David,
> I'm examining an 80 Gig hard drive. I started with
> Knippix 3.6 and took
> an initial hash with the drive inside the computer
> and md5sum returned:
> a4d83bac721f9e9cbef44a0f19c9f1d3 /dev/hda
So you dropped in your KNOPPIX CD and made certain no
file systems nor swap partitions (if applicable) were
mounted or activated, and then you authenticated the
physical device "/dev/hda" using 'md5sum' (Just want
to make certain.)?
> I installed the drive in another machine (Suse 9.3)
> for examination and
> md5sum returns:
> ae319c49dbfc21fd2f392769083bed58 /dev/hdb
So you then removed the suspect drive and dropped it
into another system and received this hash value above
using your Suse 9.3 installation?
Again, absolutely certain your Suse didn't mount or
activate anything on the suspect drive?
> Using knoppix again, I get:
> a4d83bac721f9e9cbef44a0f19c9f1d3 /dev/hda
>
And then you booted your Suse system with your same
KNOPPIX CD and received the hash above, yes?
Which kernel version for KNOPPIX CD (2.4 or 2.6)?
Which kernel version for your Suse installation?
You've confirmed these three findings by stepping
through the same steps you took at least one more
time?
You're certain you authenticated the correct device
node using your Suse installation?
Let us know, until then we can only speculate. Odd
size drive, authenticated the wrong device node, etc.
regards,
farmerdude
http://www.forensicbootcd.com
__________________________________________________
Do You Yahoo!?
Tired of spam? Yahoo! Mail has the best spam protection around
http://mail.yahoo.com
|
