Atola Insight Forensic
Segmented hashing is a new hashing concept that makes it possible to hash damaged source drives and avoid losing a target image if part of the data gets corrupted. This hashing method can be used during multi-pass imaging of damaged drives.
How is segmented hashing different from regular hashing?
With regular hashing, you get a single hash for the entire image.
With segmented hashing, you end up with many hashes of corresponding LBA ranges of the image. The sum of these LBA ranges represents the entire image, though not necessarily in sequential order. You can still prove that the entire image has not been modified by verifying all hashes in a set.
Segmented hashes are saved in a CSV file in this format:
Hash,start LBA,end LBA
... And so on until the last LBA.
Segmented hashes for multi-pass imaging
The conventional hashing method prevents imaging source evidence in a non-linear way, which means no proper hash calculation when imaging damaged evidence drives. Segmented hashing allows the use of multiple passes and more efficient handling of damaged drives, while hashing all good areas.
Hashes are calculated only for the imaged areas, while all bad sectors are excluded from the calculation.
Another reason to use segmented hashes is to ensure better resiliency against data corruption in the image. If your acquired evidence image gets damaged in the future, with a regular linear hash you will get a hash mismatch upon verification, and the entire image will become useless. With segmented hashes, only the hash for one segment in the set will become invalid.
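One way such a set of hashes could be verified against an image, added here as an example and not Atola's own code. It assumes SHA-1 hex digests, 512-byte sectors, an inclusive end LBA and an optional header row, none of which the page specifies; `verify_segments` and `demo` are hypothetical names, and the sample image is constructed.

```python
import csv
import hashlib
import io

SECTOR = 512  # assumption: bytes per LBA


def verify_segments(image, csv_text, algo="sha1", sector=SECTOR):
    """Return (bad, gaps): segments that fail, and LBA ranges no segment covers."""
    segments = []
    for row in csv.reader(io.StringIO(csv_text)):
        if len(row) == 3 and row[1].strip().isdigit():  # skips header/blank lines
            segments.append((int(row[1]), int(row[2]), row[0].strip().lower()))
    bad = []
    for start, end, expected in segments:  # file order may be non-sequential
        h, left = hashlib.new(algo), (end - start + 1) * sector  # end inclusive
        image.seek(start * sector)
        while left and (chunk := image.read(min(left, 1 << 20))):
            h.update(chunk)
            left -= len(chunk)
        if left or h.hexdigest() != expected:  # truncated image or mismatch
            bad.append((start, end))
    total = image.seek(0, io.SEEK_END) // sector
    gaps, cursor = [], 0
    for start, end, _ in sorted(segments):  # unhashed areas, e.g. bad sectors
        if start > cursor:
            gaps.append((cursor, start - 1))
        cursor = max(cursor, end + 1)
    if cursor < total:
        gaps.append((cursor, total - 1))
    return bad, gaps


def demo():
    """Constructed 16-sector image: LBAs 8-9 unreadable, one byte later altered."""
    disk = bytearray(bytes(range(256)) * 32)  # 8192 bytes = 16 sectors
    rows = ["Hash,start LBA,end LBA"]
    for start, end in [(10, 15), (0, 3), (4, 7)]:  # multi-pass, out of order
        digest = hashlib.sha1(disk[start * SECTOR:(end + 1) * SECTOR]).hexdigest()
        rows.append(f"{digest},{start},{end}")
    csv_text = "\n".join(rows)
    clean = verify_segments(io.BytesIO(disk), csv_text)
    disk[5 * SECTOR] ^= 0xFF  # corruption lands inside segment 4-7 only
    damaged = verify_segments(io.BytesIO(disk), csv_text)
    return clean, damaged


if __name__ == "__main__":
    print(demo())
```

After the single-byte change only segment 4-7 is reported as invalid; the other segments still verify, and LBAs 8-9 are listed as never hashed rather than as mismatches.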
Example: Imaging with segmented hashing
Here are imaging results including a link to the file with segmented hashes.
Segmented hashes are saved in a CSV file in "Hash,start LBA,end LBA" format: