 12:19:39 init: ^MStarting pid 44, console /dev/null: '/sbin/klogd'
Jan 8 12:19:39 kernel: klogd started: BusyBox v1.00-rc2 (2004.08.16-07:20+0000)
Jan 8 12:19:39 kernel: Linux version 2.4.27-erik (andersen@dillweed) (gcc version 3.3.4) #1 Sat Aug 14 11:10:10 MDT 2004

... a lot of omitted stuff ...

... IXimager found the device ...
Jan 8 12:20:06 kernel: Initializing USB Mass Storage driver...
Jan 8 12:20:06 kernel: usb.c: registered new driver usb-storage
Jan 8 12:20:06 kernel: scsi2 : SCSI emulation for USB Mass Storage devices
Jan 8 12:20:06 kernel:   Vendor: Fujifilm Model: USB Drive         Rev: 4.50
Jan 8 12:20:06 kernel:   Type:   Direct-Access                      ANSI SCSI revision: 02
Jan 8 12:20:06 kernel: Attached scsi removable disk sda at scsi2, channel 0, id 0, lun 0
Jan 8 12:20:06 kernel: SCSI device sda: 63424 512-byte hdwr sectors (32 MB)
Jan 8 12:20:06 kernel: sda: Write Protect is off
Jan 8 12:20:06 kernel: unknown partition table

... more stuff omitted ...

... and the SHA matches

Jan 8 12:20:34 iimager: Beginning Verify operation for 32473088 bytes
Jan 8 12:21:24 iimager: Verify Complete
Jan 8 12:21:24 iimager: Verify was completed successfully.
Jan 8 12:21:24 iimager:
Jan 8 12:21:24 iimager: Read           : 32.47 MB (32473088 bytes)
Jan 8 12:21:24 iimager: Written        : 0.000 MB (0 bytes)
Jan 8 12:21:24 iimager: Total Processed: 32.47 MB (32473088 bytes)
Jan 8 12:21:24 iimager: Verify Speed   : 649.5 kB/sec
Jan 8 12:21:24 iimager: Elapsed Time   : 0h 0m 50s
Jan 8 12:21:24 iimager: Bad Sectors    : 0
Jan 8 12:21:24 iimager: SHA-1 Value    : f443462d84f81f5d2533749f45d56123f814b96d
Jan 8 12:21:24 iimager:                : for 32473088 bytes