Segmented hashing is a concept introduced by Atola Technology into forensic imaging in November of 2016. Segmented hashing allows hashing damaged drives and ensure that the image can be verified even if the data gets corrupt later in the case’s life cycle.
With regular hashing, you get a single hash value for the entire image.
Segmented hashing can be used during multipass imaging of damaged drives. This method produces a multitude of hash values for individual LBA ranges of the evidence drive and the image. And the sum of these LBA ranges represents the entire image. Even if your evidence drive is damaged, or if the data in the image gets corrupt over time, you can prove that the entire image has not been tampered with by verifying all hashes in a set.
Segmented hashing produces a CSV file in this format:
Hash,start LBA,end LBA
Segment size can be selected from a range of options (from 4 to 32 GB). A new segment begins with the first sector following either the previous segment or a bad sector.
With the conventional hashing method, it is impossible to calculate hash for the entire space of the source evidence drive, as the linear hashing will stop upon encountering the first bad sector. Therefore no proper hash calculation is possible during the imaging of damaged evidence drives.
With segmented hashing, hashing can be performed during the multipass imaging of a damaged drive. Hashes are calculated only for the successfully imaged areas, while all bad sectors are excluded from the calculation.
Even if your evidence drive is in good condition at the time of imaging, the segmented hashes may provide for better resiliency against image data corruption.
If your acquired image is damaged at a later time, you will get a hash mismatch when verifying the regular hashes. As a result, the entire image becomes useless. But with segmented hashing, only the hash value for the damaged segment of the drive becomes invalid.
The only potential downside of segmented hashing is the lack of its support in third-party tools. To make verification of segmented hashes easy, we have developed and released a free open-source tool for the validation of segmented hashes: seghash on GitHub.
In the imaging settings, select segmented hashing method and make sure to enable post-hash of the target. This way you receive both sets of hashes for both the evidence drive and image.
TaskForce's highly optimized imaging and hashing algorithms ensure that hashing during imaging does not slow down the session:
After imaging is completed, post-hashing will commence.
Here are imaging results with the link to the file with segmented hashes. With the post-hashing of the target is enabled, you also receive the results of cross-checking between the hash sets of the evidence drive and the image.