Hashing

What is a HASH value?

A HASH value is the result of cryptographically calculating the value of a file, a bit like DNA for us humans. HASH algorithms have been around for many years and have been used for many different functions. It is also possible to store hashes of passwords in databases to mask the password itself.

You can read more here: Wikipedia, HASH value


How do we use it in forensics?

HASH is used to calculate the value of files, so you have a unique value representation for a file. That way you can identify whether two files are the same.

You often see this if you download an ISO file, for example [Kali Linux](https://www.kali.org/get-kali/#kali-live), and look at SUM. This is the calculated value of the total file "kali.ISO".

When you download the .ISO file, you can calculate the HASH value yourself and compare the value you calculated with the value on the supplier's website.


What tools are there?

There are a myriad of tools out there, and many of them are open source or freely available. Below are a few tools that can be used to calculate HASH values at the file and folder level. In the Autopsy program, you can also calculate HASH values and compare them with the [NIST database (NSRL)](https://www.nist.gov/itl/ssd/software-quality-group/national-software-reference-library-nsrl/nsrl-download).

HASHtools (calculates HASH for a single file or multiple files)

Single file compared with the website. Had there been a mismatch, the line would have been red!

Dirhash (Calculates HASH for folders + subfolders)

DirHash.exe C:\Users\<username>\Downloads\mappe -sum -t output_mappe -progress
The hash of the defencia.dk files has been calculated here

Below is a method to verify the content.

DirHash.exe C:\Users\<username>\Downloads\mappe sha256 -verify output_mappe -progress 
Verified and OK

If you use Linux or Mac, use the command below

lablo@linux$ sha1sum filnavn
