Authors: Joe Sylve (BlackBag)



From the beginning of the discipline, the use of cryptographic hashing in various ways has been essential to guaranteeing data integrity and identifying evidence in Digital Forensics. While there have been numerous alternative methods of using cryptographic hashes developed throughout the years, the most pervasive means of hashing digital evidence is still the linear hash, where each and every bit of data is read and hashed in logical order. In fact, the term “hashing” in practice has nearly become synonymous with the linear hash. In this presentation I will review a number of alternative hashing methodologies and argue that in light of differences in modern evidence sources and data acquisition methods, that the linear hash may no longer always be the most appropriate choice. In addition, I will propose a set of standard identifiers that tools can use to distinguish which hashing methodologies have been used as well as a number of extensions to the AFF4 information model that, if adopted, will allow specifying alternative means of hashing in order to promote better interoperability and data integrity validation among tools.