Cryptographic Hashing - Diagram 3



Cryptographic Hashing in Digital Forensics


One of the most common methods used by investigators is cryptographic hashing, which is a good way to show that evidence has not changed. Any file obtained must be immediately hashed, including packet captures and log files. According to Messier (2017, p. 5): “The best way to demonstrate that evidence has not changed from the point of acquisition is to use a cryptographic hash.”

This illustration, which I made, shows the hashing process used in the digital forensics context. It shows evidence consisting of the string 'SECRET CRIME PLANS' saved in a text document. It then shows two paths: in one the data is modified, while in the other it remains unaltered. As seen, the digest, in other words the output of the hash function, differs once the data in the text file is altered. This digest is then cross-referenced with the digest of the evidence file that was saved at the beginning of the investigation.

(Author's Work)




To further elaborate, in this procedure two separate files were made. Both contained the same 'SECRET CRIME PLANS' text, and when their checksums (another name for the digest) were compared, both were identical.

NOTE: METADATA DOES NOT AFFECT HASH VALUE SO FILENAME CAN DIFFER.



However, when one of them was altered, which is the example shown in the diagram ('SECRT CRIE PANS'), the digest differed, as shown below.
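The procedure described above can be reproduced in a few lines. This is an added example, not part of the original post: it assumes SHA-256 as the hash function (the post does not name one), and the file names and helper functions are hypothetical.

```python
import hashlib
import hmac
import tempfile
from pathlib import Path


def file_digest(path, algorithm="sha256", chunk_size=65536):
    """Hash the file's contents in chunks so large captures need not fit in memory."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify(path, recorded_digest, algorithm="sha256"):
    """True if the file still matches the digest recorded at acquisition."""
    return hmac.compare_digest(file_digest(path, algorithm), recorded_digest.lower())


def demo():
    """Constructed sample evidence: same text under two names, plus altered copies."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        original = tmp / "evidence.txt"
        renamed = tmp / "working_copy.txt"      # same content, different filename
        altered = tmp / "altered.txt"           # the modified text from the diagram
        newline = tmp / "saved_in_editor.txt"   # one trailing byte added
        original.write_bytes(b"SECRET CRIME PLANS")
        renamed.write_bytes(b"SECRET CRIME PLANS")
        altered.write_bytes(b"SECRT CRIE PANS")
        newline.write_bytes(b"SECRET CRIME PLANS\n")

        # Recorded once, at the beginning of the investigation.
        acquisition_digest = file_digest(original)
        return {
            "acquisition_digest": acquisition_digest,
            "renamed_matches": verify(renamed, acquisition_digest),
            "altered_matches": verify(altered, acquisition_digest),
            "newline_matches": verify(newline, acquisition_digest),
        }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The trailing-newline case shows why working copies should not be opened in an editor that rewrites the file on save: a single added byte is enough to break the match.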



Reference:

Messier, R., (2017). Network Forensics. [Place of publication not identified]: Wiley & Sons, p.5.
