Synced from an Obsidian vault

For graph and advanced features, download the full Intel Codex Vault and open it in Obsidian.

Hash Generation Methods for Evidence Integrity

Table of Contents

1. Command Line Tools (Primary Methods)
2. Forensic Tools (Professional Methods)
3. Third-Party Tools
4. Hash Algorithm Selection
5. Evidence Collection Workflow
6. Advanced Use Cases
7. Troubleshooting & Common Issues
8. Chain of Custody Best Practices
9. Integration with Forensic Tools
10. Tools Reference
11. Reference Resources

---

Overview

Purpose: Hash values provide cryptographic fingerprints of digital evidence, ensuring integrity, authenticity, and non-repudiation throughout the investigation lifecycle. Any modification to the file will result in a completely different hash value, making tampering immediately detectable.

Use Cases:

• Evidence acquisition and chain of custody verification
• Malware sample identification and deduplication
• File integrity monitoring in incident response
• Data transfer verification (network/physical media)
• Court admissibility of digital evidence (Daubert/Frye standards)

---

1. Command Line Tools (Primary Methods)

Windows - CertUtil

Basic hashing:

# SHA-256 (Recommended for forensics)
certutil -hashfile "evidence.bin" SHA256

# Output:
# SHA256 hash of evidence.bin:
# a1b2c3d4e5f6789012345678901234567890123456789012345678901234567890
# CertUtil: -hashfile command completed successfully.

# Multiple algorithms at once (batch script)
@echo off
echo Hashing: %1
certutil -hashfile "%1" MD5 | findstr /v "hash CertUtil"
certutil -hashfile "%1" SHA1 | findstr /v "hash CertUtil"
certutil -hashfile "%1" SHA256 | findstr /v "hash CertUtil"
certutil -hashfile "%1" SHA512 | findstr /v "hash CertUtil"

# Save to file with timestamp
certutil -hashfile "evidence.bin" SHA256 > "%DATE:/=-%_%TIME::=-%_evidence_hash.txt"

Batch processing multiple files:

# Hash all files in directory
for %f in (C:\Evidence\*) do @certutil -hashfile "%f" SHA256 | findstr /v "hash CertUtil" >> evidence_hashes.txt

# With filenames
for %f in (C:\Evidence\*) do @echo %f && certutil -hashfile "%f" SHA256 | findstr /v "hash CertUtil"

Windows - PowerShell

Single file hashing:

# SHA-256 with clean output
Get-FileHash -Path "evidence.bin" -Algorithm SHA256 | Format-List

# Output:
# Algorithm : SHA256
# Hash      : A1B2C3D4E5F6789012345678901234567890123456789012345678901234567890
# Path      : C:\Evidence\evidence.bin

# Just the hash value
(Get-FileHash -Path "evidence.bin" -Algorithm SHA256).Hash

# Multiple algorithms
@('MD5', 'SHA1', 'SHA256', 'SHA512') | ForEach-Object {
    $hash = Get-FileHash -Path "evidence.bin" -Algorithm $_
    Write-Output "$($_): $($hash.Hash)"
}

Batch processing and export:

# Hash all files in directory tree
Get-ChildItem -Path "C:\Evidence" -Recurse -File |
    Get-FileHash -Algorithm SHA256 |
    Select-Object Algorithm, Hash, Path |
    Export-Csv -Path "evidence_hashes.csv" -NoTypeInformation

# Generate verification report
Get-ChildItem -Path "C:\Evidence" -Recurse -File | ForEach-Object {
    $hash = Get-FileHash -Path $_.FullName -Algorithm SHA256
    [PSCustomObject]@{
        Timestamp = Get-Date -Format "yyyy-MM-dd HH:mm:ss"
        Filename = $_.Name
        Path = $_.FullName
        Size = $_.Length
        Created = $_.CreationTime
        Modified = $_.LastWriteTime
        SHA256 = $hash.Hash
        Analyst = $env:USERNAME
    }
} | Export-Csv -Path "evidence_manifest.csv" -NoTypeInformation

# Compare hash against known value
$knownHash = "a1b2c3d4e5f6789012345678901234567890123456789012345678901234567890"
$currentHash = (Get-FileHash -Path "evidence.bin" -Algorithm SHA256).Hash
if ($currentHash -eq $knownHash) {
    Write-Host "✓ VERIFIED: Hash matches" -ForegroundColor Green
} else {
    Write-Host "✗ MISMATCH: File integrity compromised!" -ForegroundColor Red
}

Linux/macOS - Command Line

Basic hashing:

# SHA-256 (Recommended)
sha256sum evidence.bin
# Output: a1b2c3d4e5f6... evidence.bin

# MD5
md5sum evidence.bin

# SHA-1
sha1sum evidence.bin

# SHA-512
sha512sum evidence.bin

# Multiple algorithms
echo "MD5:    $(md5sum evidence.bin | awk '{print $1}')"
echo "SHA1:   $(sha1sum evidence.bin | awk '{print $1}')"
echo "SHA256: $(sha256sum evidence.bin | awk '{print $1}')"

Batch processing:

# Hash all files in directory
find /evidence -type f -exec sha256sum {} \; > evidence_hashes.txt

# With formatted output (stat syntax differs: BSD/macOS uses -f, GNU/Linux uses -c)
find /evidence -type f -print0 | while IFS= read -r -d '' file; do
    echo "File: $file"
    echo "SHA256: $(sha256sum "$file" | awk '{print $1}')"
    echo "Size: $(stat -c%s "$file" 2>/dev/null || stat -f%z "$file") bytes"
    echo "Modified: $(stat -c%y "$file" 2>/dev/null || stat -f%Sm "$file")"
    echo "---"
done > evidence_manifest.txt

# Create checksums file for verification
sha256sum /evidence/* > SHA256SUMS

# Verify integrity later
sha256sum -c SHA256SUMS
# Output:
# evidence1.bin: OK
# evidence2.bin: OK
# evidence3.bin: FAILED

Advanced verification workflow:

#!/bin/bash
# evidence_hash.sh - Comprehensive evidence hashing script

EVIDENCE_DIR="/evidence"
OUTPUT_FILE="evidence_manifest_$(date +%Y%m%d_%H%M%S).txt"
ANALYST=$(whoami)

echo "Evidence Hash Manifest" > "$OUTPUT_FILE"
echo "Generated: $(date -u)" >> "$OUTPUT_FILE"
echo "Analyst: $ANALYST" >> "$OUTPUT_FILE"
echo "========================================" >> "$OUTPUT_FILE"
echo "" >> "$OUTPUT_FILE"

find "$EVIDENCE_DIR" -type f | while read -r file; do
    echo "File: $file" >> "$OUTPUT_FILE"
    echo "Size: $(stat -f%z "$file" 2>/dev/null || stat -c%s "$file") bytes" >> "$OUTPUT_FILE"
    echo "Modified: $(stat -f%Sm "$file" 2>/dev/null || stat -c%y "$file")" >> "$OUTPUT_FILE"
    echo "MD5:    $(md5sum "$file" | awk '{print $1}')" >> "$OUTPUT_FILE"
    echo "SHA256: $(sha256sum "$file" | awk '{print $1}')" >> "$OUTPUT_FILE"
    echo "---" >> "$OUTPUT_FILE"
done

# Sign the manifest
sha256sum "$OUTPUT_FILE"

macOS - Specific Commands

# macOS uses different stat syntax
md5 evidence.bin
shasum -a 256 evidence.bin
shasum -a 512 evidence.bin

# Or use coreutils versions (if installed via Homebrew)
brew install coreutils
gmd5sum evidence.bin
gsha256sum evidence.bin

---

2. Forensic Tools (Professional Methods)

FTK Imager

1. Open FTK Imager
2. File → Add Evidence Item → Select file/folder
3. Right-click evidence item → Verify Drive/Image
4. Tool automatically calculates MD5 and SHA1
5. Results displayed in Verify Results window
6. Export verification log: File → Export Verification Results

Command line (FTK Imager CLI):

# Windows
ftkimager.exe --verify "E:\evidence.dd"

# Generate hash report
ftkimager.exe --list-drives > drives.txt
ftkimager.exe "\\.\PhysicalDrive1" "E:\image.dd" --verify --sha256

md5deep / hashdeep

# Install (Linux)
sudo apt install md5deep

# Calculate SHA-256 recursively
hashdeep -r -c sha256 /evidence > evidence_hashes.txt

# Audit mode (verify against known hashes)
hashdeep -r -c sha256 -a -k evidence_hashes.txt /evidence

# Multiple algorithms
hashdeep -r -c md5,sha1,sha256 /evidence > multi_hash.txt

# Match known malware hashes
hashdeep -M /path/to/malware_hashes.txt -r /suspect_files

Autopsy / Sleuth Kit

# Calculate hash using Sleuth Kit
img_stat -h evidence.dd

# Or md5sum equivalent
md5sum evidence.dd

# For disk images, use specialized tools
ewfverify image.E01  # Verify EnCase/EWF images

---

3. Third-Party Tools

HashTab (Windows - GUI)

1. Download: https://hashtab.io/
2. Right-click any file → Properties
3. "File Hashes" tab appears
4. Select algorithms: MD5, SHA-1, SHA-256
5. Compare hash against known value
6. Copy hash to clipboard

HashMyFiles (Windows - Portable)

1. Download from NirSoft: https://www.nirsoft.net/utils/hash_my_files.html
2. Drag-and-drop files/folders
3. Select hash algorithms (MD5/SHA1/SHA256/CRC32)
4. File → Save Selected Items (Ctrl+S)
5. Export to CSV/TXT/HTML for documentation

GtkHash (Linux - GUI)

# Install
sudo apt install gtkhash

# Launch
gtkhash

# Or command line
gtkhash-cli -a md5,sha1,sha256 evidence.bin

RapidCRC Unicode (Windows)

1. Download: https://www.rapidcrc.net/
2. Drag files to RapidCRC window
3. Right-click → Create SFV/MD5 file
4. Saves .sfv or .md5 checksum file
5. Later: Drag .sfv file to verify integrity

---

4. Hash Algorithm Selection

Algorithm Comparison

Algorithm	Output Length	Standard	Security Status	Speed	Use Case
MD5	128-bit (32 hex)	RFC 1321 (1992)	❌ Broken — practical collisions (Wang et al. 2004)	Fast	Legacy compatibility / known-bad hash sets only
SHA-1	160-bit (40 hex)	RFC 3174 / FIPS 180-4	❌ Broken — SHAttered collision (2017); NIST formally retired Dec 2022, full withdrawal by Dec 2030 [verify 2026-04-26]	Fast	Legacy systems, NSRL/VirusTotal lookups
SHA-256	256-bit (64 hex)	NIST FIPS 180-4 / RFC 6234	✅ Secure (~2^128 collision resistance via birthday bound)	Medium	Recommended primary for forensics
SHA-512	512-bit (128 hex)	NIST FIPS 180-4 / RFC 6234	✅ Secure; faster than SHA-256 on 64-bit hardware	Medium-Fast	High-assurance / long-term archival
SHA-3 (SHA3-256/384/512)	256/384/512-bit	NIST FIPS 202 (2015)	✅ Secure (Keccak sponge — different construction from SHA-2)	Medium	Redundancy when paired with SHA-2; future-proofing
SHAKE128 / SHAKE256	Variable (XOF)	NIST FIPS 202	✅ Secure	Medium	Variable-length output (e.g., SLH-DSA signature internals)
BLAKE2 (b2sum)	256/512-bit	RFC 7693	✅ Secure; faster than SHA-256 in software	Fast	Performance-sensitive integrity (used in Argon2, WireGuard)
BLAKE3 (b3sum)	256-bit (extensible)	No NIST FIPS [inferred — not court-grade as primary]	✅ Secure; parallelizable, ~5–10× faster than SHA-256 on multi-core	Very Fast	Performance-critical integrity; pair with SHA-256, do not use as sole primary
CRC32	32-bit	ISO/IEC 13239 / Ethernet	❌ Not cryptographic	Very Fast	Error detection only — never for evidence

Current Best Practices

Primary standard:

SHA-256 — Recommended for all new evidence (NIST FIPS 180-4 baseline)

Why SHA-256:

• NIST approved (FIPS 180-4); also specified in RFC 6234.
• No known practical pre-image or collision attacks.
• Widely supported across forensic tools and OS-native utilities.
• Court admissible under Daubert/Frye [inferred — admissibility ultimately depends on jurisdiction and expert qualification, not algorithm choice alone].
• 256-bit output → birthday-bound collision resistance ≈ 2^128 operations (preimage ≈ 2^256). Adequate against foreseeable classical attacks.

When to use SHA-512:

• Long-term archival (slower hash deprecation cycle).
• 64-bit hosts where SHA-512 throughput exceeds SHA-256.
• Compliance regimes that mandate ≥384-bit hash output (e.g., CNSA 2.0 / CMMC / FedRAMP High [verify 2026-04-26 — exact CNSA 2.0 hash mandate]).

When SHA-3 (FIPS 202) is appropriate:

• Defensive redundancy against an unforeseen SHA-2 weakness — pair SHA-256 + SHA3-256 on critical evidence.
• Output-length flexibility via SHAKE128/256 (rare in forensics; common in PQ signature internals such as SLH-DSA).

When MD5 is acceptable:

• ⚠️ ONLY for deduplication in controlled environments.
• ⚠️ ONLY when comparing against legacy databases (NSRL legacy MD5 sets, VirusTotal MD5 search).
• ⚠️ NEVER as sole integrity verification in court.
• ⚠️ ALWAYS pair with SHA-256 when recorded.

SHA-1 status (2022 retirement):

• NIST announced SHA-1 retirement on 2022-12-15; full withdrawal target 2030-12-31 [verify 2026-04-26 — see NIST IR 8413 / FIPS 180-4 update notice].
• Acceptable only for backward-compatibility lookups (NSRL legacy, git commit IDs, VirusTotal). Pair with SHA-256.
• See SHAttered (2017) for the practical collision proof.

HMAC and Keyed Hashing

For tamper-evident logs where the verifier holds a secret key, use HMAC-SHA256 (NIST FIPS 198-1) rather than a bare hash:

# Linux/macOS
openssl dgst -sha256 -hmac "$SECRET_KEY" evidence.bin

# Windows (PowerShell)
$hmac = [System.Security.Cryptography.HMACSHA256]::new([Text.Encoding]::UTF8.GetBytes($env:SECRET_KEY))
[BitConverter]::ToString($hmac.ComputeHash([IO.File]::ReadAllBytes("evidence.bin"))).Replace("-","").ToLower()

HMAC is not a substitute for evidence hashing (chain-of-custody hashes must be reproducible by anyone holding the artefact); it is for log/manifest authenticity where unauthorized modification by an attacker who reads the log must be detectable. See NIST SP 800-107 Rev. 1 for guidance on approved hash applications.

Quantum-era considerations

• Grover's algorithm halves effective hash bit-strength against a quantum adversary: SHA-256 retains ≈ 2^128 preimage security, still adequate.
• No PQ migration urgency for hashing (unlike signatures: NIST FIPS 203 ML-KEM, FIPS 204 ML-DSA, FIPS 205 SLH-DSA, all finalized 2024-08). The hash function inside SLH-DSA is SHA-256 / SHAKE256 — confirms forensic continuity for evidence hashing into the PQ era.

Out-of-scope hashing families (this SOP is cryptographic-only)

• Fuzzy / similarity hashing (ssdeep / sdhash / TLSH / mrsh-v2) — used to group similar binaries, not to verify exact integrity. Belongs in Malware Analysis (sample clustering).
• Perceptual hashing (pHash / dHash / aHash / PhotoDNA) — used for image/video similarity (CSAM detection, deduplication). Belongs in Image & Video OSINT. PhotoDNA is operator-access only.
• Password KDFs (Argon2id, scrypt, bcrypt, PBKDF2) — out of scope for evidence integrity; see Cryptography Analysis.

Collision Attack Examples

MD5 collision (2004):

# Two different files with identical MD5 hash
File1: "Hello World\n" + malicious_code
File2: "Hello World\n" + benign_code
MD5(File1) == MD5(File2)  # Same hash, different content!

SHA-1 collision (SHAttered, 2017):

# Two different PDF files with same SHA-1
https://shattered.io/
# Proof that SHA-1 is no longer secure

---

5. Evidence Collection Workflow

Step-by-Step Process

1. Immediate Acquisition (T+0 minutes)

# Windows - Calculate hash immediately after copying evidence
Copy-Item -Path "\\suspect-pc\C$\evidence.bin" -Destination "E:\CASE-001\evidence.bin"
$hash = Get-FileHash -Path "E:\CASE-001\evidence.bin" -Algorithm SHA256
$hash.Hash | Out-File "E:\CASE-001\evidence_SHA256.txt"
Write-Host "SHA256: $($hash.Hash)"

# Linux - Calculate hash during copy with tee
dd if=/dev/sdb of=/evidence/disk.dd bs=512 conv=noerror,sync | tee >(sha256sum > /evidence/disk_SHA256.txt)

# Or after copy
sha256sum /evidence/disk.dd | tee /evidence/disk_SHA256.txt

2. Chain of Custody Documentation (T+5 minutes)

# Evidence Log - CASE-2025-1005-001

## Acquisition
- **Date/Time:** 2025-10-05 14:30:00 UTC
- **Source:** Laptop (HOSTNAME: SUSPECT-PC)
- **Path:** C:\Users\suspect\Documents\evidence.bin
- **Acquired By:** Analyst Name
- **Method:** Physical copy via USB write-blocker

## Hash Values (Acquisition)
- **SHA-256:** a1b2c3d4e5f6789012345678901234567890123456789012345678901234567890
- **SHA-1:**   1234567890abcdef1234567890abcdef12345678
- **MD5:**     12345678901234567890123456789012
- **Algorithm:** SHA-256 (primary)
- **Tool:** Get-FileHash (PowerShell 5.1)

## Verification Log
| Date | Time (UTC) | Result | Hash Match | Analyst |
|------|------------|--------|------------|---------|
| 2025-10-05 | 14:30 | ✓ VERIFIED | SHA-256 match | analyst1 |
| 2025-10-06 | 09:00 | ✓ VERIFIED | SHA-256 match | analyst2 |
| 2025-10-07 | 11:15 | ✗ MISMATCH | SHA-256 FAIL | analyst1 |

## Notes
- 2025-10-07 mismatch: File was re-acquired from backup. New hash documented below.

3. Periodic Re-Verification (Daily/Before Analysis)

# Automated verification script
$evidencePath = "E:\CASE-001\evidence.bin"
$knownHashFile = "E:\CASE-001\evidence_SHA256.txt"
$knownHash = (Get-Content $knownHashFile).Trim()
$currentHash = (Get-FileHash -Path $evidencePath -Algorithm SHA256).Hash

$result = @{
    Timestamp = Get-Date -Format "yyyy-MM-dd HH:mm:ss UTC"
    Analyst = $env:USERNAME
    FilePath = $evidencePath
    KnownHash = $knownHash
    CurrentHash = $currentHash
    Match = ($currentHash -eq $knownHash)
}

if ($result.Match) {
    Write-Host "✓ VERIFIED: Evidence integrity maintained" -ForegroundColor Green
    Add-Content -Path "E:\CASE-001\verification_log.txt" -Value "$($result.Timestamp) - VERIFIED by $($result.Analyst)"
} else {
    Write-Host "✗ CRITICAL: Evidence integrity compromised!" -ForegroundColor Red
    Write-Host "Expected: $knownHash"
    Write-Host "Got:      $currentHash"
    Add-Content -Path "E:\CASE-001\verification_log.txt" -Value "$($result.Timestamp) - MISMATCH detected by $($result.Analyst) - INVESTIGATION REQUIRED"
}

4. Transfer Verification

# Sender side (create manifest)
sha256sum evidence.bin > evidence_SHA256.txt
tar -czf evidence_package.tar.gz evidence.bin evidence_SHA256.txt

# Receiver side (verify after transfer)
tar -xzf evidence_package.tar.gz
sha256sum -c evidence_SHA256.txt
# Output: evidence.bin: OK

---

6. Advanced Use Cases

Malware Sample Deduplication

# Build malware sample database
find /malware_samples -type f -exec sha256sum {} \; | sort > malware_hashes.txt

# Check if new sample is already in database
NEW_HASH=$(sha256sum new_sample.exe | awk '{print $1}')
if grep -q "$NEW_HASH" malware_hashes.txt; then
    echo "Duplicate sample - already analyzed"
else
    echo "New sample - requires analysis"
    echo "$NEW_HASH new_sample.exe" >> malware_hashes.txt
fi

Disk Image Verification

# Create disk image with verification
dc3dd if=/dev/sdb of=evidence.dd hash=sha256 hash=md5 hashlog=evidence_hashes.txt

# Verify disk image later
dc3dd if=evidence.dd hash=sha256 hashlog=verification.txt
diff evidence_hashes.txt verification.txt

Network Transfer Integrity

# Sender: Calculate hash before upload
sha256sum evidence.bin > evidence.sha256
rsync -avz evidence.bin evidence.sha256 analyst@server:/evidence/

# Receiver: Verify after download
cd /evidence
sha256sum -c evidence.sha256

Large File Streaming Hash

# Hash file while reading (doesn't load entire file into memory)
sha256sum large_image.dd
# Works for files larger than available RAM

# Or with progress bar (requires pv)
pv large_image.dd | sha256sum

---

7. Troubleshooting & Common Issues

Hash Mismatch Scenarios

1. Line Ending Differences (Text Files)

# Windows (CRLF) vs Linux (LF) line endings cause different hashes
# On Windows:
certutil -hashfile document.txt SHA256
# Result: a1b2c3d4...

# Same file on Linux:
sha256sum document.txt
# Result: b2c3d4e5... (DIFFERENT!)

# Solution: Use binary comparison or normalize line endings
dos2unix document.txt  # Convert to Unix
unix2dos document.txt  # Convert to Windows

2. Filesystem Metadata vs Content

# Some tools hash metadata + content, others hash content only
# File hash will differ if metadata is included

# Content-only hash (most common)
sha256sum file.bin

# Metadata + content hash
# Use specialized tools like md5deep with -l flag

3. File Locking

# Windows: File in use by another process
Get-FileHash evidence.bin
# Error: The process cannot access the file because it is being used by another process

# Solution: Use handle.exe to find locking process
handle.exe evidence.bin
# Or reboot into forensic boot environment

4. Symbolic Links

# Hash follows symlink (hashes target file)
sha256sum /path/to/symlink  # Hashes target

# Hash the symlink itself
sha256sum -L /path/to/symlink  # Some versions support -L flag

# Best practice: Resolve symlinks first
readlink -f /path/to/symlink
sha256sum /actual/target/path

Performance Optimization

Parallel hashing (multiple files):

# GNU parallel (fastest for many files)
find /evidence -type f | parallel -j 8 sha256sum {} > all_hashes.txt

# Or xargs
find /evidence -type f | xargs -P 8 -I {} sha256sum {}

Large file optimization:

# Use buffered I/O for large files
dd if=large_image.dd bs=1M | sha256sum

# Or specialized tools
sha256deep -r /evidence  # Optimized for forensics

---

8. Chain of Custody Best Practices

Documentation Template

# Evidence Hash Verification Form

**Case Number:** CASE-2025-1005-001
**Evidence ID:** EV-001
**Description:** Laptop hard drive image

## Initial Hash (Acquisition)
- **Date/Time:** 2025-10-05 14:30:00 UTC
- **Calculated By:** John Doe (Analyst ID: A123)
- **Algorithm:** SHA-256
- **Hash Value:** a1b2c3d4e5f6789012345678901234567890123456789012345678901234567890
- **Tool:** FTK Imager 4.7.1.2
- **Signature:** [Digital signature or initials]

## Verification Record

### Verification 1
- **Date/Time:** 2025-10-06 09:00:00 UTC
- **Verified By:** Jane Smith (Analyst ID: A456)
- **Result:** ✓ MATCH
- **Signature:** [Digital signature or initials]

### Verification 2
- **Date/Time:** 2025-10-07 11:15:00 UTC
- **Verified By:** John Doe (Analyst ID: A123)
- **Result:** ✗ MISMATCH
- **Action Taken:** Evidence re-acquired from backup. New hash documented.
- **Incident Report:** INC-2025-1007-001
- **Signature:** [Digital signature or initials]

## Transfer Log
| Date | From | To | Method | Hash Verified | Signature |
|------|------|-----|--------|---------------|-----------|
| 2025-10-05 | Crime Scene | Lab | USB 3.0 | ✓ | JD |
| 2025-10-06 | Lab | Storage | Network | ✓ | JS |

Automated Logging Script

# evidence_tracker.ps1
param(
    [string]$EvidencePath,
    [string]$CaseNumber
)

$logPath = "E:\Cases\$CaseNumber\hash_verification_log.csv"

# Calculate current hash
$hash = Get-FileHash -Path $EvidencePath -Algorithm SHA256

# Log entry
$entry = [PSCustomObject]@{
    Timestamp = Get-Date -Format "yyyy-MM-dd HH:mm:ss UTC"
    CaseNumber = $CaseNumber
    FilePath = $EvidencePath
    SHA256 = $hash.Hash
    Analyst = $env:USERNAME
    Computername = $env:COMPUTERNAME
}

# Append to log
$entry | Export-Csv -Path $logPath -Append -NoTypeInformation

Write-Host "Hash logged: $($hash.Hash)"

---

9. Integration with Forensic Tools

Autopsy / Sleuth Kit Integration

# Calculate hash during Autopsy ingest
# Autopsy automatically calculates MD5 for all files

# Query Autopsy database for file hashes
sqlite3 autopsy.db "SELECT name, md5 FROM tsk_files WHERE md5 IS NOT NULL;"

# Export hash list
sqlite3 -csv autopsy.db "SELECT md5, name FROM tsk_files;" > autopsy_hashes.csv

EnCase / FTK Integration

# EnCase automatically calculates MD5 and SHA-1 during evidence processing
# Access via Evidence > File Properties > Hash

# Export hash report:
# EnCase: View > Hash Analysis > Export
# FTK: File > Export > Hash List

Volatility (Memory Forensics)

# Hash memory dump
sha256sum memory.dmp > memory_SHA256.txt

# Volatility automatically verifies integrity if hash stored in profile
vol.py -f memory.dmp --profile=Win10x64 pslist

---

10. Tools Reference

Tool	Platform	Type	Use Case	Link
certutil	Windows	Built-in	Quick hashing	Built-in
Get-FileHash	Windows	Built-in	PowerShell automation	Built-in
sha256sum	Linux/Mac	Built-in	Command-line hashing	Built-in
md5deep/hashdeep	Cross-platform	CLI	Recursive hashing, audit	GitHub
HashTab	Windows	GUI	Right-click integration	hashtab.io
HashMyFiles	Windows	GUI	Batch processing	NirSoft
FTK Imager	Windows	GUI/CLI	Forensic imaging + hash	Exterro
GtkHash	Linux	GUI	GTK-based hashing	gtkhash
RapidCRC	Windows	GUI	SFV/MD5 checksum files	rapidcrc.net

---

Best Practice Summary:

• ✅ Use SHA-256 (NIST FIPS 180-4) as the primary hash for all new evidence.
• ✅ Calculate hash immediately upon acquisition; record before any other operation.
• ✅ Verify hash before and after every transfer or movement (hash-on-acquisition / hash-after-transport).
• ✅ Log all verifications in chain of custody with analyst, timestamp (UTC), and tool version.
• ✅ For critical evidence, pair algorithms with different constructions (SHA-256 + SHA3-256, or SHA-256 + BLAKE2/3) so a single-family weakness does not invalidate both.
• ✅ Sign manifests (GPG-detached or age) and consider RFC 3161 / OpenTimestamps anchoring for non-repudiation.
• ❌ Never rely on MD5 or SHA-1 alone for court evidence.
• ❌ Never use BLAKE3 as the sole forensic primary (no NIST FIPS standardization yet) [inferred].
• ❌ Never skip hash verification before analysis.

---

11. Reference Resources

Hash Algorithm Standards & Documentation

• NIST FIPS 180-4 — nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.180-4.pdf
  • Official SHA-1 / SHA-2 family specification (SHA-1, SHA-224, SHA-256, SHA-384, SHA-512, SHA-512/224, SHA-512/256).
• NIST FIPS 202 — nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.202.pdf
  • SHA-3 standard (Keccak): SHA3-224/256/384/512, SHAKE128, SHAKE256.
• NIST FIPS 198-1 — nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.198-1.pdf
  • HMAC (keyed-hash message authentication code).
• NIST SP 800-107 Rev. 1 — csrc.nist.gov/publications/detail/sp/800-107/rev-1/final
  • Recommendation for Applications Using Approved Hash Algorithms.
• NIST SHA-1 retirement notice — csrc.nist.gov/news/2022/nist-retires-sha-1-cryptographic-algorithm
  • 2022-12-15 announcement; full withdrawal target 2030-12-31 [verify 2026-04-26].
• NIST Hash Functions Portal — csrc.nist.gov/projects/hash-functions
  • Cryptographic hash function projects and research.
• RFC 1321 (MD5) — datatracker.ietf.org/doc/html/rfc1321
  • MD5 specification (1992, historical/broken).
• RFC 3174 (SHA-1) — datatracker.ietf.org/doc/html/rfc3174
  • US Secure Hash Algorithm 1 (2001).
• RFC 6234 (SHA-2 family + HMAC-SHA) — datatracker.ietf.org/doc/html/rfc6234
  • Reference implementation for SHA-224/256/384/512 and HMAC variants.
• RFC 7693 (BLAKE2) — datatracker.ietf.org/doc/html/rfc7693
  • BLAKE2b / BLAKE2s / BLAKE2x cryptographic hash and MAC.
• BLAKE3 specification — github.com/BLAKE3-team/BLAKE3-specs
  • Whitepaper (2020); no NIST FIPS standardization [verify 2026-04-26].
• RFC 3161 (Time-Stamp Protocol) — datatracker.ietf.org/doc/html/rfc3161
  • PKI timestamping for non-repudiable hash anchoring.
• OpenTimestamps — opentimestamps.org
  • Bitcoin-anchored timestamping for hash manifests.

Digital Forensics Standards

• NIST SP 800-86 - csrc.nist.gov/publications/detail/sp/800-86/final
  • Guide to Integrating Forensic Techniques into Incident Response
• ISO/IEC 27037:2012 - iso.org
  • Guidelines for identification, collection, acquisition, and preservation of digital evidence
• Scientific Working Group on Digital Evidence (SWGDE) - swgde.org
  • Best practices for digital evidence handling
• National Institute of Justice (NIJ) - nij.ojp.gov/topics/forensics/digital-evidence
  • Digital evidence best practices

Hash Collision Research

• SHAttered Attack - shattered.io
  • First practical SHA-1 collision (2017)
  • Demonstrates why SHA-1 should be deprecated
• MD5 Collision Vulnerabilities - eprint.iacr.org/2004/199
  • Wang et al. MD5 collision research (2004)
• HashClash Project - github.com/cr-marcstevens/hashclash
  • MD5 and SHA-1 collision tools (academic research)

Forensic Hashing Tools

• md5deep/hashdeep - github.com/jessek/hashdeep
  • Recursive hash computation and audit
  • Cross-platform, forensically sound
• HashMyFiles (NirSoft) - nirsoft.net/utils/hash_my_files.html
  • Portable Windows hash calculator
• GtkHash - github.com/tristanheaven/gtkhash
  • Linux GTK-based hash calculator

Forensic Imaging Tools (with Hash Verification)

• FTK Imager — exterro.com/ftk-imager
  • Free forensic imaging tool with automatic hash verification.
  • Supports MD5, SHA-1, SHA-256.
• dc3dd — sourceforge.net/projects/dc3dd
  • Enhanced dd with hashing on-the-fly. Historically maintained by DoD Cyber Crime Center; upstream activity has slowed [verify 2026-04-26]. Modern preference is ewfacquire for E01 / dcfldd legacy / dc3dd for raw with on-the-fly hash.
• Guymager — guymager.sourceforge.io
  • Linux forensic imager with MD5/SHA verification.
• ewfacquire (libewf) — github.com/libyal/libewf
  • Expert Witness Format (E01/Ex01) imaging with embedded SHA-256 hash verification.

Online Hash Lookup Services

• VirusTotal - virustotal.com
  • Malware hash lookup (MD5, SHA1, SHA256)
  • Submit samples or search by hash
• NSRL (National Software Reference Library) - nsrl.nist.gov
  • Reference hash database of known software
  • Filter out known-good files from forensic analysis
• MalwareBazaar - bazaar.abuse.ch
  • Malware sample hash database
  • Community-driven malware intelligence
• ThreatFox - threatfox.abuse.ch
  • IOC database including file hashes

Training & Certification

• SANS FOR500: Windows Forensic Analysis - Hash verification techniques
• SANS FOR508: Advanced Incident Response - Evidence integrity practices
• EnCase Certified Examiner (EnCE) - Includes hash verification methodologies
• CHFI (Computer Hacking Forensic Investigator) - EC-Council certification covering evidence handling

Community & Forums

• Forensic Focus Forums - forensicfocus.com
  • Digital forensics community
• Reddit r/computerforensics - reddit.com/r/computerforensics
  • Forensic practitioners community

Automation Scripts & Tools

• PowerForensics - github.com/Invoke-IR/PowerForensics
  • PowerShell framework for forensic analysis
  • Includes hash verification modules
• Forensic Toolkit Scripts - Various GitHub repositories
  • Automated evidence hashing workflows
• Ansible Forensic Playbooks - Automated evidence collection with hash verification

---

Legal & Ethical Considerations

Hash generation is a methodology, not an authorization. The SOP focuses on technical correctness; jurisdictional rules, evidence handling authority, and disclosure obligations are governed elsewhere in the vault.

Authorized environments only. See Legal & Ethics for canonical jurisdictional framing (CFAA, CMA, EU evidence directives, GDPR Art. 6/9), and Collection Log for the chain-of-custody rules into which hash records are integrated.

Hashing-specific guardrails:

• Hash a copy, not the original. When acquiring from a live system, hash the working image, not the suspect medium directly (avoid altering MAC times). Use a write-blocker for physical evidence.
• Record tool + version. A SHA-256 value is reproducible only if the algorithm and reader are unambiguous. Record sha256sum --version, Get-FileHash -Algorithm SHA256 (PowerShell version), or certutil -? build alongside the hash.
• Two-analyst attestation. Critical evidence should be hashed by the acquiring analyst and re-hashed by an independent verifier; both hashes go into the chain of custody.
• Disclosure. Hash manifests are part of the evidence package. See Reporting, Packaging & Disclosure.

---

Related SOPs

Methodology & governance:

• Legal & Ethics — canonical jurisdictional framing
• OPSEC Plan — handler/host hygiene during evidence handling
• Collection Log — chain-of-custody record into which hash values are integrated
• Reporting, Packaging & Disclosure — hash manifests in deliverable packages

Analysis:

• Malware Analysis — hash-based sample identification and deduplication
• Cryptography Analysis — algorithm security analysis (length-extension, collision, hashcat modes)
• Reverse Engineering — file integrity during binary analysis
• Forensics Investigation — evidence acquisition (basename link; file lives in Security/Analysis/)

Pentesting & Security:

• Detection Evasion Testing — hash-based malware detection bypass techniques

---

Version: 1.1 Last Updated: 2026-04-26 Review Frequency: Annual (slow-rot anchor SOP — algorithm-standards horizon is multi-year)