Chapter 21 - Hash Sets
Copyright GetData Forensics Pty Ltd 2010 - 2015, All rights reserved.
A hash value is the numeric result of a mathematical calculation used to uniquely identify a
file or stream of data. A hash is often referred to as a "digital fingerprint", as a strong
hash algorithm essentially rules out the possibility of different data having the same hash value.
MD5 (Message-Digest algorithm 5) is a publicly available and widely used
cryptographic algorithm designed in 1991 by RSA (Ron Rivest, Adi Shamir and Len
Adleman). MD5 is the most well-known hash algorithm in computer forensics largely
through its implementation by Guidance Software in its EnCase® .E01 forensic
acquisition file format:

"The MD5 algorithm uses a 128-bit value. This raises the possibility of two
files having the same value to one in 3.40282 × 10^38". (EnCase Forensic
Version 6.10 User Manual. s.l. : Guidance Software, 2008 (15 p. 12)).

In 1996, cryptanalytic research identified a weakness in the MD5 algorithm. In 2008 the
United States Computer Emergency Readiness Team (US-CERT) released Vulnerability
Note VU#836068 stating that the MD5 hash:
"…should be considered cryptographically broken and unsuitable for further

SHA-2 is expected to become the new hash verification standard in computer
forensics. SHA-2 is a set of cryptographic hash functions (SHA-224, SHA-256, SHA-384,
and SHA-512) designed by the National Security Agency (NSA), and published by the
USA National Institute of Standards and Technology.
In computer forensics, an "acquisition hash" is calculated by forensic imaging software
during the acquisition of a physical or logical device. It represents the digital
fingerprint at the time the image was taken. It is recommended, in line with accepted
best forensic practice, that an acquisition hash is always included when acquiring data
of potential evidentiary value.
In EnCase® .E01 and Ex01 image file formats, the acquisition hash is written into the
image header. In other formats, such as with a DD image, a hash value is usually
written into an associated text file.
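
The check implied above for a DD image, re-hashing the image and comparing it with the value recorded in its associated text file, is sketched below as an added example; it is not part of Forensic Explorer or of the original manual. The sidecar layout is an assumption: digests are recognised by their hex length (MD5 and the SHA-2 family named above), and all function names are hypothetical.

```python
import hashlib
import re

# Hex digest length -> algorithm, used to recognise hashes in free-form log text.
DIGEST_LENGTHS = {32: "md5", 56: "sha224", 64: "sha256", 96: "sha384", 128: "sha512"}


def hash_image(path, algorithms=("md5", "sha256"), chunk_size=1 << 20):
    """Stream the image once, feeding each chunk to every requested hash."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as image:
        while chunk := image.read(chunk_size):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def parse_sidecar(text):
    """Extract standalone hex digests from the text, keyed by algorithm."""
    recorded = {}
    for token in re.findall(r"\b[0-9a-fA-F]{32,128}\b", text):
        name = DIGEST_LENGTHS.get(len(token))
        if name:
            recorded.setdefault(name, token.lower())  # first value per algorithm
    return recorded


def verify_image(image_path, sidecar_text):
    """Return {algorithm: matches?} for every hash recorded in the sidecar."""
    recorded = parse_sidecar(sidecar_text)
    if not recorded:
        raise ValueError("no acquisition hash found in sidecar text")
    computed = hash_image(image_path, tuple(recorded))
    return {name: computed[name] == recorded[name] for name in recorded}


if __name__ == "__main__":
    import os, tempfile
    # Constructed stand-in for a DD image and its log file; not real evidence.
    data = b"\x00" * 4096 + b"constructed sample image"
    with tempfile.NamedTemporaryFile(delete=False, suffix=".dd") as f:
        f.write(data)
    log = "MD5 hash: " + hashlib.md5(data).hexdigest().upper() + "\n"
    print(verify_image(f.name, log))   # image unchanged since "acquisition"
    with open(f.name, "ab") as g:
        g.write(b"\x01")               # simulate a one-byte change to the image
    print(verify_image(f.name, log))   # the same recorded hash no longer matches
    os.unlink(f.name)
```

Hashing in fixed-size chunks keeps memory use constant regardless of image size, and computing every recorded algorithm in one pass avoids reading a large image twice.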
To display an acquisition hash in Forensic Explorer:
1. In the Evidence module, create or open a case;
2. In the Evidence module, in the Evidence tab, click on the image file to display
   the file properties, including the Acquisition hash value, as shown in Figure
   193, Acquisition and Verification hashes.