Atola Insight Forensic 4.7 is released!
This release comes with the new hashing concept which protects you from damaged target images and works in parallel with the multi-pass imaging engine.
The full list of Atola Insight Forensic 4.7 changes can be found here: Atola Insight Forensic Changelog.
How is segmented hashing different from regular hashing?
With regular hashing, you get a single hash for the entire image.
With segmented hashing, you end up with many hashes of corresponding LBA ranges (chunks) of the image. The sum of these LBA ranges represents the entire image, just not necessarily in sequential order. By validating all hashes in a set, you can still prove that the entire image was not modified.
All segment hashes are saved in a CSV file with the following simple format:
Hash,start LBA,end LBA
75c92419e86ce82734ef3bbb781e6602,0,8388608 e2c7fc5264bae820e46c50b0502236d3,8388609,16777216 42718e48b5adb59563c98727cbce0619,16777217,25165824
… And so on until the last LBA.
Segmented hashes for multi-pass imaging
Conventional hashing algorithms prevent imaging source evidence in a non-linear way, which means no proper hash calculation when imaging damaged evidence drives. Enabling segmented hashing allows the use of multiple passes and more efficient handling of damaged drives, while still hashing all good areas.
Hashes are calculated only for the imaged regions, while all bad sectors are excluded from the calculation.
Another reason to use segmented hashes is to provide for better resiliency against target image data corruption. If your acquired evidence image is damaged at some point in the future, with regular hashes you will get a hash mismatch upon verification, and the entire image becomes useless, whereas with segmented hashes only one hash from a set becomes invalid.
Example – imaging with segmented hashing enabled
Here are imaging results with the link to segmented hashes file.
Segmented hashes are saved in a CSV file with the simple “Hash,start LBA,end LBA” format:
Example – verification of segmented hashes
There is a new operation added to Atola Insight – Verify Segmented Hashes. It is an automated way to take existing CSV files containing segmented hashes and verify all of them against the target image.
Let us take a closer look at the example to see how it works.
Step 1. First, let’s simulate a change of the evidence image. We can do so by selecting the target image and changing one byte at sector #35,000,000.
Step 2. Now we go to Verify Segmented Hashes. Select the file with segmented hashes calculated during imaging and click Start.
Step 3. Hash verification is in progress. Here we see 18 segmented hashes checked. Hash for the interval that includes sector 35,000,000 is invalid.
Step 4. Hash verification finishes with the proper case report automatically created.
If you want to learn more about other 4.7 changes, visit this page: Atola Insight Forensic Changelog.
Where to buy
If you still do not have an Atola Insight Forensic and would like to place an order, this can be done directly via Atola Technology, or from a distributor near you:
- Call us: +1 888 540-2010, +1 416 833-3501 10am – 6pm ET
- Or email us: https://atola.com/support/inquiry.html?type=1
P.S. Dear customers, we appreciate your feedback and will take it into account when making changes to the product. Therefore, please feel free to write your thoughts or ideas as comments below.