→
What is a hash value?
A value calculated from a file's contents using a cryptographic algorithm, a bit like DNA for humans. Hash algorithms have existed for many years and are used for many things, including masking stored passwords.
→
How we use it in forensics
Hashing produces a unique value for a file, so you can identify whether two files are the same. You see this when downloading an ISO (e.g. Kali Linux) and checking the SUM — calculate the hash yourself and compare it to the vendor's published value. In Autopsy you can hash files and compare against the NIST NSRL database.
→
Tools
A myriad of free / open-source tools exist.
| Tool | Use |
|---|---|
| HashTools | Calculate hash for one or many files; red line on mismatch. |
| DirHash | Calculate hashes for folders + subfolders. |
| Autopsy / NSRL | Hash files and compare against the NIST National Software Reference Library. |

DirHash example — hash a folder tree with progress output.

```
DirHash.exe C:\Users\<username>\Downloads\folder -sum -t output_folder -progress
```