Hashing Data Sets
GIAC Certified Forensic Examiner Objective:
Fundamental Digital Forensics
- The candidate will demonstrate an understanding of forensic methodology, key forensic concepts, identifying types of evidence on current Windows operating systems and be familiar with the structure and composition of modern Windows file systems.
Overview
In this lab, you will learn how to image disks, hash the image, and verify the hash. Digital forensic specialists image disks before they start an investigation. They also record the hashes so that they can prove in a court of law that the image has not been tampered with.
OUTCOMES:
In this lab, you will learn to:
- Image and Hash a Disk and Verify the Hashes of the Image
- Use Kali to Hash Images, Disks, and Partitions
- Use HashCalc to Verify Hashes
Key terms and descriptions
EnCase Imager
EnCase Imager is a GUI program that will allow a user to create a disk image from within Windows. You can run into complications imaging a disk while on Windows because certain files are locked by the OS. EnCase Imager is a free product.
HashCalc
A free program from http://www.slavasoft.com/hashcalc/ that allows you to calculate the MD5, SHA-256, SHA-384, SHA-512, and other hash values of data sets.
MD5
Message Digest 5 is a 128-bit hashing algorithm that aids forensic examiners by “proving” that the copy of the media they are working on is “equivalent” to the original. Other hashes, such as the 160-bit SHA-1, produce longer digests, so two different inputs are less likely to share a hash value than with the 128-bit MD5.
SHA-1
Secure Hash Algorithm is a 160-bit hashing algorithm that aids forensic examiners by “proving” that the copy of the media they are working on is “equivalent” to the original. There are also 256-, 384-, and 512-bit versions of SHA; their longer digests make it even less likely that two different inputs share a hash value.
Kali
Kali is a free Ubuntu Linux-based Live DVD. Kali is used for forensics and penetration testing. Both the 32-bit and 64-bit versions of Kali are available for download free at the following link: https://www.kali.org/downloads/
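The image, hash, and verify workflow this lab describes, sketched with the dd, md5sum, and sha256sum tools available on Kali. This is an added example, not part of the original lab; evidence.bin is a constructed file standing in for a source disk such as /dev/sdb, and the function and file names are assumptions.

```shell
#!/usr/bin/env bash
# Added example. evidence.bin is a constructed 1 MiB file standing in for a
# source device; all file and function names here are assumptions.

# Print only the hex digest of FILE, using md5sum or sha256sum.
hash_of() { "${1}sum" "$2" | awk '{print $1}'; }

# Copy SRC to IMG, then record the SOURCE hashes in checksum-file format
# ("<digest>  <path>") so the image can be checked against them later.
acquire() {
    local src=$1 img=$2 algo
    dd if="$src" of="$img" bs=65536 2>/dev/null || return 1
    for algo in md5 sha256; do
        printf '%s  %s\n' "$(hash_of "$algo" "$src")" "$img" > "$img.$algo"
    done
}

# Re-hash IMG and compare with both recorded digests; non-zero on mismatch.
verify() {
    local img=$1
    md5sum -c "$img.md5" >/dev/null 2>&1 &&
        sha256sum -c "$img.sha256" >/dev/null 2>&1
}

# Overwrite one byte at OFFSET in FILE to simulate an altered image.
alter_byte() {
    printf 'X' | dd of="$1" bs=1 seek="$2" conv=notrunc 2>/dev/null
}

demo() {
    local work src img
    work=$(mktemp -d) || return 1
    src=$work/evidence.bin
    img=$work/evidence.dd
    dd if=/dev/zero of="$src" bs=1024 count=1024 2>/dev/null
    printf 'constructed sample data' |
        dd of="$src" bs=1 seek=4096 conv=notrunc 2>/dev/null
    acquire "$src" "$img"
    echo "MD5     $(hash_of md5 "$img")"
    echo "SHA-256 $(hash_of sha256 "$img")"
    verify "$img" && echo "image matches the recorded hashes"
    alter_byte "$img" 512          # a single changed byte is enough
    verify "$img" || echo "image altered: hashes no longer match"
    rm -rf "$work"
}
demo
```

Against a real device, SRC would be the device path and the commands would need read access to it; the recorded .md5 and .sha256 files belong in the case notes alongside the image.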