Atola Insight Forensic
Segmented hashing is a new hashing concept, which enables to hash damaged source drives and avoid losing a target image if part of the data gets corrupted. This hashing method can be used during multi-pass imaging of damaged drives.
How is segmented hashing different from regular hashing?
With regular hashing, you get a single hash for the entire image.
With segmented hashing, you end up with many hashes of corresponding LBA ranges of the image. The sum of these LBA ranges represents the entire image, though not necessarily in sequential order. You can still prove that the entire image has not been modified by verifying all hashes in a set.
Segmented hashes are saved in a CSV file in this format:
Hash,start LBA,end LBA
... And so on until the last LBA.
Segmented hashes for multi-pass imaging
Conventional hashing method prevents imaging source evidence in a non-linear way, which means no proper hash calculation when imaging damaged evidence drives. Segmented hashing allows the use of multiple passes and a more efficient handling of damaged drives, while hashing all good areas.
Hashes are calculated only for the imaged areas, while all bad sectors are excluded from the calculation.
Another reason to use segmented hashes is to ensure better resiliency against data corruption in the image. If your acquired evidence image gets damaged in the future, with a regular linear hash you will get a hash mismatch upon verification, and the entire image will become useless. With segmented hashes only the hash for one segment in the set will become invalid.
Example: Imaging with segmented hashing
Here are imaging results including a link to the file with segmented hashes.
Segmented hashes are saved in a CSV file in "Hash,start LBA,end LBA" format:
Example: Verification of segmented hashes
Verify Segmented Hashes option is an automated way to take an existing CSV file containing segmented hashes and verify the hashes against the image.
This is how it works:
Step 1. First, let's simulate a change of the evidence image. We can do so by selecting the image and changing one byte at sector #35,000,000.
Step 2. Now we go to Verify Segmented Hashes subcategory of the Hashing category in the left-side menu, select the file with segmented hashes calculated during imaging and click Start.
Step 3. Hash verification is in progress. Here we see 18 segmented hashes checked. Hash for the interval that includes sector 35,000,000 is invalid.
Step 4. Hash verification ends with the proper case report automatically created.