By Kevin J. Ripa
PI, GSEC, GCFE, GCFA, EnCE, BAI, CDRP, CEH
Mar 10, 2016

When creating forensic images in Target Disk Mode, you are using the dd program. Unfortunately, dd does not have built-in hash functionality, and we all know (or should know) how important hashing is to a forensic image. Immediately following the creation of the forensic image, you should hash it.

Although it is true that you can add the hash function to the command line as you are typing out the imaging instruction, I have never imaged anything at the command line with dd and the hash function where the hash matched after it was done. If anyone can explain why, please contact me through my website and let me know.

Below are different commands to hash your .dd file (or any other file, for that matter), once the acquisition is complete.

You first need to navigate to the directory where the file resides, or you will have to type the full path to the file in your command. Since this is not a command line tutorial, it is assumed you already know how to do this. If not, Google it.

If you want an MD5 hash, type the following:

md5 <yourfilename>

This will hash the file and, when done, the hash will appear in the terminal window. If you want to push the hash out to a file, type this:

md5 <yourfilename> > <yourfilename>.txt

Let’s do it with SHA1:

shasum <yourfilename>

If you want to push the hash out to a file, type this:

shasum <yourfilename> > <yourfilename>.txt

How about with SHA256?

shasum -a 256 <yourfilename>

If you want to push the hash out to a file, type this:

shasum -a 256 <yourfilename> > <yourfilename>.txt