Disk_crc reads the contents of a disk (floppy or hard disk) and produces a 32-bit CRC of that disk. This CRC can be kept as a reference and used at a later time to verify whether the contents of the disk have changed. The -h option additionally produces the MD5 (128-bit) hash of the disk, and the -s option the SHA hash. (Note: wherever this document refers to a CRC, an MD5 or SHA hash value can be used in the same way by adding the -h or -s option.)
Disk_crc can be used for forensic purposes by creating a "reference" CRC of a seized or original disk drive. Then, after making a backup of the physical disk, run Disk_crc again to generate a "current" CRC, either of the original (to show it was not altered during the operation) or of the copy (to show it is an identical copy). If anything has been changed, the CRCs will differ. A matching CRC is strong evidence that the copy is sector-for-sector identical, but a 32-bit CRC is not collision resistant, so for evidentiary work record the MD5 (-h) or SHA (-s) hash as well.
The recommended way to use Disk_crc is to generate a text "receipt" (-r option): a text output file with logging and accounting information, the disk parameters, the command line used and, most importantly, the hash value of the drive. This value can be kept as a reference for future comparison runs. A receipt is also required when the disk sectioning options (-b, -e) are used, since that is the only place the result is recorded.
Disk_crc can be used to create a reference CRC and, at a later time, a current CRC. Any difference indicates that the data differs.
Disk_crc can be used to verify that a "copy" of a floppy disk is an exact copy.
Disk_crc can be used to detect in which block of a hard disk an alteration has occurred. This points to a possible location of a password or some other significant piece of security information.
Disk_crc, when used with the -r (receipt) option, creates an output file containing the final CRC or MD5/SHA hash of the disk being analyzed. This file can be delivered to the suspect or included in a report for future reference.
Disk_crc processes entire physical drives. Logical partitions on a hard disk are not supported as such, but the -b and -e sectioning options can be used to cover a partition's sector range instead. This is a more flexible capability, but it requires the user to identify exactly which sectors of the disk are involved.
Disk_crc can process Linux (ext2) and Macintosh floppy disks.
Disk_crc can also process unusual floppy disks that do not have standard boot sectors. Use the -R (for RAW) operation.
In some instances it can also process IOMEGA’s ZIP disks. (SCSI models)
Use in conjunction with other Maresware programs: when an "image" of a floppy disk is made using Diskimag, the programs Crckit or Hash can subsequently be run to determine the CRC of the image file on the hard disk. If Disk_crc is run on the original disk, the final CRC it generates should match the one reported by Crckit or Hash. If they are the same, the user can be confident that the "image" on the hard disk is a sector-for-sector copy of the original floppy disk.
NOTE: When attempting to access physical drive 1, if that drive is controlled by a driver (such as a SCSI driver), and not by the BIOS, the Disk_crc program may not work.
NOTE: Disk_crc will NOT work on a hard drive when run in a DOS box under Windows NT or Win2K, because it must access the hardware directly and NT does not allow this. A new version that works from NT is planned for 2003. (If doing a CRC of a floppy, Disk_crc will run from any Windows platform.)
Disk_crc reads a disk using extended INT 13h, partition information, or BIOS information (in that order), from the first to the last sector of the drive. It reads in "blocks" of roughly 126 sectors at a time (depending on geometry). The block size can be changed with the -m option.
When creating a "reference" (-o) output: as each block is read, the program updates the 32-bit CRC (or hash) with that block of data and writes the CRC value so far to the output file as a 4-byte binary value. This is repeated until the entire disk has been processed. The output file therefore contains binary records for use solely by the program; they are of no use to the operator, and attempting to view the file in a text editor is a common mistake. If you want to inspect it, use a hex editor or viewer. The last section of the output file contains the ASCII value of the final CRC or hash; go to the end of the file in a hex editor and the values are readily apparent.
CRCs for smaller amounts of data (e.g., a CRC every 2 sectors) are NOT written to the output file by default, for two reasons: (1) the output for a hard disk is generally assumed to be written to a floppy disk, which has limited space for 4-byte records; (2) even at the default block size, the output for a 10 GB drive is approximately 2 MB, which clearly will not fit on a single floppy. So, if you are checking a large drive, send the output to a hard disk, Zip or Jaz disk with sufficient space.
Disk_crc's second operating mode reads a previously created Disk_crc output/reference file as input (-i option). As it processes each block of the disk under test, it compares the CRC calculated so far with the corresponding value in the reference file. A mismatch produces an error message, alerting the user to a data alteration.
When a possible alteration is reported, the user can tell Disk_crc to continue or to abort. In most cases the first error is reason enough to abort. If the user chooses to continue, the program resets its CRC state and carries on, so the final indication after a CRC error will be a match; but that match covers only the sectors after the last point at which the user told the program to continue. The MD5 (-h) and SHA (-s) values are never reset, so if the final MD5 or SHA does not match, you have a record of the mismatch regardless. For this reason it is suggested that -h or -s always be used.
First: run Disk_crc with the -o option to create a reference file. The program reads blocks of data from the disk and after each read adds a record to the reference file (the cumulative CRC up to that point). At the end of the run the ASCII value of the final CRC is appended to this "binary" reference file.
Later: run Disk_crc with the -i option, naming the reference file as input. The disk under test can be either the original disk or a presumed 100% copy. The program repeats the operation, comparing the reference records with the current calculations as it processes the disk, and stops when a difference occurs (unless -n is used).
When the -h (HASH) option is used with the -o (output) option, the 128-bit MD5 hash is calculated for the entire subject disk and placed at the end of the output file after the CRC value. The later run should use the -i (input) option to compare a current disk against the reference file; if -h is also given, the MD5 of the current disk is compared with the reference MD5 at the end of the input file. A matching MD5 is far stronger evidence than a matching 32-bit CRC, though not an absolute proof: MD5 collisions have since been demonstrated, so where it matters use -s as well and record both values in the receipt.
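The two-pass procedure above, including the continue-after-mismatch behaviour described earlier and the -m block size, modelled in Python over a raw sector image instead of a physical drive. This is an added example, not Maresware code: the record layout (one 4-byte big-endian cumulative CRC32 per block, then an ASCII trailer with CRC32, MD5 and SHA-1) and the reading of "reset" as resynchronising to the reference record are assumptions, since the page does not specify Disk_crc's actual file format; the sample image and the function names are mine.

```python
"""Model of Disk_crc's two modes (-o reference creation, -i comparison) run
over a raw sector image instead of a physical drive.

Added illustration, not Maresware code.  The byte layout is an assumption
(the page does not give the real file's layout or byte order): one 4-byte
big-endian cumulative CRC32 per block, then an ASCII trailer holding the
final CRC32 and, if requested, the MD5 and SHA-1 of the whole range.
"""
import hashlib
import io
import struct
import zlib

SECTOR = 512
BLOCK_SECTORS = 126  # documented default block size; -m changes it


def make_reference(image: bytes, block_sectors: int = BLOCK_SECTORS,
                   md5: bool = False, sha: bool = False) -> bytes:
    """Like `disk_crc -o ref [-h] [-s]`: one cumulative CRC32 record per block,
    then the ASCII trailer at the end of the file."""
    step = block_sectors * SECTOR
    crc, h_md5, h_sha = 0, hashlib.md5(), hashlib.sha1()
    out = io.BytesIO()
    for off in range(0, len(image), step):
        block = image[off:off + step]
        crc = zlib.crc32(block, crc)        # running CRC over everything so far
        h_md5.update(block)
        h_sha.update(block)
        out.write(struct.pack(">I", crc))   # 4-byte binary record, not text
    trailer = f"CRC32={crc:08X}"
    if md5:
        trailer += f" MD5={h_md5.hexdigest()}"   # 32 ASCII hex characters
    if sha:
        trailer += f" SHA1={h_sha.hexdigest()}"  # 40 ASCII hex characters
    out.write(trailer.encode("ascii"))
    return out.getvalue()


def verify(image: bytes, reference: bytes, block_sectors: int = BLOCK_SECTORS,
           continue_on_error: bool = False) -> dict:
    """Like `disk_crc -i ref [-h] [-s] [-n]`.  Reproduces the documented
    quirk: after a mismatch the block CRC is resynchronised to the reference
    record (assumed to be what "reset" means) so later blocks, and the final
    CRC, can still match; MD5/SHA-1 run over the whole disk and never reset."""
    step = block_sectors * SECTOR
    n_blocks = (len(image) + step - 1) // step
    trailer_bytes = reference[4 * n_blocks:]
    if not trailer_bytes.startswith(b"CRC32="):
        raise ValueError("record count differs: wrong -m block size or disk size")
    records = struct.unpack(f">{n_blocks}I", reference[:4 * n_blocks])
    trailer = dict(kv.split("=", 1) for kv in trailer_bytes.decode("ascii").split())
    crc, h_md5, h_sha = 0, hashlib.md5(), hashlib.sha1()
    mismatches = []  # base-1 number of the first sector of each mismatching block
    for i in range(n_blocks):
        block = image[i * step:(i + 1) * step]
        crc = zlib.crc32(block, crc)
        h_md5.update(block)
        h_sha.update(block)
        if crc != records[i]:
            mismatches.append(i * block_sectors + 1)
            if not continue_on_error:
                return {"mismatches": mismatches, "crc_match": False,
                        "md5_match": None, "sha_match": None}
            crc = records[i]  # "reset": resync so the run can carry on
    return {
        "mismatches": mismatches,
        "crc_match": crc == int(trailer["CRC32"], 16),
        "md5_match": h_md5.hexdigest() == trailer["MD5"] if "MD5" in trailer else None,
        "sha_match": h_sha.hexdigest() == trailer["SHA1"] if "SHA1" in trailer else None,
    }


def demo() -> dict:
    """Constructed 300-sector image with one byte altered in sector 150 (base 1),
    i.e. inside the second 126-sector block (sectors 127..252)."""
    original = bytes(range(256)) * (300 * SECTOR // 256)
    altered = bytearray(original)
    altered[149 * SECTOR] ^= 0xFF
    ref = make_reference(original, md5=True, sha=True)
    return {"clean": verify(original, ref),
            "stop": verify(bytes(altered), ref),
            "continue": verify(bytes(altered), ref, continue_on_error=True)}


if __name__ == "__main__":
    for mode, result in demo().items():
        print(mode, result)
```

The "continue" result is the one worth studying: the block CRC reports a mismatch at sector 127 and then a final match, exactly as the text warns, while the MD5 and SHA-1 carried in the trailer still fail. The block-size check at the top of `verify` catches the case the -m option warns about, where the reference was built with a different block count.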
Large Disk access:
Disk_crc can handle large drives that are LBA addressed. If a drive can be accessed using LBA, that is the default operation. LBA support is only available on hard drives. When LBA is used, the total number of sectors on the drive is used and the CHS values are ignored. (The -b and -e options are only available with LBA drives.)
The output file created with the -o option is a binary file for internal program use. You are free to look at it with a hex editor, but the records will not mean anything to you. The only part of the file of value to the user is the last 100 or so characters: the end of the file contains ASCII characters which the user can read. You may be able to compare this value with the output of other CRC programs, but a match is not guaranteed, since the total number of sectors taken into account, or their order, may differ from program to program. For this reason a "mismatch" between programs does not necessarily mean an alteration; it may merely mean that the calculations were performed over a different number of sectors. A match, however, means that both programs performed the same calculation over the same sectors, and therefore that the disks are identical as far as a CRC can show.
-B Show some debugging disk information. Prints the disk parameters on the screen so the user knows which disk is being analyzed. If you are accessing a Mac hard drive, some of the partition table and total sector information may not seem accurate, because Mac disks do not have a traditional DOS partition table.
-d + drive to check. For physical hard drives use 0, 1, 2, etc. (-d 0, -d 1). For logical drives, only A: and B: are currently supported.
-o + output file in which to place the CRC32 of each block. -o and -i are mutually exclusive.
-h Add the MD5 hash at the end of the output file and, if the input (-i) option is used, compare it with the previous MD5 value. This adds 32 bytes (the hash in hex) to the output file and increases processing time dramatically.
-s Add the SHA (Secure Hash) at the end of the output file and, if the input (-i) option is used, compare it with the previous value. This adds 40 bytes (the hash in hex) to the output file and increases processing time dramatically.
-i + input file holding original/reference CRCs. Use this during the second pass to verify that no alterations were made to the disk. (Not used with -b and -e options).
-m + # (or -M + #) Replace # with a number between 1 and 126. This instructs the program to make the calculations every # sectors. Be certain that if you create a reference file using a value with this option you use the same value when you compare against the reference file with the -i option. If the disk is very large, do not use too small a value or the output reference file will be very big. The only time this option is suggested is when there appear to be errors in the first few tracks (usually the partition and boot record). You can rerun the reference and then the comparison using a small value of 1 or 2, and this will pinpoint the exact sector that has a problem. (If you do this, do not let the program run to completion; let it run for about 10000 sectors and then hit ^C to abort. The output file will be intact.)
-n Do not print errors to the screen. Do not stop after each error. (When used with -i option)
-R If you have a diskette whose size cannot be determined, you can ask the program to process it in "R"aw mode. It tries to determine the physical characteristics of the diskette in order to continue processing. If you use -R, it is suggested that you also use -B at least once to check that the disk parameters it found are sensible. This option is hard on the disk drive and the diskette. Note: this option is case sensitive (-R is raw mode; -r is the receipt option).
-r + receipt_file_name This option creates a text output file name containing the final CRC, MD5 (-h option), or SHA (-s) of the disk being analyzed. (Hint: if you merely want the final CRC of the disk and don’t want an output file, just use the -r option, and don’t bother using the -o option. This will just give the receipt output file.)
DISK SECTIONING OPTIONS
-b + # Replace # with a beginning sector number to start at. The numbers use a base 1, so the first sector of the disk is sector 1, not sector 0. Take this into account when comparing sectors with other programs. If no -b is used, the first sector of the disk is defaulted.
-e + # Replace # with an ending sector number to stop on. This sector number IS included in the calculation. So if the command line was -b 10 -e 15 there are actually 6 sectors taken in the calculation: 10, 11, 12, 13, 14 ,15. The easiest way to calculate the number of sectors which will be included in the calculation is: (end - begin + 1)
Note: The -b and -e options only work with LBA drives, and only in the reference-creation direction (with -o, or with just -r), not with -i. The user MUST create a receipt (-r) file in order to have the value of the calculation recorded. So, together with the -d drive selection, a minimum command line is: -b X -e XX -r receipt.
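Converting a Disk_crc -b/-e section to byte offsets, as an added example in Python over a raw image (not Maresware code). It shows the base-1, inclusive numbering (6 sectors for -b 10 -e 15), the 0-based skip count another tool would need to reach the same range, and that a section covering every sector hashes the same as the whole image; that last check is the one to run before comparing a Disk_crc value with another program's, since the earlier note on the output file warns that a different sector count alone produces a mismatch. The sample image and the function names are mine.

```python
"""Hashing a Disk_crc-style sector section (-b/-e) of a raw image.

Added illustration, not Maresware code.  Disk_crc numbers sectors from 1
and includes the -e sector, so `-b 10 -e 15` covers 6 sectors; most other
tools (dd, hex editors) count from 0, so the offsets below do that conversion.
"""
import hashlib
import zlib

SECTOR = 512


def make_image(n_sectors: int) -> bytes:
    """Constructed test image: a 32-bit counter, so every sector is distinct
    and an off-by-one in the range changes every digest."""
    return b"".join(i.to_bytes(4, "little") for i in range(n_sectors * SECTOR // 4))


def section_hashes(image: bytes, begin: int, end: int) -> dict:
    """Hash sectors begin..end inclusive, both base 1 as on the Disk_crc
    command line.  Returns the sector count, the equivalent 0-based skip,
    and the CRC32/MD5/SHA-1 hex digests of the range."""
    if begin < 1 or end < begin:
        raise ValueError("need 1 <= begin <= end")
    if end * SECTOR > len(image):
        raise ValueError(f"-e {end} is past the end of the image")
    start = (begin - 1) * SECTOR       # base-1 sector -> 0-based byte offset
    stop = end * SECTOR                # inclusive end sector -> exclusive offset
    data = image[start:stop]
    return {
        "sectors": end - begin + 1,    # the (end - begin + 1) rule from the text
        "dd_skip": begin - 1,          # `dd skip=` value for the same range
        "crc32": f"{zlib.crc32(data):08X}",
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
    }


def whole_disk_check(image: bytes) -> bool:
    """A section covering every sector (-b 1 -e N) must hash the same as the
    whole image.  Run this before comparing against another tool's value:
    if the sector counts differ, a mismatch says nothing about alteration."""
    n = len(image) // SECTOR
    return section_hashes(image, 1, n)["md5"] == hashlib.md5(image).hexdigest()


if __name__ == "__main__":
    img = make_image(2000)
    print(section_hashes(img, 1000, 1999))   # 1000 sectors, skip 999
    print(whole_disk_check(img))
```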
C:>disk_crc
get help screen
C:>disk_crc -[options] -[doinxs]
C:>disk_crc -d a: -o reference.fle
calculate CRC of drive A:, and write output to reference.fle
C:>disk_crc -d 0 -o reference.fle
calculate CRC of physical drive 0
C:>disk_crc -d A: -o reference.fle -r suspect.rcp
calculate CRC of logical drive A:, write the reference file, and create a receipt for the suspect.
C:>disk_crc -d a: -i reference.fle
calculate CRC of drive A:, and compare with data located in reference.fle
C:>disk_crc -d a: -o reference -h
C:>disk_crc -d a: -i reference -h
add and then verify MD5 hash of the disk in drive A:
C:>disk_crc -d 0 -b 1000 -e 1999 -r receipt -h
Calculate the hash of 1000 sectors (1999 - 1000 + 1) and place the information in the file receipt.