A key part of working on a forensic investigation is being able to prove that none of the evidence has been altered. To do this, one thing digital forensic scientists can do is verify hashes. By verifying hashes they are able to prove that the evidence they recovered is the same as the original data as well as determine whether similar data is identical. In this module, you will learn what hashes are, where you can see them, what they can be used for, and, most importantly, how to generate them.

What is a hash?

A hash is a value returned by a hash function, which is an algorithm that turns something of variable size into an output of a fixed size. A simpler way to think of a hash would be as a fingerprint for a piece of data such as a file or image. Just like no two humans have the same fingerprint, no two distinct pieces of data can have the same hash*.

The two most common types of hashes are MD5 and SHA-1.

MD5 stands for Message Digest algorithm 5. This type of hash generates a 128-bit hash value, meaning that the value is expressed as a 32-digit hexadecimal number as shown below:
d41d8cd98f00b204e9800998ecf8427e

SHA-1 stands for Secure Hash Algorithm 1. This type of hash generates a 160-bit hash value. This means that the value is expressed as a 40-digit hexadecimal number as shown below:
b48cf0140bea12734db05ebcdb012f1d265bed84

*There are some extreme cases in which two different pieces of data have the same hash. This is called a collision, and is not covered here.

Where do you see them?

When downloading something from the internet, you will often see a random-looking line of text near the download. That random line of text is a hash. Here is a sample from the CSAW website:

Download Evidence Here [Direct and Torrent]: http://isis.poly.edu/~egavas/csaw2013-hsf/
Download SHA1: 1861d664c1516a6a3e77627832e203deeeb0b049

Note that sometimes the provider will specify the presence of a hash, but other times, the string will appear alone.

What can they be used for?

Since no two distinct pieces of data produce the same hash*, hashes come in handy during digital forensic investigations when a file or image appears in more than one place. Hashes are also helpful in proving that evidence has not been altered, since the hash of the original artifact and the hash of the examined artifact can be compared. (If they match, the evidence has not been altered!)

*There are some extreme cases in which two different pieces of data have the same hash. This is called a collision, and is not covered here.

Sample Challenge:

Now that you know a little bit about hashing, let’s make sure you really understand.

Here are two images:

Follow the steps below to find out whether or not they are identical. Remember, no two distinct pieces of data can have the same hash!

Step 1. Download the images provided and save them

Step 2. Download an MD5 Hash Checker:

  • Use this link http://www.winmd5.com/ to download an MD5 hash checker

  • Select “WinMD5 Freeware Download”

  • Unzip the folder and double click on the WinMD5 Application

Step 3. Follow the on-screen directions to select one of the images you just saved

Step 4. Copy & Paste the file’s MD5 checksum into the “Original file MD5 checksum” box, so you have it for future steps

Step 5. Select the other image you saved

Step 6. Click “Verify”


Do the two hashes match?

The hashes should not match. While the images look the same, I retrieved them from two different websites! The files are therefore not byte-for-byte identical, even though the pictures appear the same. You can use a checker like this one to verify the hashes of all sorts of data, including audio files, document files, and even video files.
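The same challenge done as a script instead of with WinMD5, as an added example that is not part of the original module: it hashes files in chunks (so large evidence files are not read into memory at once), compares two files the way the "Verify" button does, and checks a download against a hash published beside it, like the CSAW SHA1 line above. The two "image" files, their names, and their contents are constructed for the demo; the only real value is the MD5 of empty input, which the module itself shows.

```python
import hashlib
import hmac
import tempfile
from pathlib import Path

CHUNK = 1 << 20  # read 1 MiB at a time; disk images and video files can be very large


def file_digest(path, algorithm="md5"):
    """Return the hex digest of the file at `path` using `algorithm` (md5, sha1, sha256, ...)."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def files_identical(path_a, path_b, algorithm="md5"):
    """The WinMD5 'Verify' step: two files are identical only if their digests match."""
    return file_digest(path_a, algorithm) == file_digest(path_b, algorithm)


def verify_published(path, published_hex, algorithm="sha1"):
    """Check a downloaded file against the hash published next to the download link.
    Case and surrounding whitespace in the published value are ignored."""
    expected = published_hex.strip().lower()
    actual = file_digest(path, algorithm)
    return hmac.compare_digest(actual, expected)


def demo():
    """Constructed sample: two 'images' that look alike but differ by one trailing byte."""
    with tempfile.TemporaryDirectory() as tmp:
        image_a = Path(tmp) / "picture_site1.jpg"   # constructed file names
        image_b = Path(tmp) / "picture_site2.jpg"
        pixels = b"\xff\xd8" + b"\x00" * 4096 + b"\xff\xd9"  # constructed JPEG-like bytes
        image_a.write_bytes(pixels)
        image_b.write_bytes(pixels + b"\x00")  # e.g. re-saved by the second website
        empty = Path(tmp) / "empty.bin"
        empty.write_bytes(b"")  # MD5 of empty input is the value shown in the module
        return {
            "md5_a": file_digest(image_a),
            "md5_b": file_digest(image_b),
            "identical": files_identical(image_a, image_b),
            "empty_md5_ok": verify_published(empty, "D41D8CD98F00B204E9800998ECF8427E", "md5"),
        }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```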
For more information, and more tools, please visit the module for md5deep & hashdeep