Forensics Hash Analysis

Need for Forensic Hash Algorithms in Digital Crime Investigation


During a digital forensic investigation, most forensic tools calculate hash values of the collected data. The most commonly used forensic hash algorithms are SHA1, MD5 and SHA256. Forensic hash analysis is used to verify that the collected evidence has not been modified or altered.


Why You Need SHA1 for Forensic Investigation


SHA-1 (Secure Hash Algorithm 1) is a hash function developed by the US National Security Agency to check the integrity of data. The SHA1 forensic hash algorithm takes an input and generates a 160-bit hash value known as a message digest. SHA1 is a complex form of checksum algorithm. The main speciality of SHA1 is that it generates a 160-bit hash value, which is very long. Because of this, it is very difficult to break this value. Most big companies use the SHA1 hash algorithm for password verification.


SHA1 forensics hash algorithms


In digital forensic investigation, hash values are used for identification, verification, and authentication of digital data. Forensic hashing is the process of applying a mathematical function to the collected data to generate a hash value, which acts as a unique identifier of the data. If any change is made to the data, the hash value changes as well. Two common examples of the use of the SHA1 hash algorithm are login verification and file verification.

  • Login verification: When you create an account on a website, it generates a unique identifier corresponding to the user name and password that you gave. That is, with the help of the SHA1 hash, it changes your data into a checksum. Whenever you try to log in, it compares the checksum with the value stored in the database.
  • File verification: When downloading a file, the user can use the SHA1 checksum of the file to verify that the downloaded file is exactly the same as expected and that no changes have occurred in it.

In digital forensic investigation, the SHA1 message digest is used as a checksum value during the acquisition of electronic data. This value helps to verify the integrity of the collected evidence, that is, whether the data has been changed by anyone. If anyone tries to manipulate the data, the SHA1 forensic hash value will automatically change too. Hence, comparing SHA1 values helps to detect this modification, and it has become one of the most helpful techniques for investigators.


SHA1 Algorithm Analysis with Forensics Software


In this email forensics tool, the SHA1 forensic hash implementation helps agents identify emails within seconds. It helps investigators analyse and detect falsified email data by directly comparing the SHA1 value of each email. The user can also filter email data from a bulk set of emails with the help of this SHA1 option. The one condition for directly accessing the SHA1 message digest is that the SHA1 option must be enabled during the scanning process. Follow the section below to analyse the email data based on the SHA1 forensic hash values.

Step 1: Add File

Once the new case is created, you will get the window shown below for loading the file to scan. Use the 'Add Evidence' option to load the file.

Add File

Step 2: Browse File

Here, you can choose the type of the file to be scanned and browse the file from the respective location.

Browse File

Step 3: Setting SHA1 Option

You can set the SHA1 option from the 'Scan Settings' option in the Add File window. When you open the settings option, the following panel appears. Under Hash Settings, you will find a SHA1 hash algorithm option to check.

Setting SHA1 Option

Step 4: Enabled SHA1

If the SHA1 option is checked and saved, the tool will scan the file. Once the file is scanned, you can view it. With the SHA1 option enabled, the tool shows the SHA1 message digest of each email, as follows.

Enabled SHA1

Step 5: Disabled SHA1

If the SHA1 option is not checked, you won't get the preview of the SHA1 value. The preview of the emails will be as shown.

Disabled SHA1

Step 6: Search with SHA1 Value

The software provides a search filter option to find an email within a large set of emails. You can search for a mail by its SHA1 value: type the SHA1 forensic hash value and the corresponding email will be listed, which makes searching easy.

 Search with SHA1 Value

Step 7: View SHA 256 Hash Value Files

The software now allows you to view the SHA256 hash value associated with files. To view it, select the file and right-click to preview the email file.

Note: This version of the tool doesn't display the SHA256 values of Skype entries (Chat/Call/SMS).

View Hash Value
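
The acquisition-time hashing, search by SHA1 value and detection of altered emails described above can be reproduced outside the tool. The following is an added example, not the tool's own code: it assumes each digest is computed over the raw bytes of one message (the page does not say what the tool hashes), and the function names and sample messages are constructed for illustration.

```python
import hashlib
from email import message_from_bytes

ALGOS = ("md5", "sha1", "sha256")  # 128-, 160- and 256-bit digests

def digests(raw: bytes) -> dict:
    """Return the hex digest of the raw message bytes for each algorithm."""
    return {a: hashlib.new(a, raw).hexdigest() for a in ALGOS}

def build_index(messages):
    """Acquisition step: map each Message-ID to the digests of its raw bytes."""
    index = {}
    for raw in messages:
        msg_id = message_from_bytes(raw)["Message-ID"]
        index[msg_id] = digests(raw)
    return index

def search(index, value, algo="sha1"):
    """Return the Message-IDs whose digest equals the given hex value."""
    value = value.strip().lower()
    return [mid for mid, d in index.items() if d[algo] == value]

def verify(index, messages):
    """Re-hash a later copy and report changed, missing and added messages."""
    current = build_index(messages)
    changed = sorted(m for m in index if m in current and current[m] != index[m])
    missing = sorted(m for m in index if m not in current)
    added = sorted(m for m in current if m not in index)
    return {"changed": changed, "missing": missing, "added": added}

def make(mid, subject, body):
    """Build one constructed sample message (not real mail)."""
    return (f"Message-ID: <{mid}@example.test>\r\nFrom: a@example.test\r\n"
            f"To: b@example.test\r\nSubject: {subject}\r\n\r\n{body}\r\n").encode()

# Constructed evidence set as acquired.
ACQUIRED = [make("1", "Invoice", "Amount due: 100"),
            make("2", "Meeting", "See you at 10:00")]
# Constructed working copy in which the body of message 1 was edited.
WORKING = [make("1", "Invoice", "Amount due: 900"), ACQUIRED[1]]

if __name__ == "__main__":
    index = build_index(ACQUIRED)
    for mid, d in index.items():
        print(mid, d["sha1"])
    print(search(index, index["<2@example.test>"]["sha1"]))
    print(verify(index, WORKING))
```

Recording the SHA256 digest next to MD5 and SHA1 is worthwhile because practical collisions have been published for both MD5 and SHA1.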


MD5 Hash Algorithm in Forensic Investigation


MD5 (Message Digest Algorithm 5) is a widely used hash algorithm, initially created as a cryptographic hash function. It is also known as a one-way cryptographic hash function because it accepts a message of arbitrary length and generates an MD5 hash digest of 128 bits, mainly used for authenticating the original message. During digital forensic investigation, MD5 is also used as a forensic hash algorithm to check the integrity of the evidence using the MD5 hash value.


MD5 hash value


MD5 was designed by Ronald Rivest as an improvement on the MD4 algorithm. The MD5 message digest algorithm was intended for digital signature applications where large files need to be compressed before encryption. MD5 hash values are used as checksums to check message integrity and to detect unintentional data corruption by comparing hash values. MD5 is also used for non-cryptographic purposes, such as finding the partition for a particular key.


Characteristics of MD5 hash algorithm


  • It is also known as a one-way hash function.
  • It accepts an arbitrary message and generates a fixed-length message digest.
  • It is an extension of the MD4 algorithm.

The MD5 forensic hash algorithm is commonly used for two functions: data integrity checks and validation of emails.

Data Integrity check: MD5 forensic hash values help investigators verify that the data or the evidence they collected has not been altered by anyone. Comparing MD5 hash digests helps to find changes that occurred in the original data and to check for misplaced bytes during the transfer of important files.

Validation of Emails: Another important application of MD5 is verifying that the correct email data was received on the receiver side. For this, the sender generates an MD5 message digest using the private key and sends it to the receiver. On the receiver side, the user verifies the data by regenerating the digest using the public key and comparing it with the received hash value.


MD5 Forensics Hash Analysis with Forensics Software


The MD5 forensic hash algorithm helps investigators compare and verify the integrity of digital evidence during a cybercrime investigation. The built-in feature of the computer forensics tool automatically calculates the MD5 forensic hash values. This makes the analysis process easier and saves processing time. This section will help you understand how forensic hash analysis can be performed with the help of the forensic tool.

Step 1: Add Evidence


Through the Add Evidence option of the forensic hash analysis tool, the user can easily add email data. It allows evidence to be added through various file formats: either browse to the file in the software or directly access the email accounts to add the data.

Add Evidence


Step 2: MD5 Hash Option


From the Scan Setting option of the tool, the user can select the MD5 option to access the forensic hash value. This option allows the MD5 value to be enabled or disabled according to the needs of the investigation.


MD5 Hash Option


Step 3: MD5 Hash Value


If you enable the MD5 option in the scan settings, the tool will give you the MD5 digest value of each email.

MD5 Hash Value


Step 4: Search by MD5 Value


Enabling the MD5 forensic hash algorithm lets you directly search or filter email messages by their MD5 hash digest.

Search by MD5 Value


Step 5: Preview the Evidence with MD5 Value


The tool also allows you to perform MD5 forensic hash analysis through the preview option. That is, the Properties view of the software allows investigators to examine the evidence and perform forensic hash analysis using the MD5 hash digest.


Evidence with MD5



SHA256 Forensics Hash Algorithms


SHA256 (Secure Hash Algorithm 256) is a hash algorithm with a digest length of 256 bits. SHA256 is a member of the SHA-2 family, a set of cryptographic hash functions designed by the United States National Security Agency (NSA). SHA256 is a novel hash function computed with 32 and 64 bit data, which uses the Merkle–Damgård structure to generate the message digest.


SHA256 Forensics Hash Algorithms


SHA256 forensic hash values are commonly used for authentication, verifying transactions and calculating proof of work. In digital forensic investigation, the SHA256 hash digest is used to verify the integrity of the evidence data, that is, to ensure that the collected digital evidence is original and has not been modified.


SHA256 Forensics Hash Analysis with Forensics Software



Step 1: Add Evidence

Click on the Add Evidence option to insert the evidence file into the email forensics tool. It allows evidence to be added through different file formats or by directly accessing the email accounts.

Add Evidence File


Step 2: SHA256 Option


Through the settings, the user can enable or disable the SHA256 forensic hash algorithm option. Enabling the SHA256 option will automatically calculate the message digest value of each email.


SHA256 Option


Step 3: SHA256 Forensics Hash Analysis


To examine the calculated SHA256 hash value, the user needs to open the email data. The corresponding hash value can be accessed through the Properties view of the evidence data.

SHA256 Hash Analysis