libyal / libewf

Libewf is a library to access the Expert Witness Compression Format (EWF)
GNU Lesser General Public License v3.0

why does ewfverify indicate failure but MD5 matches? #203

Closed brunodgarcia closed 2 months ago

brunodgarcia commented 3 months ago

I have changed a few bytes of an E01 file in order to test ewfverify. The change was correctly detected, but the program shows the same md5 hash for stored and calculated fields.

The project was built on Windows using Cygwin64.

ewfverify 20240506

Verify started at: Jun 12, 2024 16:59:02
This could take a while.

Verify completed at: Jun 12, 2024 16:59:02

Read: 29 MiB (31129600 bytes) in 0 second(s)

MD5 hash stored in file:                750b509d8fbed37a5213480aaccfdc61
MD5 hash calculated over data:          750b509d8fbed37a5213480aaccfdc61

ewfverify: FAILURE

joachimmetz commented 3 months ago

@brunodgarcia where did you change the bytes? EWF is a container format there might be other reasons for the verification to fail

brunodgarcia commented 3 months ago

> @brunodgarcia where did you change the bytes? EWF is a container format there might be other reasons for the verification to fail

I just changed a few random bytes in the file and now I understand I probably didn't corrupt the volume data as expected. FTK indicates the file no longer contains valid evidence.

The hash values worked as expected when I changed bytes right in the middle of the file.

I made the incorrect assumption that failure simply meant a mismatch in the hashes.

I apologize for raising the issue, and I appreciate your attention to this matter. Thanks!

joachimmetz commented 2 months ago

What is known about the format is documented here: https://github.com/libyal/libewf/blob/main/documentation/Expert%20Witness%20Compression%20Format%20(EWF).asciidoc. It contains various checksums and edge cases.

closing this issue given the question appears to have been answered
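A simplified model of why a verifier can report FAILURE while the stored and calculated MD5 still agree, as an added example that is not libewf's code: EWF sections and chunks carry their own Adler-32 checksums, so damaging metadata trips a checksum check without touching the data the MD5 is computed over. The container layout below (a tag, a length field, a hex MD5, 8-byte chunks each followed by an Adler-32) is a constructed toy, not the real EWF layout.

```python
import hashlib
import zlib

CHUNK_SIZE = 8                 # constructed toy value; real EWF chunks are far larger
HDR_LEN = 3 + 4 + 32           # tag + little-endian length + hex MD5 of the data


def adler32_bytes(data: bytes) -> bytes:
    """EWF-style 4-byte Adler-32 trailer (here little-endian)."""
    return zlib.adler32(data).to_bytes(4, "little")


def build_image(data: bytes) -> bytes:
    """Header section with its checksum, then data chunks each with a checksum."""
    header = b"HDR" + len(data).to_bytes(4, "little") + hashlib.md5(data).hexdigest().encode()
    out = header + adler32_bytes(header)
    for i in range(0, len(data), CHUNK_SIZE):
        chunk = data[i:i + CHUNK_SIZE]
        out += chunk + adler32_bytes(chunk)
    return out


def verify(image: bytes) -> dict:
    """Check section checksum, every chunk checksum, and the stored-vs-calculated MD5."""
    header, stored_sum = image[:HDR_LEN], image[HDR_LEN:HDR_LEN + 4]
    section_ok = stored_sum == adler32_bytes(header)
    data_len = int.from_bytes(header[3:7], "little")
    stored_md5 = header[7:].decode(errors="replace")
    data, chunks_ok, pos = b"", True, HDR_LEN + 4
    while len(data) < data_len and pos < len(image):
        n = min(CHUNK_SIZE, data_len - len(data))
        chunk, chunk_sum = image[pos:pos + n], image[pos + n:pos + n + 4]
        chunks_ok &= chunk_sum == adler32_bytes(chunk)
        data += chunk
        pos += n + 4
    calc_md5 = hashlib.md5(data).hexdigest()
    # Any failed check is a FAILURE, exactly like a hash mismatch would be.
    ok = section_ok and chunks_ok and stored_md5 == calc_md5
    return {"stored_md5": stored_md5, "calculated_md5": calc_md5,
            "section_checksum_ok": section_ok, "chunk_checksums_ok": chunks_ok,
            "result": "SUCCESS" if ok else "FAILURE"}


if __name__ == "__main__":
    img = build_image(bytes(range(64)))          # constructed sample data
    damaged = bytearray(img); damaged[1] ^= 0xFF  # corrupt header metadata only
    print(verify(bytes(damaged)))                 # FAILURE, but both MD5 values match
```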