Computer Systems Forensic Analysis

Hash Values

To guarantee integrity, hash values should be stored.

  • Hash blocks of small size to prevent a single error to invalidate all drive images.

    • e.g. the same size as the acquisition block.

  • In a RAW file; hash values are stored in a separate file.

  • It is always recommended to do a digital signature on the hash values files.

    • Why do you think this is good practice?

Digital signatures.

  • The best tool is GnuPG.

  • If possible, use also a time-stamping server.

PreviousImage File AcquisitionNextData Organization

Last updated