When creating forensic images, verifying an image’s integrity (i.e., whether or not it is an exact bit-for-bit copy of the original evidence) is very important. Typically, this verification is accomplished via a comparison of the hash value (e.g., MD5, SHA1, SHA2, etc.) of the original media with the hash value of the resulting forensic image. However, is hashing still a beneficial exercise when creating a “live” forensic image (e.g., creating a DD image of a running server)? When a forensic image is created from a live, running system, will the hash value of the image ever match a hash of the running system’s hard drive? Why or why not? If not, how could you explain this in court?
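A worked illustration of the question, added here and not part of the original post: it images a constructed in-memory "disk" block by block while a hook simulates the running system writing to it, then checks which hashes still agree. The acquisition hash (the digest of the bytes as they were read, which is what imaging tools record) always matches the image file, while a hash of the live source taken before or after imaging does not. All names, the sample disk contents and the `simulated_live_writes` hook are assumptions made for this example.

```python
import hashlib
import io

CHUNK = 4096
# Constructed sample "disk" (two 4 KiB blocks) standing in for evidence media.
STATIC_DISK = b"\x00" * CHUNK + b"evidence" * (CHUNK // 8)

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def acquire(source, mutate=None):
    """Copy the source into an image block by block, hashing bytes as read (the
    acquisition hash). 'mutate' alters the source between reads, like a live OS."""
    image = bytearray()
    running = hashlib.sha256()
    pos = 0
    while True:
        source.seek(pos)
        block = source.read(CHUNK)
        if not block:
            break
        image += block
        running.update(block)
        pos += len(block)
        if mutate:
            mutate(source, pos)
    return bytes(image), running.hexdigest()

def simulated_live_writes(source, bytes_read):
    """Hypothetical hook: after the first block is imaged, touch one region that
    was already imaged and one that was not yet imaged, as a live system would."""
    if bytes_read == CHUNK:
        source.seek(0)
        source.write(b"LOG: service restarted\n")
        source.seek(CHUNK + 100)
        source.write(b"LOG: scheduled task ran\n")

def image_and_verify(disk: bytes, mutate=None) -> dict:
    """Compare the image hash with the acquisition hash and with hashes of the
    source media taken before and after imaging."""
    source = io.BytesIO(disk)
    before = sha256_hex(source.getvalue())
    image, acquisition_hash = acquire(source, mutate)
    after = sha256_hex(source.getvalue())
    image_hash = sha256_hex(image)
    return {
        "image_matches_acquisition_hash": image_hash == acquisition_hash,
        "image_matches_source_before": image_hash == before,
        "image_matches_source_after": image_hash == after,
    }
```

With `mutate=None` (a powered-off, write-blocked disk) all three comparisons succeed; with `simulated_live_writes` only the acquisition hash matches, because the image captures no single instant of the running disk.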