
Hash verification

(@ileile)
Posts: 7
Active Member
Topic starter
 

Hello everybody,

I have one question about the hash verification process when an E01 image is created. When I connect the original medium to a write blocker and start the imaging process (with FTK Imager or EnCase), does the software first compute hash values for the original medium and, after the image is created, compute the hash values for that image and compare them?

Example: I start the imaging process with FTK Imager. First the software computes hash values for the original medium, then computes the acquisition hash value, and in the end it computes the verification hash value. When the process is completed, FTK Imager gives 3 hash values (Computed hash, Stored Verification hash, Report Hash). What do these three mean? Is the "Report Hash" the computed hash value of the original medium?

And can anybody explain how the imaging process in EnCase works?

Thank you,

 
Posted : 28/03/2016 3:55 pm
kacos
(@kacos)
Posts: 93
Trusted Member
 

The E01 file includes CRC checks for the integrity of the data acquired and the acquisition hash (MD5 and/or SHA1) at the end of the file (this is the hash of the acquired data). This hash is usually checked/verified when opening the E01 file in order to make sure that the image file is not altered or corrupt.

FTK Imager computes the hash of the imaged data (acquisition hash) when the acquisition is finished. If the format is E01 this hash is stored at the end of the file; otherwise you can find it in the .txt file saved at the same location as the image file. After the image file is saved, it computes/checks the hash of the source medium (stored hash). If they match, it informs you that the acquisition is successful.

 
Posted : 28/03/2016 4:45 pm
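The check described above (per-chunk CRCs inside the container, an acquisition hash stored at the end of the file, and a comparison against the hash of the source medium) can be illustrated with a simplified E01-like container. This is an added example, not code from FTK Imager, EnCase or the thread; the container layout, chunk size and sample data are constructed for illustration and do not match the real EWF format.

```python
import hashlib
import struct
import zlib

CHUNK = 64 * 1024  # 64 KiB chunks (constructed simplification of the E01 layout)


def source_hash(source: bytes) -> str:
    """Hash of the original medium, computed directly from the source bytes."""
    return hashlib.md5(source).hexdigest()


def acquire(source: bytes, chunk_size: int = CHUNK) -> tuple[bytes, str]:
    """Write a toy image: [len][data][crc32] per chunk, then the raw MD5 acquisition hash."""
    md5 = hashlib.md5()
    image = bytearray()
    for off in range(0, len(source), chunk_size):
        data = source[off:off + chunk_size]
        md5.update(data)
        image += struct.pack(">I", len(data)) + data + struct.pack(">I", zlib.crc32(data))
    acquisition_hash = md5.hexdigest()
    image += bytes.fromhex(acquisition_hash)  # stored (acquisition) hash trailer
    return bytes(image), acquisition_hash


def verify(image: bytes) -> dict:
    """Re-read the image: check every chunk CRC and recompute the hash of the image data."""
    body, stored_hash = image[:-16], image[-16:].hex()
    md5 = hashlib.md5()
    bad_chunks, pos, idx = [], 0, 0
    while pos < len(body):
        (n,) = struct.unpack(">I", body[pos:pos + 4]); pos += 4
        data = body[pos:pos + n]; pos += n
        (crc,) = struct.unpack(">I", body[pos:pos + 4]); pos += 4
        if zlib.crc32(data) != crc:
            bad_chunks.append(idx)  # localised corruption, caught before the full hash is done
        md5.update(data)
        idx += 1
    computed_hash = md5.hexdigest()
    return {"stored_hash": stored_hash, "computed_hash": computed_hash,
            "bad_chunks": bad_chunks, "match": stored_hash == computed_hash and not bad_chunks}


if __name__ == "__main__":
    src = bytes(range(256)) * 1000          # constructed 256,000-byte "medium"
    img, acq = acquire(src)
    print("source hash      :", source_hash(src))
    print("acquisition hash :", acq)
    print("verify clean     :", verify(img))
    damaged = bytearray(img); damaged[104] ^= 0xFF   # flip one byte inside chunk 0
    print("verify damaged   :", verify(bytes(damaged)))
```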
(@ileile)
Posts: 7
Active Member
Topic starter
 

Just to be clear, I would like you to confirm to me that the stored report hash from the Drive/Image Verify Results window is the hash of the source drive (the original drive); if not, where can I find the stored hash (hash of the source medium)?

In the report we can find

MD5 Hash

Computed hash 8d594…
Stored verification hash 8d594…
Report hash 8d594…
Verify result Match

 
Posted : 28/03/2016 5:37 pm
kacos
(@kacos)
Posts: 93
Trusted Member
 

> Just to be clear, I would like you to confirm to me that the stored report hash from the Drive/Image Verify Results window is the hash of the source drive (the original drive); if not, where can I find the stored hash (hash of the source medium)?

Yes, it is (see pages 36 and 37 of FTK Imager's help).

In the Image Summary window (or the .txt file stored at the same location as your image file), the Computed Hashes are of the physical Evidentiary Item (Source).

 
Posted : 28/03/2016 5:41 pm
kacos
(@kacos)
Posts: 93
Trusted Member
 

OK, I can see where FTK can become confusing (it got me confused as well).
So, to clear this up:

Stored hash is the acquisition hash (hash of the data in the .dd, .ad1, .e01, etc. image file).
Computed hash is the hash of the original data on the source medium (hard disk, etc.).

 
Posted : 28/03/2016 6:54 pm
(@mansiu)
Posts: 83
Trusted Member
 

> OK, I can see where FTK can become confusing (it got me confused as well).
> So, to clear this up:
>
> Stored hash is the acquisition hash (hash of the data in the .dd, .ad1, .e01, etc. image file).
> Computed hash is the hash of the original data on the source medium (hard disk, etc.).

The computed hash is called the verification hash in EnCase; it is the hash value calculated from the data inside the E01.

 
Posted : 29/03/2016 1:04 pm