You don't say how you run ROBOCOPY, so you have to answer yourself: do any of the command line options you used affect the forensic cleanness of the original data or the data path? Did it return an exit status indicating an error? data for which you already have authoritative results.)
Have you validated your imaging methodology on the relevant platform? Or do you have the necessary data to do such a validation? (This would basically be a set of files containing hash validation data, i.e. Something changes your source data while you are working, or your data path is not forensically clean, or you are not using your tools in the right way. How would you explain this strange result? >What I now do not understand at all: the hash values are different too. Under what circumstances does the version of ROBOCOPY you are using behave like that? Always? That is, you can repeat the job (or a subset of it) say three times and get exactly the same result each time? Or does something (even insignificant, like a timestamp or a hash value) change between attempts? We strongly assume that this is caused by a known issue of ROBOCOPY (modified >date set to ).ĭon't stop there. >Now we have copied a large amount of data several times (for forensic analysis) and we are >seeing for a few files the same size and content of data but diffent values of the modified >timestamp. You don't say what tools you are using, so we are not in a particularly good position to make suggestions.
However, it is up to you to know how the tools you are using actually compute hashes. Metadata such as the file name, timestamps, permissions, etc. As I understand the hash of a file is the hash of its contents.
0 kommentar(er)
