Forensic Hash Verification
What is Forensic Hash Verification?
The practice of computing and comparing cryptographic hashes (typically MD5 and SHA-256) of forensic images and source media to prove evidence integrity.
Forensic hash verification is the foundational practice of computing cryptographic hashes such as MD5, SHA-1 and SHA-256 over digital evidence and comparing them at every step to prove that the evidence has not been altered. During acquisition the source media is attached through a hardware or software write-blocker so that nothing can modify it, and an imaging tool such as FTK Imager, Guymager or 'dd' (paired with 'md5sum' or 'sha256sum') computes a hash of the source media and of the resulting image; the two hashes must match. Every later re-hash, on the analysis workstation and at each transfer or restoration, is recorded in the chain of custody so that a mismatch can be traced to a specific step. Guidance such as NIST SP 800-86, the SWGDE best-practice documents and ISO/IEC 27037 still accepts MD5 and SHA-1 for image verification, because substituting altered evidence for an already-hashed image would need a second-preimage attack rather than the collision attacks that are practical against MD5; nevertheless, common practice is to record two algorithms (typically MD5 + SHA-256) so that the weakness of one does not undermine the record. Hash sets such as the NIST National Software Reference Library (NSRL) serve a different purpose: filtering known files out of the analysis set.
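The verification step described above, as an added example that is not code from the original page or from any of the tools it names. It hashes an image once for both algorithms, treats a split raw image (evidence.001, evidence.002, ...) as a single byte stream, since the hash recorded for the source media is the hash of the whole stream and not of any one segment, and normalises hand-transcribed chain-of-custody values before comparing. The file names, the 3 MiB filler image and the recorded hashes are constructed for the demonstration.

```python
"""Verify a forensic image against the hashes recorded at acquisition.

Added example, not part of the original page. Both digests come from one
pass over the data, and a split raw image is hashed as the concatenation
of its segments in order.
"""
import hashlib
import os
import tempfile
from typing import Dict, Iterable, Tuple

CHUNK = 1024 * 1024  # 1 MiB reads keep memory flat on multi-terabyte images


def hash_segments(paths: Iterable[str], algos=("md5", "sha256")) -> Dict[str, str]:
    """Hash the concatenation of `paths` in one pass; return lowercase hex digests.

    On FIPS-restricted Python builds hashlib.new("md5") may be refused; pass
    usedforsecurity=False there (Python 3.9+), since MD5 here is an integrity
    check on a record, not a security primitive.
    """
    hashers = {name: hashlib.new(name) for name in algos}
    for path in paths:
        with open(path, "rb") as fh:
            for chunk in iter(lambda: fh.read(CHUNK), b""):
                for h in hashers.values():
                    h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def verify_image(paths, recorded: Dict[str, str]) -> Tuple[bool, Dict[str, bool]]:
    """Compare freshly computed digests with the recorded acquisition hashes.

    Recorded values are normalised (case, surrounding whitespace) because they
    are often typed by hand onto the chain-of-custody form. Every algorithm
    that was recorded must match; a single mismatch fails the verification.
    """
    computed = hash_segments(paths, algos=tuple(recorded))
    per_algo = {name: computed[name] == recorded[name].strip().lower() for name in recorded}
    return all(per_algo.values()), per_algo


def demo() -> Tuple[bool, bool]:
    """Constructed data: a 3 MiB pseudo-image split into two raw segments.

    Returns (verification result before tampering, result after flipping one byte).
    """
    image = bytes(range(256)) * (3 * 4096)  # 3 MiB of deterministic filler, constructed
    split_at = 2 * 1024 * 1024
    with tempfile.TemporaryDirectory() as d:
        seg1 = os.path.join(d, "evidence.001")
        seg2 = os.path.join(d, "evidence.002")
        with open(seg1, "wb") as f:
            f.write(image[:split_at])
        with open(seg2, "wb") as f:
            f.write(image[split_at:])
        # What the imaging tool would have recorded for the source media; the
        # SHA-256 is deliberately upper-case, as a clerk might transcribe it.
        recorded = {
            "md5": hashlib.md5(image).hexdigest(),
            "sha256": hashlib.sha256(image).hexdigest().upper(),
        }
        ok_before, _ = verify_image([seg1, seg2], recorded)
        # Flip a single bit in the second segment: any alteration must be detected.
        with open(seg2, "r+b") as f:
            f.seek(10)
            original = f.read(1)
            f.seek(10)
            f.write(bytes([original[0] ^ 0x01]))
        ok_after, _ = verify_image([seg1, seg2], recorded)
    return ok_before, ok_after


if __name__ == "__main__":
    before, after = demo()
    print(f"intact image verifies: {before}; tampered image verifies: {after}")
```

On a real case the list of segment paths comes from the acquisition log, and the `recorded` dictionary from the chain-of-custody form; E01 images carry their own stored hashes and are better checked with 'ewfverify', which understands the container format.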
● Examples
- 01
Recording 'Acquisition MD5 = ...; SHA-256 = ...' on the chain-of-custody form and matching it after each restore.
- 02
Re-hashing an E01 image with 'ewfverify' before starting analysis to prove the image has not been tampered with.
● Frequently asked questions
What is Forensic Hash Verification?
The practice of computing and comparing cryptographic hashes (typically MD5 and SHA-256) of forensic images and source media to prove evidence integrity. It belongs to the Forensics & IR category of cybersecurity.
How does Forensic Hash Verification work?
Forensic hash verification is the foundational practice of computing cryptographic hashes such as MD5, SHA-1 and SHA-256 over digital evidence and comparing them at every step to prove that the evidence has not been altered. During acquisition the source media is attached through a hardware or software write-blocker so that nothing can modify it, and an imaging tool such as FTK Imager, Guymager or 'dd' (paired with 'md5sum' or 'sha256sum') computes a hash of the source media and of the resulting image; the two hashes must match. Every later re-hash, on the analysis workstation and at each transfer or restoration, is recorded in the chain of custody so that a mismatch can be traced to a specific step. Guidance such as NIST SP 800-86, the SWGDE best-practice documents and ISO/IEC 27037 still accepts MD5 and SHA-1 for image verification, because substituting altered evidence for an already-hashed image would need a second-preimage attack rather than the collision attacks that are practical against MD5; nevertheless, common practice is to record two algorithms (typically MD5 + SHA-256) so that the weakness of one does not undermine the record. Hash sets such as the NIST National Software Reference Library (NSRL) serve a different purpose: filtering known files out of the analysis set.
What does Forensic Hash Verification protect against?
It detects accidental corruption (a failing drive, a bad copy, a truncated transfer) and deliberate tampering with evidence between acquisition and analysis. It does not by itself prove who computed a hash or when; that is why each hash value is written into the chain-of-custody record, and why many practitioners record two algorithms so that a weakness in one does not undermine the record.
What are other names for Forensic Hash Verification?
Common alternative names include: Evidence hashing, Image hash verification, Forensic hashing.
● Related terms
- forensics-ir№ 162
Chain of Custody
The chronological, documented trail showing every person, location, and action affecting a piece of evidence from seizure through final disposition.
- forensics-ir№ 426
Forensic Imaging
Creating a bit-for-bit copy of a storage medium, verified by cryptographic hashes, for use in forensic analysis and as legally admissible evidence.
- forensics-ir№ 1142
The Sleuth Kit
An open-source library and collection of command-line tools for low-level analysis of disk images and file systems, maintained by Brian Carrier.
- forensics-ir№ 378
EnCase
EnCase is a commercial digital-forensics product family from OpenText (originally Guidance Software) widely used by law-enforcement and corporate investigators since the late 1990s.
- forensics-ir№ 436
FTK
Forensic Toolkit (FTK) is a commercial digital-forensics suite developed by AccessData and now owned by Exterro, used to acquire, index and analyse computer evidence.
- forensics-ir№ 427
Forensic Readiness
An organization's prepared capability to collect, preserve, and analyze digital evidence with minimal disruption when an incident or legal matter arises.