Hashing and data imaging are two concepts fundamental to digital forensics. The most important rule in digital forensics is never to examine or analyse the original digital evidence directly.
Doing so changes file system metadata such as the MAC timestamps (Modified, Accessed and Created) of every file that is touched, and even simply mounting a disk on a workstation can write to it. Once the original has been changed, the opposing side can argue that the evidence was tampered with, and it may be ruled inadmissible in a court of law and therefore rendered useless.
Hashing lets an examiner prove the integrity of the original evidence, that is, demonstrate that it has not been changed or altered in any way since it was acquired. Imaging, on the other hand, gives investigators and forensic experts a working copy, so that no examination has to be carried out on the original. Together, hashing and imaging help maintain the admissibility of digital evidence in court.
Hashing is the process of applying a mathematical algorithm to a string of text, a file or an entire storage medium in order to produce a fixed-length value, normally written as hexadecimal digits, known as the hash value or digest. For a cryptographic hash function it is computationally infeasible to find two different inputs with the same digest, so in practice the hash value identifies exactly that text, file or medium.
The same input always produces the same output, but any change whatsoever to the file or storage medium, that is, to the original evidence, produces a different hash value.
For example, changing a single lower-case "a" to a capital "A", or adding a single full stop ".", produces a completely different hash value.
Example: Introduction to Information Security
MD5 hash value: d23e 5dd1 fe50 59f5 5e33 ed09 e0eb fd2f
Changing “t” to “T”: Introduction To Information Security
MD5 hash value: 0b92 f23e 8b5b 548a aade bd1b 40fa e2a3
A hash value is a short, fixed-length string that stands in for an arbitrarily large amount of data and, for a sound hash algorithm, identifies that data uniquely in practice. Hash values are therefore used to authenticate and verify the integrity of any data set (files, folders or storage media) presented as evidence in courts of law across the world: the digest recorded at the time of acquisition is recomputed later, and the two must match.
There are many hash algorithms, but the ones most commonly used in forensics are MD5 (Message Digest 5), SHA-1 (Secure Hash Algorithm 1) and the SHA-2 family (SHA-256, SHA-512). Note that MD5 and SHA-1 are no longer collision resistant: researchers have produced pairs of different files with the same MD5 digest and, more recently, the same SHA-1 digest. Both are still widely recorded for compatibility with older tools and reports, but a SHA-2 digest such as SHA-256 should always be recorded alongside them.
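The properties described above (the same input always gives the same digest, a one-character change gives an unrelated digest, and a recorded digest can be checked again later) can be exercised with a few lines of Python. The block below is an added example, not code from the original article; it uses only the standard library hashlib module. It goes slightly beyond the text by computing MD5, SHA-1 and SHA-256 in a single pass over the data, which is how a large drive is hashed in practice, and by counting how many bits of the digest change when one letter of the input changes.

```python
import hashlib
from typing import Dict, Iterable, Iterator

# Algorithms an examiner typically records together: MD5 and SHA-1 for
# compatibility with older reports and tools, SHA-256 because the first
# two are no longer collision resistant.
ALGORITHMS = ("md5", "sha1", "sha256")


def hash_stream(chunks: Iterable[bytes], algorithms=ALGORITHMS) -> Dict[str, str]:
    """Hash a sequence of byte chunks with several algorithms in ONE pass.

    A single read of the evidence is what matters when the input is a
    multi-terabyte drive: every extra pass over the original costs hours
    and is one more chance to disturb it."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    for chunk in chunks:
        for h in hashers.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def hash_bytes(data: bytes, algorithms=ALGORITHMS) -> Dict[str, str]:
    """Convenience wrapper for in-memory data (a string of text, a small file)."""
    return hash_stream([data], algorithms)


def hash_file(path: str, chunk_size: int = 1 << 20, algorithms=ALGORITHMS) -> Dict[str, str]:
    """Hash a file or a raw device node (e.g. /dev/sdb) without loading it
    into memory; chunk_size is read at a time and fed to every hasher."""
    def chunks() -> Iterator[bytes]:
        with open(path, "rb") as f:
            while True:
                block = f.read(chunk_size)
                if not block:
                    return
                yield block
    return hash_stream(chunks(), algorithms)


def differing_bits(hex_a: str, hex_b: str) -> int:
    """Number of bit positions in which two equal-length hex digests differ.
    For a good hash function this is about half of the digest length."""
    return bin(int(hex_a, 16) ^ int(hex_b, 16)).count("1")


def verify(recorded: Dict[str, str], actual: Dict[str, str]) -> bool:
    """True only if EVERY digest recorded at acquisition matches the freshly
    computed one. Checking all recorded algorithms, not just MD5, means an
    attacker would have to defeat all of them at once."""
    return all(actual.get(name.lower()) == value.lower() for name, value in recorded.items())


def demo():
    """Hash the two strings used as the example in the text and show how
    far apart the digests are after a single letter changes."""
    original = b"Introduction to Information Security"
    changed = b"Introduction To Information Security"   # one letter changed
    h1, h2 = hash_bytes(original), hash_bytes(changed)
    for name in ALGORITHMS:
        bits = len(h1[name]) * 4
        print(f"{name:7} {h1[name]}")
        print(f"{'':7} {h2[name]}  ({differing_bits(h1[name], h2[name])} of {bits} bits differ)")
    return h1, h2


if __name__ == "__main__":
    demo()
```

Run it as a script to see the digests of the two example strings side by side. `hash_file` takes the path of a file or, on a Unix workstation, of a raw block device, so the same code that hashes a text string hashes an entire drive; `verify` is the check performed in court or at hand-over, comparing the digests written down at acquisition with digests computed afresh.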
Imaging creates a copy of the digital evidence on which the investigation is conducted and evidence is gathered. It is defined as the bit-by-bit copying of the entire contents of a medium such as a hard disk, a USB drive or a single partition, leaving no area of the disk uncopied.
It is also known as sector-by-sector or bit-stream imaging. It is not the same as copying and pasting the contents of one disk to another. Copying, also called a logical backup, copies only the active files and directories of the logical volume; it does not capture the other data areas of the disk, such as deleted files or residual data in slack space (the unused tail of the last cluster allocated to a file, which still holds whatever was written there before).
Imaging, on the other hand, produces a bit-for-bit copy of the original medium including deleted or hidden files, free or unallocated space and slack space. The original evidence is thus preserved and all examinations are carried out on the image, which prevents accidental alteration or tampering of the original during examination. Once the image is written, its hash is computed and compared with the hash of the original; only a matching pair makes the image a verified copy.
Moreover, if anything goes wrong with an image, another can be created from the original evidence, although every additional acquisition means handling the original again. Laboratories therefore usually keep several images of an evidence disk, typically three to four: an archival master that is never worked on and working copies for the examiners. Imaging tools used in forensic laboratories include FTK Imager, EnCase and, on Unix systems, the dd family of command-line tools.
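The difference between a logical copy and a bit-stream image, and the hash-while-copying verification step, can be shown on a small constructed disk. The following is an added example written for this article, not code from the original page or from any imaging product: it builds a toy 16-sector "disk" with one live file, residue in that file's slack space and a deleted file in unallocated space, then shows that a logical copy captures only the live file while a bit-stream acquisition captures everything and verifies itself against the acquisition hash. The one-line "directory entry" format and the residue strings are invented for the example; no real filesystem is parsed.

```python
import hashlib
import io
from typing import BinaryIO, Tuple

SECTOR = 512            # sector size of the constructed sample disk
SECTORS = 16            # 8 KiB in total; a real drive is the same loop with more sectors

# Constructed sample content (not real data).
FILE_DATA = (b"Meeting notes, nothing sensitive here.\n" * 20)[:700]   # the one live file
SLACK_RESIDUE = b"[SLACK RESIDUE] fragment of an earlier, overwritten file"
DELETED_RESIDUE = b"[DELETED FILE] PAYROLL export, unlinked from the directory but still on disk"


def build_sample_disk() -> bytes:
    """Lay out the toy disk: sector 0 holds a made-up directory entry, sectors
    1-2 hold notes.txt (700 bytes, so 324 bytes of sector 2 are file slack),
    sectors 5-6 hold the remains of a deleted file."""
    disk = bytearray(SECTORS * SECTOR)
    header = b"FILE notes.txt START=1 LEN=700"          # toy directory entry
    disk[0:len(header)] = header
    start = 1 * SECTOR
    disk[start:start + len(FILE_DATA)] = FILE_DATA
    # File slack: the unused tail of the file's last sector keeps old bytes.
    slack_at = start + len(FILE_DATA) + 8
    disk[slack_at:slack_at + len(SLACK_RESIDUE)] = SLACK_RESIDUE
    # Unallocated space: a deleted file's content survives until overwritten.
    deleted_at = 5 * SECTOR
    disk[deleted_at:deleted_at + len(DELETED_RESIDUE)] = DELETED_RESIDUE
    return bytes(disk)


def logical_copy(disk: bytes) -> bytes:
    """What copy-and-paste does: read the directory and copy only the bytes
    that belong to live files. Slack and unallocated space are never read."""
    header = disk[:SECTOR].rstrip(b"\x00").decode()
    fields = dict(tok.split("=") for tok in header.split()[2:])
    start, length = int(fields["START"]) * SECTOR, int(fields["LEN"])
    return disk[start:start + length]


def image_device(src: BinaryIO, dst: BinaryIO, block_size: int = 4 * SECTOR) -> str:
    """Bit-stream copy src -> dst, hashing the source bytes as they stream
    past. Returns the SHA-256 of everything read from src: the acquisition
    hash that is written into the evidence record. For a real drive src is
    open('/dev/sdX', 'rb') behind a write blocker and dst is the image file."""
    h = hashlib.sha256()
    while True:
        block = src.read(block_size)
        if not block:
            break
        h.update(block)
        dst.write(block)
    dst.flush()
    return h.hexdigest()


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def acquire(disk: bytes) -> Tuple[bytes, str, bool]:
    """Image the disk, then re-hash the finished image and compare it with the
    acquisition hash. Only a match makes the image a verified copy."""
    src, dst = io.BytesIO(disk), io.BytesIO()
    acquisition_hash = image_device(src, dst)
    image = dst.getvalue()
    verified = sha256_hex(image) == acquisition_hash
    return image, acquisition_hash, verified


def demo() -> None:
    disk = build_sample_disk()
    copy = logical_copy(disk)
    image, acq_hash, ok = acquire(disk)
    print(f"logical copy : {len(copy)} bytes, slack residue {SLACK_RESIDUE in copy},"
          f" deleted file {DELETED_RESIDUE in copy}")
    print(f"bit-stream   : {len(image)} bytes, slack residue {SLACK_RESIDUE in image},"
          f" deleted file {DELETED_RESIDUE in image}")
    print(f"acquisition sha256 {acq_hash}  verified={ok}")


if __name__ == "__main__":
    demo()
```

The logical copy is 700 bytes and contains neither residue string; the image is the full 8192 bytes and contains both, which is exactly the deleted-file and slack-space material the text says a copy-and-paste misses. With a physical source drive the same verification is done twice: the image is re-hashed and compared with the acquisition hash, and the original is re-hashed behind the write blocker to show that acquisition itself did not alter it.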
A write blocker is a device (or, less commonly, a software control) that permits read-only access to a storage device, so that the data on it cannot be modified even accidentally. The original evidence (hard disk) must be connected through a write blocker before imaging; without one, merely attaching the disk to a workstation can update timestamps, file system journals or indexing data.
The destination disk, a fresh, sterilised (wiped and verified) disk that will hold the image, must be writable, so it is connected directly to the forensic workstation rather than through the write blocker's protected port. Care must still be taken when selecting the source (original evidence) and destination disks in the forensic imaging software: the write blocker is the safeguard of last resort against picking them the wrong way round.
On completion of the imaging process, and after verifying that the hash of the image matches the hash of the original, both disks are disconnected from the workstation and write blocker, labelled, preserved separately in anti-static bags and stored in a secure location.