sop-hash-generation-methods.md

type	sop
title	Hash Generation Methods for Evidence Integrity
description	Forensic hashing guide: SHA-256, SHA-3, BLAKE2/3, MD5/SHA-1 deprecation, file integrity verification, chain of custody & cryptographic hashing for digital evidence preservation.
tags	sop hashing forensics integrity evidence chain-of-custody cryptography
updated	2026-04-26
template_version	2026-04-26

Hash Generation Methods for Evidence Integrity

Table of Contents

1. Command Line Tools (Primary Methods)
2. Forensic Tools (Professional Methods)
3. Third-Party Tools
4. Hash Algorithm Selection
5. Evidence Collection Workflow
6. Advanced Use Cases
7. Troubleshooting & Common Issues
8. Chain of Custody Best Practices
9. Integration with Forensic Tools
10. Tools Reference
11. Reference Resources

---

Overview

Purpose: Hash values provide cryptographic fingerprints of digital evidence, ensuring integrity, authenticity, and non-repudiation throughout the investigation lifecycle. Any modification to the file will result in a completely different hash value, making tampering immediately detectable.

Use Cases:

• Evidence acquisition and chain of custody verification
• Malware sample identification and deduplication
• File integrity monitoring in incident response
• Data transfer verification (network/physical media)
• Court admissibility of digital evidence (Daubert/Frye standards)

---

1. Command Line Tools (Primary Methods)

Windows - CertUtil

Basic hashing:

# SHA-256 (Recommended for forensics)
certutil -hashfile "evidence.bin" SHA256

# Output:
# SHA256 hash of evidence.bin:
# a1b2c3d4e5f6789012345678901234567890123456789012345678901234567890
# CertUtil: -hashfile command completed successfully.

# Multiple algorithms at once (batch script)
@echo off
echo Hashing: %1
certutil -hashfile "%1" MD5 | findstr /v "hash CertUtil"
certutil -hashfile "%1" SHA1 | findstr /v "hash CertUtil"
certutil -hashfile "%1" SHA256 | findstr /v "hash CertUtil"
certutil -hashfile "%1" SHA512 | findstr /v "hash CertUtil"

# Save to file with timestamp
certutil -hashfile "evidence.bin" SHA256 > "%DATE:/=-%_%TIME::=-%_evidence_hash.txt"

Batch processing multiple files:

# Hash all files in directory
for %f in (C:\Evidence\*) do @certutil -hashfile "%f" SHA256 | findstr /v "hash CertUtil" >> evidence_hashes.txt

# With filenames
for %f in (C:\Evidence\*) do @echo %f && certutil -hashfile "%f" SHA256 | findstr /v "hash CertUtil"

Windows - PowerShell

Single file hashing:

# SHA-256 with clean output
Get-FileHash -Path "evidence.bin" -Algorithm SHA256 | Format-List

# Output:
# Algorithm : SHA256
# Hash      : A1B2C3D4E5F6789012345678901234567890123456789012345678901234567890
# Path      : C:\Evidence\evidence.bin

# Just the hash value
(Get-FileHash -Path "evidence.bin" -Algorithm SHA256).Hash

# Multiple algorithms
@('MD5', 'SHA1', 'SHA256', 'SHA512') | ForEach-Object {
    $hash = Get-FileHash -Path "evidence.bin" -Algorithm $_
    Write-Output "$($_): $($hash.Hash)"
}

Batch processing and export:

# Hash all files in directory tree
Get-ChildItem -Path "C:\Evidence" -Recurse -File |
    Get-FileHash -Algorithm SHA256 |
    Select-Object Algorithm, Hash, Path |
    Export-Csv -Path "evidence_hashes.csv" -NoTypeInformation

# Generate verification report
Get-ChildItem -Path "C:\Evidence" -Recurse -File | ForEach-Object {
    $hash = Get-FileHash -Path $_.FullName -Algorithm SHA256
    [PSCustomObject]@{
        Timestamp = Get-Date -Format "yyyy-MM-dd HH:mm:ss"
        Filename = $_.Name
        Path = $_.FullName
        Size = $_.Length
        Created = $_.CreationTime
        Modified = $_.LastWriteTime
        SHA256 = $hash.Hash
        Analyst = $env:USERNAME
    }
} | Export-Csv -Path "evidence_manifest.csv" -NoTypeInformation

# Compare hash against known value
$knownHash = "a1b2c3d4e5f6789012345678901234567890123456789012345678901234567890"
$currentHash = (Get-FileHash -Path "evidence.bin" -Algorithm SHA256).Hash
if ($currentHash -eq $knownHash) {
    Write-Host "✓ VERIFIED: Hash matches" -ForegroundColor Green
} else {
    Write-Host "✗ MISMATCH: File integrity compromised!" -ForegroundColor Red
}

Linux/macOS - Command Line

Basic hashing:

# SHA-256 (Recommended)
sha256sum evidence.bin
# Output: a1b2c3d4e5f6... evidence.bin

# MD5
md5sum evidence.bin

# SHA-1
sha1sum evidence.bin

# SHA-512
sha512sum evidence.bin

# Multiple algorithms
echo "MD5:    $(md5sum evidence.bin | awk '{print $1}')"
echo "SHA1:   $(sha1sum evidence.bin | awk '{print $1}')"
echo "SHA256: $(sha256sum evidence.bin | awk '{print $1}')"

Batch processing:

# Hash all files in directory
find /evidence -type f -exec sha256sum {} \; > evidence_hashes.txt

# With formatted output (stat syntax differs: BSD/macOS uses -f, GNU/Linux uses -c)
find /evidence -type f -print0 | while IFS= read -r -d '' file; do
    echo "File: $file"
    echo "SHA256: $(sha256sum "$file" | awk '{print $1}')"
    echo "Size: $(stat -c%s "$file" 2>/dev/null || stat -f%z "$file") bytes"
    echo "Modified: $(stat -c%y "$file" 2>/dev/null || stat -f%Sm "$file")"
    echo "---"
done > evidence_manifest.txt

# Create checksums file for verification
sha256sum /evidence/* > SHA256SUMS

# Verify integrity later
sha256sum -c SHA256SUMS
# Output:
# evidence1.bin: OK
# evidence2.bin: OK
# evidence3.bin: FAILED

Advanced verification workflow:

#!/bin/bash
# evidence_hash.sh - Comprehensive evidence hashing script

EVIDENCE_DIR="/evidence"
OUTPUT_FILE="evidence_manifest_$(date +%Y%m%d_%H%M%S).txt"
ANALYST=$(whoami)

echo "Evidence Hash Manifest" > "$OUTPUT_FILE"
echo "Generated: $(date -u)" >> "$OUTPUT_FILE"
echo "Analyst: $ANALYST" >> "$OUTPUT_FILE"
echo "========================================" >> "$OUTPUT_FILE"
echo "" >> "$OUTPUT_FILE"

find "$EVIDENCE_DIR" -type f | while read -r file; do
    echo "File: $file" >> "$OUTPUT_FILE"
    echo "Size: $(stat -f%z "$file" 2>/dev/null || stat -c%s "$file") bytes" >> "$OUTPUT_FILE"
    echo "Modified: $(stat -f%Sm "$file" 2>/dev/null || stat -c%y "$file")" >> "$OUTPUT_FILE"
    echo "MD5:    $(md5sum "$file" | awk '{print $1}')" >> "$OUTPUT_FILE"
    echo "SHA256: $(sha256sum "$file" | awk '{print $1}')" >> "$OUTPUT_FILE"
    echo "---" >> "$OUTPUT_FILE"
done

# Sign the manifest
sha256sum "$OUTPUT_FILE"

macOS - Specific Commands

# macOS uses different stat syntax
md5 evidence.bin
shasum -a 256 evidence.bin
shasum -a 512 evidence.bin

# Or use coreutils versions (if installed via Homebrew)
brew install coreutils
gmd5sum evidence.bin
gsha256sum evidence.bin

---

2. Forensic Tools (Professional Methods)

FTK Imager

1. Open FTK Imager
2. File → Add Evidence Item → Select file/folder
3. Right-click evidence item → Verify Drive/Image
4. Tool automatically calculates MD5 and SHA1
5. Results displayed in Verify Results window
6. Export verification log: File → Export Verification Results

Command line (FTK Imager CLI):

# Windows
ftkimager.exe --verify "E:\evidence.dd"

# Generate hash report
ftkimager.exe --list-drives > drives.txt
ftkimager.exe "\\.\PhysicalDrive1" "E:\image.dd" --verify --sha256

md5deep / hashdeep

# Install (Linux)
sudo apt install md5deep

# Calculate SHA-256 recursively
hashdeep -r -c sha256 /evidence > evidence_hashes.txt

# Audit mode (verify against known hashes)
hashdeep -r -c sha256 -a -k evidence_hashes.txt /evidence

# Multiple algorithms
hashdeep -r -c md5,sha1,sha256 /evidence > multi_hash.txt

# Match known malware hashes
hashdeep -M /path/to/malware_hashes.txt -r /suspect_files

Autopsy / Sleuth Kit

# Calculate hash using Sleuth Kit
img_stat -h evidence.dd

# Or md5sum equivalent
md5sum evidence.dd

# For disk images, use specialized tools
ewfverify image.E01  # Verify EnCase/EWF images

---

3. Third-Party Tools

HashTab (Windows - GUI)

1. Download: https://hashtab.io/
2. Right-click any file → Properties
3. "File Hashes" tab appears
4. Select algorithms: MD5, SHA-1, SHA-256
5. Compare hash against known value
6. Copy hash to clipboard

HashMyFiles (Windows - Portable)

1. Download from NirSoft: https://www.nirsoft.net/utils/hash_my_files.html
2. Drag-and-drop files/folders
3. Select hash algorithms (MD5/SHA1/SHA256/CRC32)
4. File → Save Selected Items (Ctrl+S)
5. Export to CSV/TXT/HTML for documentation

GtkHash (Linux - GUI)

# Install
sudo apt install gtkhash

# Launch
gtkhash

# Or command line
gtkhash-cli -a md5,sha1,sha256 evidence.bin

RapidCRC Unicode (Windows)

1. Download: https://www.rapidcrc.net/
2. Drag files to RapidCRC window
3. Right-click → Create SFV/MD5 file
4. Saves .sfv or .md5 checksum file
5. Later: Drag .sfv file to verify integrity

---

4. Hash Algorithm Selection

Algorithm Comparison

Algorithm	Output Length	Standard	Security Status	Speed	Use Case
MD5	128-bit (32 hex)	RFC 1321 (1992)	❌ Broken — practical collisions (Wang et al. 2004)	Fast	Legacy compatibility / known-bad hash sets only
SHA-1	160-bit (40 hex)	RFC 3174 / FIPS 180-4	❌ Broken — SHAttered collision (2017); NIST formally retired Dec 2022, full withdrawal by Dec 2030 [verify 2026-04-26]	Fast	Legacy systems, NSRL/VirusTotal lookups
SHA-256	256-bit (64 hex)	NIST FIPS 180-4 / RFC 6234	✅ Secure (~2^128 collision resistance via birthday bound)	Medium	Recommended primary for forensics
SHA-512	512-bit (128 hex)	NIST FIPS 180-4 / RFC 6234	✅ Secure; faster than SHA-256 on 64-bit hardware	Medium-Fast	High-assurance / long-term archival
SHA-3 (SHA3-256/384/512)	256/384/512-bit	NIST FIPS 202 (2015)	✅ Secure (Keccak sponge — different construction from SHA-2)	Medium	Redundancy when paired with SHA-2; future-proofing
SHAKE128 / SHAKE256	Variable (XOF)	NIST FIPS 202	✅ Secure	Medium	Variable-length output (e.g., SLH-DSA signature internals)
BLAKE2 (b2sum)	256/512-bit	RFC 7693	✅ Secure; faster than SHA-256 in software	Fast	Performance-sensitive integrity (used in Argon2, WireGuard)
BLAKE3 (b3sum)	256-bit (extensible)	No NIST FIPS [inferred — not court-grade as primary]	✅ Secure; parallelizable, ~5–10× faster than SHA-256 on multi-core	Very Fast	Performance-critical integrity; pair with SHA-256, do not use as sole primary
CRC32	32-bit	ISO/IEC 13239 / Ethernet	❌ Not cryptographic	Very Fast	Error detection only — never for evidence

Current Best Practices

Primary standard:

SHA-256 — Recommended for all new evidence (NIST FIPS 180-4 baseline)

Why SHA-256:

• NIST approved (FIPS 180-4); also specified in RFC 6234.
• No known practical pre-image or collision attacks.
• Widely supported across forensic tools and OS-native utilities.
• Court admissible under Daubert/Frye [inferred — admissibility ultimately depends on jurisdiction and expert qualification, not algorithm choice alone].
• 256-bit output → birthday-bound collision resistance ≈ 2^128 operations (preimage ≈ 2^256). Adequate against foreseeable classical attacks.

When to use SHA-512:

• Long-term archival (slower hash deprecation cycle).
• 64-bit hosts where SHA-512 throughput exceeds SHA-256.
• Compliance regimes that mandate ≥384-bit hash output (e.g., CNSA 2.0 / CMMC / FedRAMP High [verify 2026-04-26 — exact CNSA 2.0 hash mandate]).

When SHA-3 (FIPS 202) is appropriate:

• Defensive redundancy against an unforeseen SHA-2 weakness — pair SHA-256 + SHA3-256 on critical evidence.
• Output-length flexibility via SHAKE128/256 (rare in forensics; common in PQ signature internals such as SLH-DSA).

When MD5 is acceptable:

• ⚠️ ONLY for deduplication in controlled environments.
• ⚠️ ONLY when comparing against legacy databases (NSRL legacy MD5 sets, VirusTotal MD5 search).
• ⚠️ NEVER as sole integrity verification in court.
• ⚠️ ALWAYS pair with SHA-256 when recorded.

SHA-1 status (2022 retirement):

• NIST announced SHA-1 retirement on 2022-12-15; full withdrawal target 2030-12-31 [verify 2026-04-26 — see NIST IR 8413 / FIPS 180-4 update notice].
• Acceptable only for backward-compatibility lookups (NSRL legacy, git commit IDs, VirusTotal). Pair with SHA-256.
• See SHAttered (2017) for the practical collision proof.

HMAC and Keyed Hashing

For tamper-evident logs where the verifier holds a secret key, use HMAC-SHA256 (NIST FIPS 198-1) rather than a bare hash:

# Linux/macOS
openssl dgst -sha256 -hmac "$SECRET_KEY" evidence.bin

# Windows (PowerShell)
$hmac = [System.Security.Cryptography.HMACSHA256]::new([Text.Encoding]::UTF8.GetBytes($env:SECRET_KEY))
[BitConverter]::ToString($hmac.ComputeHash([IO.File]::ReadAllBytes("evidence.bin"))).Replace("-","").ToLower()

HMAC is not a substitute for evidence hashing (chain-of-custody hashes must be reproducible by anyone holding the artefact); it is for log/manifest authenticity where unauthorized modification by an attacker who reads the log must be detectable. See NIST SP 800-107 Rev. 1 for guidance on approved hash applications.

Quantum-era considerations

• Grover's algorithm halves effective hash bit-strength against a quantum adversary: SHA-256 retains ≈ 2^128 preimage security, still adequate.
• No PQ migration urgency for hashing (unlike signatures: NIST FIPS 203 ML-KEM, FIPS 204 ML-DSA, FIPS 205 SLH-DSA, all finalized 2024-08). The hash function inside SLH-DSA is SHA-256 / SHAKE256 — confirms forensic continuity for evidence hashing into the PQ era.

Out-of-scope hashing families (this SOP is cryptographic-only)

• Fuzzy / similarity hashing (ssdeep / sdhash / TLSH / mrsh-v2) — used to group similar binaries, not to verify exact integrity. Belongs in [[sop-malware-analysis|Malware Analysis]] (sample clustering).
• Perceptual hashing (pHash / dHash / aHash / PhotoDNA) — used for image/video similarity (CSAM detection, deduplication). Belongs in [[../../Investigations/Techniques/sop-image-video-osint|Image & Video OSINT]]. PhotoDNA is operator-access only.
• Password KDFs (Argon2id, scrypt, bcrypt, PBKDF2) — out of scope for evidence integrity; see [[sop-cryptography-analysis|Cryptography Analysis]].

Collision Attack Examples

MD5 collision (2004):

# Two different files with identical MD5 hash
File1: "Hello World\n" + malicious_code
File2: "Hello World\n" + benign_code
MD5(File1) == MD5(File2)  # Same hash, different content!

SHA-1 collision (SHAttered, 2017):

# Two different PDF files with same SHA-1
https://shattered.io/
# Proof that SHA-1 is no longer secure

---

5. Evidence Collection Workflow

Step-by-Step Process

1. Immediate Acquisition (T+0 minutes)

# Windows - Calculate hash immediately after copying evidence
Copy-Item -Path "\\suspect-pc\C$\evidence.bin" -Destination "E:\CASE-001\evidence.bin"
$hash = Get-FileHash -Path "E:\CASE-001\evidence.bin" -Algorithm SHA256
$hash.Hash | Out-File "E:\CASE-001\evidence_SHA256.txt"
Write-Host "SHA256: $($hash.Hash)"

# Linux - Calculate hash during copy with tee
dd if=/dev/sdb of=/evidence/disk.dd bs=512 conv=noerror,sync | tee >(sha256sum > /evidence/disk_SHA256.txt)

# Or after copy
sha256sum /evidence/disk.dd | tee /evidence/disk_SHA256.txt

2. Chain of Custody Documentation (T+5 minutes)

# Evidence Log - CASE-2025-1005-001

## Acquisition
- **Date/Time:** 2025-10-05 14:30:00 UTC
- **Source:** Laptop (HOSTNAME: SUSPECT-PC)
- **Path:** C:\Users\suspect\Documents\evidence.bin
- **Acquired By:** Analyst Name
- **Method:** Physical copy via USB write-blocker

## Hash Values (Acquisition)
- **SHA-256:** a1b2c3d4e5f6789012345678901234567890123456789012345678901234567890
- **SHA-1:**   1234567890abcdef1234567890abcdef12345678
- **MD5:**     12345678901234567890123456789012
- **Algorithm:** SHA-256 (primary)
- **Tool:** Get-FileHash (PowerShell 5.1)

## Verification Log
| Date | Time (UTC) | Result | Hash Match | Analyst |
|------|------------|--------|------------|---------|
| 2025-10-05 | 14:30 | ✓ VERIFIED | SHA-256 match | analyst1 |
| 2025-10-06 | 09:00 | ✓ VERIFIED | SHA-256 match | analyst2 |
| 2025-10-07 | 11:15 | ✗ MISMATCH | SHA-256 FAIL | analyst1 |

## Notes
- 2025-10-07 mismatch: File was re-acquired from backup. New hash documented below.

3. Periodic Re-Verification (Daily/Before Analysis)

# Automated verification script
$evidencePath = "E:\CASE-001\evidence.bin"
$knownHashFile = "E:\CASE-001\evidence_SHA256.txt"
$knownHash = (Get-Content $knownHashFile).Trim()
$currentHash = (Get-FileHash -Path $evidencePath -Algorithm SHA256).Hash

$result = @{
    Timestamp = Get-Date -Format "yyyy-MM-dd HH:mm:ss UTC"
    Analyst = $env:USERNAME
    FilePath = $evidencePath
    KnownHash = $knownHash
    CurrentHash = $currentHash
    Match = ($currentHash -eq $knownHash)
}

if ($result.Match) {
    Write-Host "✓ VERIFIED: Evidence integrity maintained" -ForegroundColor Green
    Add-Content -Path "E:\CASE-001\verification_log.txt" -Value "$($result.Timestamp) - VERIFIED by $($result.Analyst)"
} else {
    Write-Host "✗ CRITICAL: Evidence integrity compromised!" -ForegroundColor Red
    Write-Host "Expected: $knownHash"
    Write-Host "Got:      $currentHash"
    Add-Content -Path "E:\CASE-001\verification_log.txt" -Value "$($result.Timestamp) - MISMATCH detected by $($result.Analyst) - INVESTIGATION REQUIRED"
}

4. Transfer Verification

# Sender side (create manifest)
sha256sum evidence.bin > evidence_SHA256.txt
tar -czf evidence_package.tar.gz evidence.bin evidence_SHA256.txt

# Receiver side (verify after transfer)
tar -xzf evidence_package.tar.gz
sha256sum -c evidence_SHA256.txt
# Output: evidence.bin: OK

---

6. Advanced Use Cases

Malware Sample Deduplication

# Build malware sample database
find /malware_samples -type f -exec sha256sum {} \; | sort > malware_hashes.txt

# Check if new sample is already in database
NEW_HASH=$(sha256sum new_sample.exe | awk '{print $1}')
if grep -q "$NEW_HASH" malware_hashes.txt; then
    echo "Duplicate sample - already analyzed"
else
    echo "New sample - requires analysis"
    echo "$NEW_HASH new_sample.exe" >> malware_hashes.txt
fi

Disk Image Verification

# Create disk image with verification
dc3dd if=/dev/sdb of=evidence.dd hash=sha256 hash=md5 hashlog=evidence_hashes.txt

# Verify disk image later
dc3dd if=evidence.dd hash=sha256 hashlog=verification.txt
diff evidence_hashes.txt verification.txt

Network Transfer Integrity

# Sender: Calculate hash before upload
sha256sum evidence.bin > evidence.sha256
rsync -avz evidence.bin evidence.sha256 analyst@server:/evidence/

# Receiver: Verify after download
cd /evidence
sha256sum -c evidence.sha256

Large File Streaming Hash

# Hash file while reading (doesn't load entire file into memory)
sha256sum large_image.dd
# Works for files larger than available RAM

# Or with progress bar (requires pv)
pv large_image.dd | sha256sum

---

7. Troubleshooting & Common Issues

Hash Mismatch Scenarios

1. Line Ending Differences (Text Files)

# Windows (CRLF) vs Linux (LF) line endings cause different hashes
# On Windows:
certutil -hashfile document.txt SHA256
# Result: a1b2c3d4...

# Same file on Linux:
sha256sum document.txt
# Result: b2c3d4e5... (DIFFERENT!)

# Solution: Use binary comparison or normalize line endings
dos2unix document.txt  # Convert to Unix
unix2dos document.txt  # Convert to Windows

2. Filesystem Metadata vs Content

# Some tools hash metadata + content, others hash content only
# File hash will differ if metadata is included

# Content-only hash (most common)
sha256sum file.bin

# Metadata + content hash
# Use specialized tools like md5deep with -l flag

3. File Locking

# Windows: File in use by another process
Get-FileHash evidence.bin
# Error: The process cannot access the file because it is being used by another process

# Solution: Use handle.exe to find locking process
handle.exe evidence.bin
# Or reboot into forensic boot environment

4. Symbolic Links

# Hash follows symlink (hashes target file)
sha256sum /path/to/symlink  # Hashes target

# Hash the symlink itself
sha256sum -L /path/to/symlink  # Some versions support -L flag

# Best practice: Resolve symlinks first
readlink -f /path/to/symlink
sha256sum /actual/target/path

Performance Optimization

Parallel hashing (multiple files):

# GNU parallel (fastest for many files)
find /evidence -type f | parallel -j 8 sha256sum {} > all_hashes.txt

# Or xargs
find /evidence -type f | xargs -P 8 -I {} sha256sum {}

Large file optimization:

# Use buffered I/O for large files
dd if=large_image.dd bs=1M | sha256sum

# Or specialized tools
sha256deep -r /evidence  # Optimized for forensics

---

8. Chain of Custody Best Practices

Documentation Template

# Evidence Hash Verification Form

**Case Number:** CASE-2025-1005-001
**Evidence ID:** EV-001
**Description:** Laptop hard drive image

## Initial Hash (Acquisition)
- **Date/Time:** 2025-10-05 14:30:00 UTC
- **Calculated By:** John Doe (Analyst ID: A123)
- **Algorithm:** SHA-256
- **Hash Value:** a1b2c3d4e5f6789012345678901234567890123456789012345678901234567890
- **Tool:** FTK Imager 4.7.1.2
- **Signature:** [Digital signature or initials]

## Verification Record

### Verification 1
- **Date/Time:** 2025-10-06 09:00:00 UTC
- **Verified By:** Jane Smith (Analyst ID: A456)
- **Result:** ✓ MATCH
- **Signature:** [Digital signature or initials]

### Verification 2
- **Date/Time:** 2025-10-07 11:15:00 UTC
- **Verified By:** John Doe (Analyst ID: A123)
- **Result:** ✗ MISMATCH
- **Action Taken:** Evidence re-acquired from backup. New hash documented.
- **Incident Report:** INC-2025-1007-001
- **Signature:** [Digital signature or initials]

## Transfer Log
| Date | From | To | Method | Hash Verified | Signature |
|------|------|-----|--------|---------------|-----------|
| 2025-10-05 | Crime Scene | Lab | USB 3.0 | ✓ | JD |
| 2025-10-06 | Lab | Storage | Network | ✓ | JS |

Automated Logging Script

# evidence_tracker.ps1
param(
    [string]$EvidencePath,
    [string]$CaseNumber
)

$logPath = "E:\Cases\$CaseNumber\hash_verification_log.csv"

# Calculate current hash
$hash = Get-FileHash -Path $EvidencePath -Algorithm SHA256

# Log entry
$entry = [PSCustomObject]@{
    Timestamp = Get-Date -Format "yyyy-MM-dd HH:mm:ss UTC"
    CaseNumber = $CaseNumber
    FilePath = $EvidencePath
    SHA256 = $hash.Hash
    Analyst = $env:USERNAME
    Computername = $env:COMPUTERNAME
}

# Append to log
$entry | Export-Csv -Path $logPath -Append -NoTypeInformation

Write-Host "Hash logged: $($hash.Hash)"

---

9. Integration with Forensic Tools

Autopsy / Sleuth Kit Integration

# Calculate hash during Autopsy ingest
# Autopsy automatically calculates MD5 for all files

# Query Autopsy database for file hashes
sqlite3 autopsy.db "SELECT name, md5 FROM tsk_files WHERE md5 IS NOT NULL;"

# Export hash list
sqlite3 -csv autopsy.db "SELECT md5, name FROM tsk_files;" > autopsy_hashes.csv

EnCase / FTK Integration

# EnCase automatically calculates MD5 and SHA-1 during evidence processing
# Access via Evidence > File Properties > Hash

# Export hash report:
# EnCase: View > Hash Analysis > Export
# FTK: File > Export > Hash List

Volatility (Memory Forensics)

# Hash memory dump
sha256sum memory.dmp > memory_SHA256.txt

# Volatility automatically verifies integrity if hash stored in profile
vol.py -f memory.dmp --profile=Win10x64 pslist

---

10. Tools Reference

Tool	Platform	Type	Use Case	Link
certutil	Windows	Built-in	Quick hashing	Built-in
Get-FileHash	Windows	Built-in	PowerShell automation	Built-in
sha256sum	Linux/Mac	Built-in	Command-line hashing	Built-in
md5deep/hashdeep	Cross-platform	CLI	Recursive hashing, audit	GitHub
HashTab	Windows	GUI	Right-click integration	hashtab.io
HashMyFiles	Windows	GUI	Batch processing	NirSoft
FTK Imager	Windows	GUI/CLI	Forensic imaging + hash	Exterro
GtkHash	Linux	GUI	GTK-based hashing	gtkhash
RapidCRC	Windows	GUI	SFV/MD5 checksum files	rapidcrc.net

---

Best Practice Summary:

• ✅ Use SHA-256 (NIST FIPS 180-4) as the primary hash for all new evidence.
• ✅ Calculate hash immediately upon acquisition; record before any other operation.
• ✅ Verify hash before and after every transfer or movement (hash-on-acquisition / hash-after-transport).
• ✅ Log all verifications in chain of custody with analyst, timestamp (UTC), and tool version.
• ✅ For critical evidence, pair algorithms with different constructions (SHA-256 + SHA3-256, or SHA-256 + BLAKE2/3) so a single-family weakness does not invalidate both.
• ✅ Sign manifests (GPG-detached or age) and consider RFC 3161 / OpenTimestamps anchoring for non-repudiation.
• ❌ Never rely on MD5 or SHA-1 alone for court evidence.
• ❌ Never use BLAKE3 as the sole forensic primary (no NIST FIPS standardization yet) [inferred].
• ❌ Never skip hash verification before analysis.

---

11. Reference Resources

Hash Algorithm Standards & Documentation

• NIST FIPS 180-4 — nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.180-4.pdf
  • Official SHA-1 / SHA-2 family specification (SHA-1, SHA-224, SHA-256, SHA-384, SHA-512, SHA-512/224, SHA-512/256).
• NIST FIPS 202 — nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.202.pdf
  • SHA-3 standard (Keccak): SHA3-224/256/384/512, SHAKE128, SHAKE256.
• NIST FIPS 198-1 — nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.198-1.pdf
  • HMAC (keyed-hash message authentication code).
• NIST SP 800-107 Rev. 1 — csrc.nist.gov/publications/detail/sp/800-107/rev-1/final
  • Recommendation for Applications Using Approved Hash Algorithms.
• NIST SHA-1 retirement notice — csrc.nist.gov/news/2022/nist-retires-sha-1-cryptographic-algorithm
  • 2022-12-15 announcement; full withdrawal target 2030-12-31 [verify 2026-04-26].
• NIST Hash Functions Portal — csrc.nist.gov/projects/hash-functions
  • Cryptographic hash function projects and research.
• RFC 1321 (MD5) — datatracker.ietf.org/doc/html/rfc1321
  • MD5 specification (1992, historical/broken).
• RFC 3174 (SHA-1) — datatracker.ietf.org/doc/html/rfc3174
  • US Secure Hash Algorithm 1 (2001).
• RFC 6234 (SHA-2 family + HMAC-SHA) — datatracker.ietf.org/doc/html/rfc6234
  • Reference implementation for SHA-224/256/384/512 and HMAC variants.
• RFC 7693 (BLAKE2) — datatracker.ietf.org/doc/html/rfc7693
  • BLAKE2b / BLAKE2s / BLAKE2x cryptographic hash and MAC.
• BLAKE3 specification — github.com/BLAKE3-team/BLAKE3-specs
  • Whitepaper (2020); no NIST FIPS standardization [verify 2026-04-26].
• RFC 3161 (Time-Stamp Protocol) — datatracker.ietf.org/doc/html/rfc3161
  • PKI timestamping for non-repudiable hash anchoring.
• OpenTimestamps — opentimestamps.org
  • Bitcoin-anchored timestamping for hash manifests.

Digital Forensics Standards

• NIST SP 800-86 - csrc.nist.gov/publications/detail/sp/800-86/final
  • Guide to Integrating Forensic Techniques into Incident Response
• ISO/IEC 27037:2012 - iso.org
  • Guidelines for identification, collection, acquisition, and preservation of digital evidence
• Scientific Working Group on Digital Evidence (SWGDE) - swgde.org
  • Best practices for digital evidence handling
• National Institute of Justice (NIJ) - nij.ojp.gov/topics/forensics/digital-evidence
  • Digital evidence best practices

Hash Collision Research

• SHAttered Attack - shattered.io
  • First practical SHA-1 collision (2017)
  • Demonstrates why SHA-1 should be deprecated
• MD5 Collision Vulnerabilities - eprint.iacr.org/2004/199
  • Wang et al. MD5 collision research (2004)
• HashClash Project - github.com/cr-marcstevens/hashclash
  • MD5 and SHA-1 collision tools (academic research)

Forensic Hashing Tools

• md5deep/hashdeep - github.com/jessek/hashdeep
  • Recursive hash computation and audit
  • Cross-platform, forensically sound
• HashMyFiles (NirSoft) - nirsoft.net/utils/hash_my_files.html
  • Portable Windows hash calculator
• GtkHash - github.com/tristanheaven/gtkhash
  • Linux GTK-based hash calculator

Forensic Imaging Tools (with Hash Verification)

• FTK Imager — exterro.com/ftk-imager
  • Free forensic imaging tool with automatic hash verification.
  • Supports MD5, SHA-1, SHA-256.
• dc3dd — sourceforge.net/projects/dc3dd
  • Enhanced dd with hashing on-the-fly. Historically maintained by DoD Cyber Crime Center; upstream activity has slowed [verify 2026-04-26]. Modern preference is ewfacquire for E01 / dcfldd legacy / dc3dd for raw with on-the-fly hash.
• Guymager — guymager.sourceforge.io
  • Linux forensic imager with MD5/SHA verification.
• ewfacquire (libewf) — github.com/libyal/libewf
  • Expert Witness Format (E01/Ex01) imaging with embedded SHA-256 hash verification.

Online Hash Lookup Services

• VirusTotal - virustotal.com
  • Malware hash lookup (MD5, SHA1, SHA256)
  • Submit samples or search by hash
• NSRL (National Software Reference Library) - nsrl.nist.gov
  • Reference hash database of known software
  • Filter out known-good files from forensic analysis
• MalwareBazaar - bazaar.abuse.ch
  • Malware sample hash database
  • Community-driven malware intelligence
• ThreatFox - threatfox.abuse.ch
  • IOC database including file hashes

Training & Certification

• SANS FOR500: Windows Forensic Analysis - Hash verification techniques
• SANS FOR508: Advanced Incident Response - Evidence integrity practices
• EnCase Certified Examiner (EnCE) - Includes hash verification methodologies
• CHFI (Computer Hacking Forensic Investigator) - EC-Council certification covering evidence handling

Community & Forums

• Forensic Focus Forums - forensicfocus.com
  • Digital forensics community
• Reddit r/computerforensics - reddit.com/r/computerforensics
  • Forensic practitioners community

Automation Scripts & Tools

• PowerForensics - github.com/Invoke-IR/PowerForensics
  • PowerShell framework for forensic analysis
  • Includes hash verification modules
• Forensic Toolkit Scripts - Various GitHub repositories
  • Automated evidence hashing workflows
• Ansible Forensic Playbooks - Automated evidence collection with hash verification

---

Legal & Ethical Considerations

Hash generation is a methodology, not an authorization. The SOP focuses on technical correctness; jurisdictional rules, evidence handling authority, and disclosure obligations are governed elsewhere in the vault.

Authorized environments only. See [[sop-legal-ethics|Legal & Ethics]] for canonical jurisdictional framing (CFAA, CMA, EU evidence directives, GDPR Art. 6/9), and [[sop-collection-log|Collection Log]] for the chain-of-custody rules into which hash records are integrated.

Hashing-specific guardrails:

• Hash a copy, not the original. When acquiring from a live system, hash the working image, not the suspect medium directly (avoid altering MAC times). Use a write-blocker for physical evidence.
• Record tool + version. A SHA-256 value is reproducible only if the algorithm and reader are unambiguous. Record sha256sum --version, Get-FileHash -Algorithm SHA256 (PowerShell version), or certutil -? build alongside the hash.
• Two-analyst attestation. Critical evidence should be hashed by the acquiring analyst and re-hashed by an independent verifier; both hashes go into the chain of custody.
• Disclosure. Hash manifests are part of the evidence package. See [[../../Investigations/Techniques/sop-reporting-packaging-disclosure|Reporting, Packaging & Disclosure]].

---

Related SOPs

Methodology & governance:

• [[sop-legal-ethics|Legal & Ethics]] — canonical jurisdictional framing
• [[sop-opsec-plan|OPSEC Plan]] — handler/host hygiene during evidence handling
• [[../../Investigations/Techniques/sop-collection-log|Collection Log]] — chain-of-custody record into which hash values are integrated
• [[../../Investigations/Techniques/sop-reporting-packaging-disclosure|Reporting, Packaging & Disclosure]] — hash manifests in deliverable packages

Analysis:

• [[sop-malware-analysis|Malware Analysis]] — hash-based sample identification and deduplication
• [[sop-cryptography-analysis|Cryptography Analysis]] — algorithm security analysis (length-extension, collision, hashcat modes)
• [[sop-reverse-engineering|Reverse Engineering]] — file integrity during binary analysis
• [[sop-forensics-investigation|Forensics Investigation]] — evidence acquisition (basename link; file lives in Security/Analysis/)

Pentesting & Security:

• [[../Pentesting/sop-detection-evasion-testing|Detection Evasion Testing]] — hash-based malware detection bypass techniques

---

Version: 1.1 Last Updated: 2026-04-26 Review Frequency: Annual (slow-rot anchor SOP — algorithm-standards horizon is multi-year)