things i should not forget, and that, eventually, could interest people


How to calculate the hash of a CD or DVD on Mac OS X


The daily work of the forensic investigator requires precision and deep control of the technical tools involved. For example, it is well known that tampering with even a single bit of a digital file makes its hash change completely. This can be critical when initiating a chain of custody for digital evidence, so I always use Linux when possible, because of the absolute control it gives over everything needed in the process.

The problem appears when an acquisition has to be done at your customer’s offices, and the digital evidence must be burned to CD and hashed in front of your customer, the lawyer, the notary, the guy you are going to investigate … on your shiny Mac. Here are the steps that I use on these special occasions:

  • first, on the desktop, create a Burn Folder by right-clicking and selecting Burn Folder from the pop-up menu
  • I drag and drop into it all the files that will be included as electronic evidence in this chain of custody
  • a double-click on the folder opens it. A button named Burn appears in the upper-right corner, so you can press it after inserting a blank CD or DVD

Now, the interesting stuff: you need to calculate the hash and probably burn identical copies with an identical cryptographic hash.

  • insert the CD or DVD and, in a terminal, type the command diskutil list, which will list the devices used by your CD

$ diskutil list

/dev/disk2

#:                       TYPE NAME                    SIZE       IDENTIFIER
0:        CD_partition_scheme                        *6.8 Mi     disk2
1:     Apple_partition_scheme                         6.0 Mi     disk2s1
2:        Apple_partition_map                         31.5 Ki    disk2s1s1
3:                  Apple_HFS Carpeta de grabación   4.9 Mi     disk2s1s2

  • install a command-line hash tool. I use sha256deep, included in the MacPorts port md5deep (sudo port install md5deep)
  • you must hash the raw device associated with the Apple_partition_scheme entry. In this example, the associated raw device is /dev/rdisk2s1. Be careful to use rdisk, not disk, because the latter requires you to unmount the CD:

$ sha256deep /dev/rdisk2s1

108143e8b1460cc2e8983bcc06cf792ea9837174c203c8cd4ab50ee87c9c5d9d  /dev/rdisk2s1

Making copies of the CD:

  • For some reason I don’t know, a dd command won’t work, so I use cat:

$ cat /dev/rdisk2s1 > image.cdr

  • check the hash:

$ sha256deep image.cdr

108143e8b1460cc2e8983bcc06cf792ea9837174c203c8cd4ab50ee87c9c5d9d  image.cdr

  • and burn the image as many times as you need with Toaster or Disk Utility


  • this method will also work with single-session CDs recorded elsewhere. In those cases, diskutil should not show the Apple partition scheme but the data directly after the CD scheme:

#:                       TYPE NAME                    SIZE       IDENTIFIER
0:        CD_partition_scheme                        *785.4 Mi   disk2
1:              CD_ROM_Mode_1 wifislax-3.1            683.9 Mi   disk2s0


Written by dervitx

11 May 2009 at 21:23