Segmented Hashing

Segmented hashing is a concept introduced by Atola Technology into forensic imaging in November of 2016. Segmented hashing makes it possible to hash damaged drives and ensures that the image can be verified even if the data becomes corrupted later in the case's life cycle.

How does it work?

With regular hashing, you get a single hash value for the entire image.

Segmented hashing can be used during multipass imaging of damaged drives. This method produces a multitude of hash values for individual LBA ranges of the evidence drive and the image, and the sum of these LBA ranges represents the entire image. Even if your evidence drive is damaged, or if the data in the image becomes corrupted over time, you can prove that the entire image has not been tampered with by verifying all hashes in a set.

Segmented hashing produces a CSV file in this format:

Hash,start LBA,end LBA

A table with segmented hashes.

Segment size can be selected from a range of options (from 4 to 32 GB). A new segment begins with the first sector following either the previous segment or a bad sector.

Segmented hashes for multipass imaging

With the conventional hashing method, it is impossible to calculate a hash for the entire space of the source evidence drive, because linear hashing stops upon encountering the first bad sector. Therefore no proper hash calculation is possible during the imaging of damaged evidence drives.

With segmented hashing, hashing can be performed during the multipass imaging of a damaged drive. Hashes are calculated only for the successfully imaged areas, while all bad sectors are excluded from the calculation.

Better resiliency

Even if your evidence drive is in good condition at the time of imaging, segmented hashes may provide better resiliency against image data corruption.

If your acquired image is damaged at a later time, you will get a hash mismatch when verifying the regular hashes. As a result, the entire image becomes useless. But with segmented hashing, only the hash value for the damaged segment of the drive becomes invalid.

Is there any disadvantage compared to linear hashing?

The only potential downside of segmented hashing is the lack of its support in third-party tools. To make verification of segmented hashes easy, we have developed and released a free open-source tool for the validation of segmented hashes: seghash on GitHub.
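A minimal sketch of how a CSV in this format can be checked against an image, added here as an illustration; it is not the seghash tool or Atola's code. It assumes 512-byte sectors, an inclusive end LBA, an optional header row, and a hash algorithm inferred from the digest length; the 16-sector image in `demo()` is constructed.

```python
import csv
import hashlib
import io

SECTOR = 512  # assumption: 512-byte logical sectors
# Assumption: the algorithm is inferred from the hex digest length.
ALGOS = {32: "md5", 40: "sha1", 64: "sha256"}

def parse_segments(csv_text):
    """Yield (digest, start_lba, end_lba) from 'Hash,start LBA,end LBA' rows."""
    for row in csv.reader(io.StringIO(csv_text)):
        if len(row) == 3 and row[1].strip().isdigit() and row[2].strip().isdigit():
            yield row[0].strip().lower(), int(row[1]), int(row[2])

def hash_range(image, start, end, algo):
    """Hash sectors start..end of a seekable stream (end inclusive, an assumption)."""
    h = hashlib.new(algo)
    image.seek(start * SECTOR)
    remaining = (end - start + 1) * SECTOR
    while remaining:
        data = image.read(min(1 << 20, remaining))
        if not data:
            return None  # image is shorter than the segment
        h.update(data)
        remaining -= len(data)
    return h.hexdigest()

def verify(image, csv_text):
    """Return [(start_lba, end_lba, ok)], one entry per CSV segment."""
    out = []
    for digest, start, end in parse_segments(csv_text):
        algo = ALGOS.get(len(digest))
        ok = algo is not None and hash_range(image, start, end, algo) == digest
        out.append((start, end, ok))
    return out

def demo():
    """Constructed image: sector 4 plays a bad sector and is covered by no segment."""
    data = bytearray(b"".join(bytes([i]) * SECTOR for i in range(16)))
    segs = [(0, 3), (5, 9), (10, 15)]
    rows = ["%s,%d,%d" % (hashlib.sha1(data[s * SECTOR:(e + 1) * SECTOR]).hexdigest(), s, e)
            for s, e in segs]
    csv_text = "Hash,start LBA,end LBA\n" + "\n".join(rows) + "\n"
    before = verify(io.BytesIO(bytes(data)), csv_text)
    data[7 * SECTOR] ^= 0xFF  # later corruption of one byte in sector 7
    after = verify(io.BytesIO(bytes(data)), csv_text)
    return before, after
```

In `demo()`, only the segment covering LBA 5 to 9 fails after the corruption; the other two segments still verify.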

Example: Imaging with segmented hashing and instant verification of target

In the imaging settings, select the segmented hashing method and make sure to enable post-hash of the target. This way you receive sets of hashes for both the evidence drive and the image.

Enabling segmented hashing and post-hashing of the target in imaging settings.

TaskForce's highly optimized imaging and hashing algorithms ensure that hashing during imaging does not slow down the session:

Imaging with segmented hashing runs at the speed of over 500 MB/s.

After imaging is completed, post-hashing will commence.

Post-hashing runs upon completion of imaging.

Here are the imaging results with the link to the file with segmented hashes. With post-hashing of the target enabled, you also receive the results of cross-checking between the hash sets of the evidence drive and the image.

Imaging report provides links to the location of the CSV files with segmented hashes.
