Call us now: 888 540-2010,  416 833-3501   10am – 6pm ET

General Information
DiskSense Unit
Extensions
Battery
Supported Drives
Version Log

Ordering

Place an Order
Lifetime Warranty

Features

Disk Diagnostics
Disk Duplication
Selective Head Imaging
Password Removal
Segmented Hashing
Scripting
Case Management
Bad Sector Recovery
File Recovery
Firmware Recovery
Disk Utilities
Multi-Tasking

Information

Quickstart
Screencasts
FAQ

Segmented Hashing

Segmented hashing is a new hashing concept, which enables to hash damaged source drives and avoid losing a target image if part of the data gets corrupted. This hashing method can be used during multi-pass imaging of damaged drives.

How is segmented hashing different from regular hashing?

With regular hashing, you get a single hash for the entire image.

With segmented hashing, you end up with many hashes of corresponding LBA ranges of the image. The sum of these LBA ranges represents the entire image, though not necessarily in sequential order. You can still prove that the entire image has not been modified by verifying all hashes in a set.

Segmented hashes are saved in a CSV file in this format:

Hash,start LBA,end LBA

Example:


75c92419e86ce82734ef3bbb781e6602,0,8388608
e2c7fc5264bae820e46c50b0502236d3,8388609,16777216
42718e48b5adb59563c98727cbce0619,16777217,25165824

... And so on until the last LBA.

Segmented hashes for multi-pass imaging

Conventional hashing method prevents imaging source evidence in a non-linear way, which means no proper hash calculation when imaging damaged evidence drives. Segmented hashing allows the use of multiple passes and a more efficient handling of damaged drives, while hashing all good areas.

Hashes are calculated only for the imaged areas, while all bad sectors are excluded from the calculation.

Segmented hashing in Imaging

Better resiliency

Another reason to use segmented hashes is to ensure better resiliency against data corruption in the image. If your acquired evidence image gets damaged in the future, with a regular linear hash you will get a hash mismatch upon verification, and the entire image will become useless. With segmented hashes only the hash for one segment in the set will become invalid.

Example: Imaging with segmented hashing

Here are imaging results including a link to the file with segmented hashes.

Segmented hashes are saved in a CSV file in "Hash,start LBA,end LBA" format:

Segmented hashes in CSV file

Example: Verification of segmented hashes

Verify Segmented Hashes option is an automated way to take an existing CSV file containing segmented hashes and verify the hashes against the image.

This is how it works:

Step 1. First, let's simulate a change of the evidence image. We can do so by selecting the image and changing one byte at sector #35,000,000.

Change one byte in Disk Editor

Step 2. Now we go to Verify Segmented Hashes subcategory of the Hashing category in the left-side menu, select the file with segmented hashes calculated during imaging and click Start.

Step 3. Hash verification is in progress. Here we see 18 segmented hashes checked. Hash for the interval that includes sector 35,000,000 is invalid.

Segmented hash verification in progress

Step 4. Hash verification ends with the proper case report automatically created.

Segmented hash verification report


Back to Atola Insight Forensic User's Manual

Back to Atola Insight Forensic Customer's Page