In an investigation, everything you have done must be able to be replicated by another person, and this is done via hashing. Hashing refers to the use of hash functions to verify that an image is identical to the source media. It is like a digital fingerprint for a file. It is mathematically derived from the contents of the item being hashed and is displayed as a string of numbers and letters. The length of the hash depends on the type of hash used.
It is incredibly unlikely that two image files with different contents would ever generate the same hash. Several algorithms are commonly used, such as MD5 (Message Digest 5), SHA1 (Secure Hash Algorithm 1), SHA256, and others. MD5 produces a 128-bit value, displayed as 32 hexadecimal characters, and is the most commonly used hashing algorithm. Other algorithms are available for encryption; however, forensics primarily focuses on MD5, SHA1, and SHA256. Hashing is also used in many other areas of digital study, such as download confirmation and encryption. Altering anything within the contents of the disk image will alter the hash value (adding or removing a single character in a document, or changing one pixel in an image, is enough), but changing the name or extension of the image file will not alter the hash value, because only the contents are hashed. This is pivotal in the scope of forensic investigations, as the hash verifies the integrity of the disk image. Anyone, at any time during or after the investigation, should be able to rehash the disk image and obtain exactly the same hash value that was produced the first time the disk image was hashed.
Importance of evidence hashing
- It is pivotal to note that when conducting an investigation, every piece of evidence found on the disk image must be hashed.
- In an investigation, everything you have done must be able to be replicated by another person, and this is done via hashing.
- If you find a zipped file containing photos on the suspect’s disk image, the zipped file and each of the photos must be individually hashed. Think of it this way: anything you look at and anything you present as evidence must be hashed.
- Otherwise, there is no way for the court to verify that you did not alter the evidence in some unknown way: a fresh hash of the image that matches the originally recorded value is the proof that the contents are unchanged.
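The following is an added example, not code from the original text. It uses Python's standard library to hash a disk image with MD5, SHA1 and SHA256 in one pass, to hash a zip archive and each of its members individually as the list above requires, and to demonstrate the two properties stated earlier: renaming the image file leaves the hashes unchanged, while altering a single byte changes them. All file names and contents are constructed in a temporary directory for the demonstration and are not evidence from any real case.

```python
import hashlib
import os
import tempfile
import zipfile

# The three algorithms the text names as the forensic staples.
ALGORITHMS = ("md5", "sha1", "sha256")


def hash_bytes(data, algorithms=ALGORITHMS):
    """Hash an in-memory object (e.g. one member extracted from a zip)."""
    return {name: hashlib.new(name, data).hexdigest() for name in algorithms}


def hash_file(path, algorithms=ALGORITHMS, chunk_size=1024 * 1024):
    """Hash a file in chunks so a multi-gigabyte image never has to fit in memory.

    All digests are computed in a single read of the file, which matters when
    the image lives on slow or write-blocked media.
    """
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def hash_zip_members(path, algorithms=ALGORITHMS):
    """Hash the archive itself AND every file inside it, each individually."""
    results = {"<archive>": hash_file(path, algorithms)}
    with zipfile.ZipFile(path) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as member:
                results[info.filename] = hash_bytes(member.read(), algorithms)
    return results


def verify(path, expected):
    """Re-hash a file and return True only if every recorded digest still matches."""
    actual = hash_file(path, tuple(expected))
    return all(actual[name] == expected[name] for name in expected)


def demo():
    """Constructed walk-through of the properties described in the text."""
    with tempfile.TemporaryDirectory() as tmp:
        # Constructed sample "disk image": repeated bytes, not a real image.
        image = os.path.join(tmp, "suspect_drive.dd")
        with open(image, "wb") as f:
            f.write(b"Sample disk image contents\n" * 1000)
        original = hash_file(image)

        # Renaming the file and changing its extension: hashes stay identical.
        renamed = os.path.join(tmp, "evidence_01.img")
        os.rename(image, renamed)
        rename_unchanged = verify(renamed, original)

        # Overwriting a single byte: every digest changes and verification fails.
        with open(renamed, "r+b") as f:
            f.seek(10)
            f.write(b"X")
        one_byte_changed = not verify(renamed, original)

        # A zip of "photos": the archive and each member get their own hashes.
        archive = os.path.join(tmp, "photos.zip")
        with zipfile.ZipFile(archive, "w") as zf:
            zf.writestr("photo1.jpg", b"\xff\xd8\xff\xe0 constructed jpeg bytes 1")
            zf.writestr("photo2.jpg", b"\xff\xd8\xff\xe0 constructed jpeg bytes 2")
        members = hash_zip_members(archive)

        return {
            "rename_unchanged": rename_unchanged,
            "one_byte_changed": one_byte_changed,
            "zip_entries": sorted(members),
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

In practice the dictionary returned by `hash_file` would be written into the case notes alongside the image, and `verify` is what a second examiner runs later to show the image has not changed.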