How to Calculate Hash Value

Jul 22, 2016 | 6:54 am

Published by | Chandan Singh

Hash Value Calculation

What is a hash?
Hashing is a method for reducing large inputs to a compact, fixed-size output. In forensics, cryptographic hash algorithms such as MD5 and SHA-1 are typically used. These functions have a few properties useful to forensics. There are lots of online services that allow you to enter a hash code and discover what the preimage might have been.

Why you should calculate hashes
You may face situations in which you want to ensure that a file is the same version and has the same content as another file (e.g., when you send folders or data to someone, you want to make certain it has not been corrupted or altered). A hash is an alphanumeric string that is computed from a file’s contents. If the file has been changed in any way, the hash value changes as well.

Steps to calculate hash of Storage Drive

Step 1: Download FTK Imager Version 3.2.0 from http://marketing.accessdata.com/ftk-imager-3.2.0-download. Fill in the required information and click Submit; a download link is then sent to the email address you entered.
Open your email account, download “Access Data FTK Imager 3.2.0” and install it.
Then run the application.

Step 2: Click the File menu and choose “Add Evidence Item”.

Step 3: Select the Source Evidence Type (in this example, Physical Drive).

Step 4: Select Source Drive Selection. In this section, you can add any physical hard disk like the computer hard disk, pen drive, memory card etc.

Step 5: The physical drive is then added to the Evidence Tree. Right-click the physical drive and click “Verify Drive/Image…”.

Step 6: FTK Imager now verifies the physical drive. This takes some time, depending on the capacity of your drive.

Step 7: You can now see the MD5 and SHA1 hashes of your physical drive.

NOTE: Make use of the “Verify Image/Device” function. Simply attaching your thumb drive to Windows in the normal way could change the device hash, so I would recommend doing this with the Linux method from a forensic build disk, or using a write blocker (a device that gives read-only access to a computer hard drive without the risk of tampering with or damaging the drive’s contents) under Windows.
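
As an added example (not part of the original post and not FTK Imager's own code), the Python script below performs the same kind of check as the verify step above: it reads a source once in chunks, computes MD5 and SHA-1 together, and compares them with previously recorded values. The function names and the 3 MiB sample file are constructed for illustration.

```python
import hashlib
import hmac
import os
import tempfile

CHUNK = 1024 * 1024  # read 1 MiB at a time so a large drive or image never sits in memory


def hash_source(path, chunk_size=CHUNK):
    """Return MD5 and SHA-1 hex digests of a file, image or device, read in one pass."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    # "rb" opens the source read-only; this does not replace a write blocker
    with open(path, "rb") as src:
        while True:
            block = src.read(chunk_size)
            if not block:
                break
            md5.update(block)
            sha1.update(block)
    return {"md5": md5.hexdigest(), "sha1": sha1.hexdigest()}


def verify(path, recorded):
    """Re-hash path and report, per algorithm, whether it matches the recorded digest."""
    current = hash_source(path)
    return {alg: hmac.compare_digest(current[alg], recorded[alg].lower())
            for alg in ("md5", "sha1")}


def demo():
    """Constructed sample: a 3 MiB stand-in image, verified, then altered by one byte."""
    fd, path = tempfile.mkstemp(suffix=".dd")
    try:
        with os.fdopen(fd, "wb") as f:
            f.write(b"\x00" * (3 * CHUNK))
        recorded = hash_source(path)      # hashes noted at acquisition time
        before = verify(path, recorded)   # unchanged copy: both match
        with open(path, "r+b") as f:      # simulate a single-byte alteration
            f.seek(CHUNK + 7)
            f.write(b"\x01")
        after = verify(path, recorded)    # altered copy: both differ
        return recorded, before, after
    finally:
        os.remove(path)


if __name__ == "__main__":
    print(demo())
```

To hash a real image file, call hash_source() with its path; reading a raw device this way needs administrator or root rights.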