3.1 - Evidence Verification #
3.1 What is the SHA1 hash of the desktop image? #
This is one of the most critical parts of computer forensics, validating the evidence. The weakest point in any investigation is the integrity of the data, so validation is essential.
Validating digital evidence requires using a hashing algorithm utility which is design to create a binary or hexadecimal number that represents the uniqueness of the data set. Because hash values are unique, if two files have the same hash values, they are identical. (Collisions are out of scope of this course).
MD5 and SHA1 are the two most popular hashing algorithms used today to verify the integrity of a given piece of evidence.
There are several tools that can be used to calculate the digital footprint of the evidence file.
1.1 Using FTK Imager #
Open FTK Imager.
Go to File > Add Evidence Item.
Choose “Image File” then Next.
Browse and find the E01 evidence file then Next.
Right click on the item under the Evidence Tree and select “Verify Drive/Image”.
The process will begin.
1.2 MUS-CTF-19-DESKTOP-001.E01.txt #
This text file was included with the evidence and contains the metadata that is embedded into the E01 file. This file contains the Image information and checksums as well as the verification results.
1.3 Could we just use PowerShell to do this? #
The Get-FileHash cmdlet computes the hash value for a file by using a specified hash algorithm.
Open a PowerShell command prompt.
Browse to the location of the E01 file on your system.
Run the following command.
Get-FileHash MUS-CTF-19-DESKTOP-001.E01 -Algorithm SHA1 | Format-List
Review the output which should match the output below.
PS F:\> Get-FileHash MUS-CTF-19-DESKTOP-001.E01 -Algorithm SHA1 | Format-List Algorithm : SHA1 Hash : CCB80231AC0E748C14070BC472E5F08053360C08 Path : F:\MUS-CTF-19-DESKTOP-001.E01
Why doesn’t this match our other values we found from FTK Imager?