Posted: Sat Jan 29, 2011 3:37 am Post subject: Hash, hash, and re-hash
I would like to get some opinions on this. I was taught through a course called BDRA, Basic Data Recovery and Analysis, on how to image a drive to be examined as evidence. This is how I understood it:
I hash the evidence drive in order to get its "digital fingerprint".
I then acquire the drive using a forensic tool, like EnCase, FTK, or iLook, which computes a hash during this process.
I then re-hash the original evidence drive.
All three hash values (MD5 and SHA-1) should match. This tells me that the imaged data is a forensic copy of the original data, and the final hash confirms that nothing changed on the original drive during this process.
It makes sense to me to do this, but I am being mentored by an examiner who has 10 years' experience, and he has told me that by simply acquiring my image (in EnCase) this is all done. Meaning that during the image process EnCase hashes the original evidence drive and then verifies this hash once done.
I understood that EnCase does compute a hash during the image process, but on the image it is creating, which leads me back to my training, in which I must have a hash value of the original evidence to compare with in order to say nothing was changed.
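The three-hash procedure the post describes, as an added Python example that is not from the BDRA course or from EnCase/FTK/iLook. It assumes in-memory byte streams as a constructed stand-in for the read-only evidence device and the image file, and the altered_sample() case shows what the pre-acquisition hash catches that the imaging-time hash alone cannot.

```python
import hashlib
import io

CHUNK = 64 * 1024  # bytes read per iteration

def hash_stream(stream, chunk=CHUNK):
    """MD5 and SHA-1 of the whole stream (the pre- and post-imaging hashes)."""
    stream.seek(0)
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    for block in iter(lambda: stream.read(chunk), b""):
        md5.update(block)
        sha1.update(block)
    return md5.hexdigest(), sha1.hexdigest()

def acquire(source, image, chunk=CHUNK):
    """Copy source to image, hashing bytes as read (the imaging tool's hash)."""
    source.seek(0)
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    for block in iter(lambda: source.read(chunk), b""):
        md5.update(block)
        sha1.update(block)
        image.write(block)
    return md5.hexdigest(), sha1.hexdigest()

def verify_acquisition(source, image):
    """Three-hash procedure: before, during acquisition, after; plus the image."""
    before = hash_stream(source)
    during = acquire(source, image)
    after = hash_stream(source)
    written = hash_stream(image)  # the image file must re-hash to the same value
    return {"before": before, "during": during, "after": after, "image": written,
            "verified": before == during == after == written}

def clean_sample():
    """Constructed 1 MiB stand-in for a read-only evidence device; all agree."""
    return verify_acquisition(io.BytesIO(bytes(range(256)) * 4096), io.BytesIO())

def altered_sample():
    """Source changes between the first hash and imaging: 'during' and 'after'
    still agree, so only the pre-acquisition hash exposes the change."""
    evidence = io.BytesIO(b"A" * 1000)
    before = hash_stream(evidence)
    evidence.seek(500)
    evidence.write(b"B")  # constructed modification of the source
    during = acquire(evidence, io.BytesIO())
    after = hash_stream(evidence)
    return before != during and during == after
```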