Segmented Hashing

Atola Insight Forensic can perform hash calculation for both source and target drives simultaneously. It supports two hashing methods: Linear and Segmented.

Supported hash types: MD5, SHA1, SHA224, SHA256, SHA384, SHA512

How is segmented hashing different from linear hashing?

With linear hashing, you get a single hash for the entire image.

With segmented hashing, hash is calculated for segments of the drive, and you end up with many hashes of corresponding LBA ranges (chunks) of the image. The sum of these LBA ranges represents the entire image, just not necessarily in sequential order. By validating all hashes in a set you can still prove that the entire image has not been modified.

Why use segmented hashing

There are two primary use cases:

1. Segmented hashes support multipass imaging and handling of bad sectors.

Hashes are calculated only for the imaged regions, while all bad sectors are excluded from the calculation. This allows validating a hash even when the source drive is damaged.

2. Better resiliency against data corruption.

If your acquired image gets damaged at some point in the future, with regular hashes you will get a hash mismatch upon verification and the entire image becomes useless. With segmented hashing, only a single hash value will become invalid while the rest of the image can still be validated.

Segmented hashing in Imaging settings

Format

All hashes are saved in a CSV file with the following format:

Hash,start LBA,end LBA

Example:

75c92419e86ce82734ef3bbb781e6602 ,0,8388608
e2c7fc5264bae820e46c50b0502236d3 ,8388609,16777216
42718e48b5adb59563c98727cbce0619 ,16777217,25165824
... And so on until the last LBA.

Chunk size

A new chunk is created by Atola Insight Forensic in one of two cases:

  1. Bad sector or any other error occurred during imaging
  2. Pre-defined chunk size limit (4 GB by default)

In both cases, existing hash value and LBA range are saved and a new hash is started.

Verify segmented hashes

Atola Insight Forensic helps verify existing CSV file containing segmented hashes against any target image. As a result, you receive the quantity of matched/mismatched segmented hashes. So even if a single hash value become invalid, it ensures the rest of the image can still be validated.

Mismatch found during hash verification

Are there any disadvantages compared to regular hashing?

The only disadvantage is that you end up with multiple hashes instead of a single hash value. This can pose an issue when validating such hash values with third-party tools. For this reason we have released a free open-sourced tool for validating segmented hashes:

seghash on GitHub

Calculate Hash

Atola Insight can perform hash calculation for both source and target drives simultaneously via a Calculate Hash menu. Moreover, MD5+SHA1 or MD5+SHA256 can be calculated on each drive at the same time. Segmented hash can be calculated simultaneously with Linear or separately.

Supported hash types: MD5, SHA1, SHA224, SHA256, SHA384, SHA512

Hash calculation