Computer Forensics World :: View topic - Hash, hash, and re-hash

Hash, hash, and re-hash


Joined: Jan 07, 2011
Posts: 6

Posted: Sat Jan 29, 2011 3:37 am    Post subject: Hash, hash, and re-hash

I would like to get some opinions on this. I was taught through a course called BDRA, Basic Data Recovery and Analysis, on how to image a drive to be examined as evidence. This is how I understood it:

I hash the evidence drive in order to get its "digital fingerprint".
I then acquire the drive using a forensic tool, like EnCase, FTK, or iLook, which computes a hash during this process.
I then re-hash the original evidence drive.

All three hash values (MD5 and SHA-1) should match. This tells me that the imaged data is a forensic copy of the original data and the final hash confirms that nothing changed on the original drive during this process.

It makes sense to me to do this, but I am being mentored by an examiner who has 10 years' experience and he has told me that by simply acquiring my image (in EnCase) this is all done then. Meaning that during the image process EnCase hashes the original evidence drive and then verifies this hash once done.

I understood that EnCase does compute a hash during the image process, but on the image it is creating, which leads me back to my training in which I must have a hash value of the original evidence to compare with in order to say nothing was changed.

Can anyone give me some opinions on this?
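
The three-hash procedure described in the post above, as an added example (not the poster's code, and not a description of how EnCase, FTK or iLook work internally). It assumes the source can be read as an ordinary file, standing in for a write-blocked device, and it also hashes the finished image file, which goes one step beyond the post; all function names are hypothetical.

```python
import hashlib
import os
import tempfile

CHUNK = 1024 * 1024  # read in 1 MiB blocks so a large drive never sits in memory


def hash_stream(path, copy_to=None):
    """Return (md5, sha1) of path; if copy_to is given, write each block there too."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    dst = open(copy_to, "wb") if copy_to else None
    try:
        with open(path, "rb") as src:
            for block in iter(lambda: src.read(CHUNK), b""):
                md5.update(block)
                sha1.update(block)
                if dst:
                    dst.write(block)
    finally:
        if dst:
            dst.close()
    return md5.hexdigest(), sha1.hexdigest()


def three_hash_check(source, image):
    """Hash the source, acquire while hashing, re-hash the source, then compare."""
    before = hash_stream(source)                  # 1. pre-acquisition hash
    during = hash_stream(source, copy_to=image)   # 2. hash of bytes read while imaging
    after = hash_stream(source)                   # 3. post-acquisition re-hash
    written = hash_stream(image)                  # extra: hash of the image as stored
    return {
        "before": before, "acquisition": during, "after": after, "image": written,
        "image_matches_source": before == during == written,
        "source_unchanged": before == after,
    }


def demo():
    """Constructed sample: a ~3 MiB temp file stands in for the evidence drive."""
    with tempfile.TemporaryDirectory() as d:
        src, img = os.path.join(d, "evidence.bin"), os.path.join(d, "image.dd")
        with open(src, "wb") as f:
            f.write(os.urandom(3 * CHUNK + 17))
        return three_hash_check(src, img)


if __name__ == "__main__":
    print(demo())
```

The "acquisition" value is computed from the bytes read off the source during imaging, while "before" and "after" are separate full reads of the source, which is the distinction the post is asking about.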