Some source evidence drives and their images can be involved in a long-running investigation case and wait to be presented in court for months or years on end. Data stored on such drives and their image files may eventually get corrupt. Therefore it may be critical for an investigator to ensure the integrity of data on such devices or image files before resuming to work with them or presenting them in court.

Over the years, E01 file format has become a popular format for forensic purposes due to its ability to store not both the image of the drive, but also case and evidence details. E01 file can also contain both MD5 and SHA-1 hash values.

To view the previously calculated hash calculated for an E01 file with Atola TaskForce, open the imaging report in the case management system. It contains the hash values calculated during imaging.

Alternatively, you can look up the metadata stored in the E01 file itself:

  1. Open Devices menu by clicking the Devices button in the top bar.
  2. Click Select file box in the File category.
  3. Select the E01 file in the file browser.

Hash calculated during imaging stored in E01 file’s metadata

 

To ensure the integrity of the data in the file, you can recalculate its hash.

  1. Click Hash in the left-side task menu. This will open the devices to choose the one for which you want to calculate hash.
  2. Click Select file box in the File category.
  3. Select the E01 file in the file browser.
  4. Make sure to select the same hashing types (MD5, SHA1, etc.)
  5. Click Start button

Start hash calculation

 

Adjust hashing settings and start hash calculation by clicking the Start button.

When the hash calculation is completed, you can make sure that the two sets of hashes are identical.

Compare the calculated hash values to the ones calculated during imaging