
📌 General Introduction

In the field of digital forensics, maintaining the integrity of evidence is the foundation of any successful case. After creating a forensic image of a device or disk, we never work directly on the original copy. Instead, we analyze an identical clone. To ensure that this copy hasn’t been tampered with, we use what is known as a Hash.


🧩 What is a Hash?

A Hash is a unique digital fingerprint generated for any file. If the file is changed by even a single bit, the hash will change entirely.


⛓️ In Digital Forensics

The hash serves as proof that the file has not been modified. It is documented as part of what’s called the Chain of Custody.


🎯 Phases of Working with Digital Evidence

| Phase | Description |
|---|---|
| 1️⃣ Acquisition | Bit-by-bit extraction of a digital image from the original device. |
| 2️⃣ Preservation | Keeping the original copy untouched. |
| 3️⃣ Hashing | Verifying that the clone matches the original using hash values. |
| 4️⃣ Analysis | Performed only on the cloned copy, never the original. |
| 5️⃣ Reporting | Everything is documented, especially the hash, in a formal report. |

🔍 Why Do We Use Hashing?

  • To ensure that the clone is an exact copy of the original.

  • To detect any modifications, even minor ones.

  • To prove the authenticity of evidence in court.


⚙️ Common Hashing Algorithms

| Algorithm | Security Level | Recommendation |
|---|---|---|
| ✅ SHA-256 | Very Secure | Recommended |
| ✅ SHA-2 | Secure | Acceptable |
| ⚠️ SHA-1 | Medium Security | Not preferred |
| ⚠️ MD5 | Weak | Not secure |

❗ MD5 and SHA-1 are vulnerable to hash collisions, meaning two different files may produce the same hash value.


⚖️ Collisions and Their Risks in Court

  • In rare cases, two different files may generate the same hash.

  • This could be used in court to challenge the credibility of digital evidence.

  • Therefore, it’s best to use strong algorithms like SHA-256.


🧪 Hands-On Lab

🧮 Lab Objectives

  • Generate a hash value for a given file on both Windows and Linux.

  • Verify that the resulting hashes are identical on both systems.


Part 1: Generating a Hash on Windows

❗ Note: Windows does not come with a built-in hashing tool, so we’ll use a third-party app like HashCalc.

✅ Steps:

  1. Search for HashCalc online.

  2. Download and install the tool.

  3. Open the application and select:

     • Input Type: File

     • File: Choose your file (e.g., evidence.img)

     • Hash Type: Select SHA-256 only

  4. Click Calculate

  • The hash value will be displayed.

✨ Document the hash securely (in a report, log, or digital backup).


🐧 Part 2: Generating a Hash on Linux

✅ Built-in Tools:

sansforensics@as: ~/DF/Images
$ md5sum First\ Image.001
53d3193fc1596f91f9fb6486d73986fa  First Image.001

sansforensics@as: ~/DF/Images
$ sha1sum First\ Image.001
48a371c5054005ad8edf41272db2171d2743967c  First Image.001

sansforensics@as: ~/DF/Images
$ sha256sum First\ Image.001
a9adc88a012a2de92c886de95b379b29e2ff2c6cb8ffc6af4ddea088b3193f8a  First Image.001

sansforensics@as: ~/DF/Images
$ sha512sum First\ Image.001
0c99fcd51225448ec9948e749104a12c4ae68ef133a978049ec451bd09571d612103f9a469e45f737a81e35535acf31f48d7fcfadec7431f860f81127ee50d6a  First Image.001

📝 Steps:

  1. Open the Terminal.

  2. Navigate to the directory where the file is located:

     cd /path/to/image/

  3. Generate the SHA-256 hash:

     sha256sum filename.img

  • A long hash value will be displayed.

❗ If the hash matches the Windows-generated value, this proves the file has not been tampered with.
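
The comparison in this last step, as an added example that is not part of the original page: a shell script that checks a file's SHA-256 against a digest recorded elsewhere (for instance, the value noted on Windows). The function names and the sample file are hypothetical; the sample is constructed from the standard "abc" SHA-256 test vector.

```bash
# Added example: check a file against a SHA-256 digest recorded elsewhere.
# Function names and the sample file are hypothetical.

# Print only the hex digest; reading from stdin keeps the file name out of the output.
sha256_of() {
    sha256sum < "$1" | awk '{print $1}'
}

# Strip whitespace and lowercase, so a digest copied from another tool
# or from a report compares equal regardless of letter case.
normalize_hash() {
    printf '%s' "$1" | tr -d '[:space:]' | tr 'A-F' 'a-f'
}

# verify_image FILE EXPECTED
# Returns 0 on match, 1 on mismatch, 2 if the input cannot be a SHA-256 check.
verify_image() {
    file=$1
    expected=$(normalize_hash "$2")
    [ -r "$file" ] || { echo "cannot read: $file" >&2; return 2; }
    # A SHA-256 digest is exactly 64 hex characters; an MD5 or SHA-1 value
    # pasted by mistake is rejected here instead of being reported as a mismatch.
    case $expected in
        *[!0-9a-f]*) echo "not a hex digest" >&2; return 2 ;;
    esac
    [ "${#expected}" -eq 64 ] || { echo "not a SHA-256 digest (need 64 hex chars)" >&2; return 2; }
    actual=$(sha256_of "$file")
    if [ "$actual" = "$expected" ]; then
        echo "MATCH     $actual  $file"
        return 0
    fi
    echo "MISMATCH  expected $expected" >&2
    echo "          actual   $actual  $file" >&2
    return 1
}

# Constructed sample: a 3-byte file containing "abc" (standard SHA-256 test vector).
sample=$(mktemp)
printf 'abc' > "$sample"
recorded='BA7816BF8F01CFEA414140DE5DAE2223B00361A396177A9CB410FF61F20015AD'
verify_image "$sample" "$recorded" || echo "unexpected result" >&2
printf 'abd' > "$sample"    # alter one character of the "evidence"
verify_image "$sample" "$recorded" || echo "modification detected"
rm -f "$sample"
```

The non-zero return codes let the check be scripted into an intake procedure, so a mismatch stops the workflow before analysis begins.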