Segmented hashing is a concept introduced into forensic imaging by Atola Technology in November of 2016.

This method of hashing allows verifying data imaged from damaged media, ensuring that the image can be verified even if data gets corrupt later in the case’s life cycle.

How does it work?

With the conventional hashing method, it is impossible to calculate hash for the entire space of a damaged evidence drive: linear hashing will stop upon encountering the first bad sector.

Segmented hashing can be performed during multi-pass imaging of a damaged drive. This method produces a set of hash values for individual LBA ranges of the evidence drive and the image. Hashes are calculated only for the successfully imaged areas, while all bad sectors are excluded from the calculation.

With segmented hashing, you can prove that the entire image has not been tampered with by verifying all hashes in a set, even if your evidence drive is damaged, or if the data in the image gets corrupt over time: only one the hash for the damaged segment of the drive becomes invalid.

Segmented hashing produces a CSV file in this format:

Hash,start LBA,end LBA

 

A table with segmented hashes: hash value, first LBA, last LBA

Imaging with segmented hashing and post-hashing of the target for immediate image verification

In the imaging settings, select Segmented hashing method and sector size: you can select size from a range of options (4 to 32 GB).

Make sure to enable post-hash of the target and receive both sets of hashes for both the evidence drive and image.

Atola TaskForce: selecting hashing method

TaskForce’s highly optimized imaging and hashing algorithms ensure that hashing during imaging does not slow down the session:

Task Force: imaging session

After imaging is completed, post-hashing will commence.

Atola TaskForce: Post-hashing

Here are imaging results with the link to the file with segmented hashes. With the post-hashing of the target is enabled, you also receive the results of cross-checking between the hash sets of the evidence drive and the image.

Atola TaskForce: Imaging results

Is there any disadvantage compared to linear hashing?

The only potential downside of segmented hashing is the lack of its support in third-party tools. To make verification of segmented hashes easy, we have developed and released a free open-source tool for the validation of segmented hashes: seghash on GitHub.

Yulia Samoteykina
Latest posts by Yulia Samoteykina (see all)
Categories: Atola TaskForce

Yulia Samoteykina

Director of Marketing Yulia believes that with a product that is exceptionally good at solving tasks of forensic experts, marketing is about explaining its capabilities to the users. Yulia regularly represents Atola at DFIR events, holds free workshops and webinars about Atola imagers functionality and advocates on the users' behalf to ensure that Atola keeps on adding value and raising the bar for the industry.

Leave a Reply

Your email address will not be published. Required fields are marked *