The new era of digital forensic analysis has been experiencing rapid growth in recent years, as the use of computer forensic analysis proved invaluable data in a wide range of legal proceedings. With the persistent societal trend of digitizing all information, such analysis is becoming increasingly very critical in investigating the entire range of illegal activities. Digital forensics is being used not only to investigate computer security system crimes or digital artifact, such as network intrusion, fabrication of data and illegitimate material distribution through digital services. Digital forensics tools apparently use to calculate the hash value of digital evidence drive. MD5 and SHA hash function is used in digital forensic tools to calculate and analyze to verify that a data set has not been altered or manipulated, due to the application of various evidence collection and analysis tools and procedures.
The foremost tool of investigating large volumes of data is hashing—it’s mainly used to validate data integrity and identify the known content. we can ideally say that the Hash function takes an arbitrary string of binary data and produces a number, often called a digest, in a predefined range of codes. Simply, it provides a set of different inputs; the hash function will map them to different outputs. Instinctively, a hash function is to be called as a collision resistant of finding two different inputs with the same output is systematically infeasible. Cryptographic hash functions, such as MD5, RIPEMD-160, SHA-1, SHA-256, and SHA-512, are clearly designed to produce large, 128- to 512-bit results.
Basic Digital Forensic Science:-
What is Hash Value?
Hash value refers as the result of a calculation (hash algorithm) that can be performed on a string of text, electronic file or entire hard drives contents. It s also defined as a checksum, hash code or hashes. Hash values are used to recognize and pass through a filter duplicate files (i.e. email, attachments, and loose files) from an ESI collection or verify that a forensic image or clone was captured successfully. The hash value represents in brief the longer message or document from which it was computed; one can think of a message digest as a “digital fingerprint” of the larger document. Hash functions are also being used for creating digital signatures, hash tables and short condensations of text for analysis purposes. It is also known as “cryptographic hash functions. A In each and every step of hashing algorithm uses a specific number of bytes to store a “thumbprint” of the contents.
Significance of Hashing in Data Forensic:
Hashing is a primary tool in digital forensic investigations in which hash value are being used to check the integrity of any data file but, in digital forensic it is used to check the reliability of evidence disk data. The image of a disk is created in digital forensic for analysis so, it is essential that the image have exactly or replica of evidence disk. The hash value generated during imaging should match when that image of evidence disk is extracted for final detailed analysis. In digital forensic hash value is generated for whole disk data not only single or multiple files with the help of clever design.
The proposed framework of finding evidence for system tampering, data hiding or deleting utilities, unauthorized system modifications etc. should also performed. Detecting and recovering hidden or obscured information is a major tiresome task involved in the process of hashing. Data should be searched and analyzed for recovering passwords, finding unusual hidden files or directories, file extension and signature mismatches etc. while searching the above said information from an evidence disk the forensic software is also create the hash value of the whole drive to check the integrity of the disk.