421
When creating forensic images, verifying an image’s integrity (i.e., whether or not it is an exact bit-for-bit copy of the original evidence) is very important. Typically, this verification is accomplished via a comparison of the hash value (e.g., MD5, SHA1, SHA2, etc.) of the original media with the hash value of the resulting forensic image. However, is hashing still a beneficial exercise when creating a “live” forensic image (e.g., creating a DD image of a running server)? When a forensic image is created from a live, running system, will the hash value of the image ever match a hash of the running system’s hard drive? Why or why not? If not, how could you explain this in court? Discuss these questions thoroughly in your Conference response, and respond to at least one other student’s original post in a way that adds to the discussion.
