Hi, im having an issue getting the correct sha1 hash for question 1 of the Acquired Taste lab.
I have mounted the drive using the command:
sudo mount /dev/nvme3n1p1 /evidence_storage
and created an image with the hash using:
sudo dc3dd if=/dev/nvme1n1 of=/evidence_storage/nvme1n1.img hash=sha1 log=/evidence_storage/dc3dd.log
It says the last 4 chars are incorrect. I also can’t use sha1sum to verify either since its not available in the lab. Not sure what im doing wrong?
Thanks,
Some questions on this one came up a few weeks ago. Let me know if this helps - Acquired Taste Lab - #3 by FormUser3K
Yeah thanks, i read that post before creating this one, (didn’t want to hijack it!), it looks as though this user is having the same problem, however i can’t see anything glaringly obvious to check other than what I have already, i seem to be mounting the right drive in the correct location and as far as i can tell, i’m creating the right image? Maybe something is off with command im using, im not entirely sure.
Okay, there’s something new and weird going on here - we seem to be getting different hash values for the same drive image from lab session to lab session. It likely has something to do with some underlying AWS behavior. We’re looking into this.
This is fixed! Thank you for flagging.
Fantastic, thanks so much for that (nice to know it wasn’t me making a mistake this time 
)
Could you check this issue is also not affecting question 3?
I have created this twice and still get the same hash, with the last 4 values as 4350, however it’s not classing it as the correct value.
Thanks!
I just tested this and got the correct answer (begins with 1).
Are you using FTK Imager to add the target folder as an evidence item using the Contents of a Folder option, then exporting the logical image of the target folder? Basically following the same steps as Part 3 of the Evidence Acquisition lab’s Guided Exercise.
This worked thank you! I was using the create disk image option, then choosing contents of a folder. Appreciate your help 