MD5 hash question - full hard drive

Discussion in 'Acronis True Image Product Line' started by Packrat1947, Jul 23, 2008.

Thread Status:
Not open for further replies.
  1. Packrat1947

    Packrat1947 Registered Member

    Joined:
    Mar 31, 2006
    Posts:
    7
    Hi Guys,

    Just recently I cloned my friend’s new HP Vista laptop. True Image 10 hung up at 5 seconds to go, I was forced to kill the computer. This was the bootable CD version of TI. Long story short, the source drive was now unbootable, however the target clone did boot.

    So somehow TI 10 actually wrote to the source drive. I had to use a Vista disk, and allow it to fix the partition table. I really have no confidence in TI now.

    Does anyone know of a MD5 hasher that will work on hashing a complete drive or partition. All the hashers that I’m seeing only do individual files, or at most a folder. I’m looking for total HD hash.

    Anyone have any ideas here?

    Packrat1947
     
  2. shieber

    shieber Registered Member

    Joined:
    Oct 27, 2004
    Posts:
    3,710
    I don't know how it would be possible to clone a drive to itself. Are you sure you cloned rather backued up.

    It's possible you had a failed cloine and had the option selected to erase the source drive--but I doubt it.
     
  3. Packrat1947

    Packrat1947 Registered Member

    Joined:
    Mar 31, 2006
    Posts:
    7
    It was definitely a clone - and it was done in the correct direction. This is twice in the last year, that this has happened. What I want to do is to "catch it in the act".

    It looks like WinHex has full drive hashing capabilities. So maybe I'll explore that.

    For the time being, I'll be going back to Ghost 2003 and version 11 Corporate for work on customer's computers.

    If one has XP SP2 there is a small .reg file that is floating around the turns off writing to USB. Then it can be turned back on. I'm going to try that method too. It is called WriteProtectOn.reg - or something very similar. People rename it for their own convenience. I know this works on flash drives, but don't know if Acronis will gag for some reason.

    All this is very embarrassing for me too. I’m always telling my friends to do file level backups, and also full disk type. So I perform this and nearly have an unbootable computer. Lots of egg on my face here – and confidence shaken to the core. We HAVE to find something else. There is no excuse for writing to the source drive. I should look into a hardware write blocker too; but these are very expensive.

    That's all for now.
    Packrat1947
     
  4. shieber

    shieber Registered Member

    Joined:
    Oct 27, 2004
    Posts:
    3,710
    So you're saying this happens with full backup s and file-by-file backup as well as cloning?
     
  5. DwnNdrty

    DwnNdrty Registered Member

    Joined:
    Mar 28, 2007
    Posts:
    3,335
    Location:
    Florida - USA
    Whenever True Image has to be aborted, for whatever reason, there are always unpleasant surprises. You're lucky the target drive was in fact cloned and booted. Next time try the reverse clone where you put the target drive in the laptop and the original drive in the external enclosure. Or try making a Backup of the original then use Recover to restore the backup Image to the target drive. I know, it's one step extra, but it may avoid having egg on your face.
     
  6. Packrat1947

    Packrat1947 Registered Member

    Joined:
    Mar 31, 2006
    Posts:
    7
    Right now I have ver. 11 up. This is the installed version and not the bootable Cd. Go up to the Tools menu, and you'll see Clone Disk.

    We use this when we want to go from a small HD to a larger one. Normally we can use the manufactures software to do this. Very reliable too.

    But Acronis should be able to do this too. It is not rocket science. I think that Seagate is using a version of TI too.

    That's all for now.
    Packrat1947
     
  7. MrMorse

    MrMorse Registered Member

    Joined:
    Jun 12, 2008
    Posts:
    737
    Location:
    Germany
    Right, that is the task of a cloning tool.

    But you have to consider what 'cloning' is:
    A device1 must be copied to device2. In this case 'Copy' means that all clusters, all sectors, all tracks and all bytes are identically on both devices.
    (I talk about cloning without changing the partition sizes)

    Cloning happens in one PC with at least two devices.
    When cloning is finished the PC must be bootable. The image software has to decide from what device the PC will boot.
    And here the software (Ti) decides that it is the new larger device (=device2).

    And then the device1 will be marked as non-active or hidden, etc.
    In other words: Ti writes something to the source device.

    Do you know the old "DriveImage" from PowerQuest? Here was the same but you could choose what device will be bootable after cloning. The other device was marked as 'hidden'.

    I'm not wondering about this behavior of TrueImage.
    That is also the reason to have Acronis DiskDirector. With DD you can change the device attributes so that device1 will be the bootable one.
     
  8. shieber

    shieber Registered Member

    Joined:
    Oct 27, 2004
    Posts:
    3,710
  9. Packrat1947

    Packrat1947 Registered Member

    Joined:
    Mar 31, 2006
    Posts:
    7
    Hi Gents,

    I mainly do malware removal from customer’s computers. Things can go downhill in a hurry when we are messing with deeply imbedded malware. So most of the time, when I see a heavily infected box, I first “clone” to one of my drives. I either do it via USB or internally. I then make sure that the computer will boot off of each one - in the normal SATA or IDE positions. Only then will I start to work on MY drive. When I’m happy with the computer, I then clone back to the customers drive. I want to do all the heavy lifting on my drive, and to have a good fallback position in case things spiral out of control.

    I do realize that clone means different things in different programs. I’m pretty sure that Acronis does not copy the swap file, or other useless data (for our purposes).

    Now in the forensic field a clone means capturing the slack area, deleted files, etc.

    When I successfully clone, both source and target drives do bootup. So I’m thinking that the archive bit is not turned off.

    I use Ghost, Acronis, and sometimes Paragon. Acronis wants to give up when it detects the slightest file error. This is not good. In Ghost we can activate a switch to ignore errors and carry on. This is good. Paragon will do as Ghost does. Small minor concerns in some long lost corner, are of no concern. We think of HDs as a large library. All librarys have faults somewhere. Loose shelves, leaking faucets, etc. As long as they don’t bother us, they are of no concern. And yes, I know of chkdsk c: /f .

    I’ve also seen on forums where someone hears about someone using chkdsk, and out of curiosity runs it on a perfectly good computer. Now the computer will not boot. Ouch.

    Well, that’s all for now. Working on a older infected Dell. It has to go back tomorrow, so no time for the niceties of cloning. I don’t like it this way.

    Packrat1947
     
Thread Status:
Not open for further replies.