After you have collected the evidence using any of the means suggested so far in this chapter, you must provide a mechanism for checking, at any time, its validity. If the validity of evidence is not credible, all of the analysis and collection efforts could be considered wasted. Therefore, applying the industry-accepted MD5 checksum as the digital fingerprinting tool for the evidence, you can insure that the data collected several years ago is exactly the same as the version submitted in court.

The md5sum (and md5) tool is available with most open-source Unix operating systems. For Windows, the Cygwin suite of tools contains the md5sum executable. (Refer to Chapter 3 for information about Cygwin.)


The tool to calculate the MD5 checksum of a file in Linux is called md5sum and typically comes bundled with most Linux distributions. The options for md5sum are as follows:

forensic# md5sum --help
Usage: md5sum [OPTION] [FILE]...
      or:  md5sum [OPTION] --check [FILE]
Print or check MD5 (128-bit) checksums.
With no FILE, or when FILE is -, read standard input.

  -b, --binary            read files in binary mode (default on DOS/Windows)
  -c, --check              check MD5 sums against given list
  -t, --text               read files in text mode (default)

The following two options are useful only when verifying checksums:
      --status            don't output anything, status code shows success
      -w, --warn          warn about improperly formatted checksum lines

      --help              display this help and exit
      --version           output version information and exit

You invoke the tool by providing one parameter, which is the file to be calculated. For forensic purposes, all MD5 checksums will be calculated in binary mode. Therefore, you should use the -b switch at all times.

The following demonstrates calculating the MD5 checksum for several evidence files we duplicated:

forensic# ls
disk.1.bin disk.2.bin disk.3.bin disk.4.bin
forensic# md5sum -b * > md5sums.txt

After we have a listing of files from MD5 checksum, validating the files is an easy process. Validation can be achieved by specifying the -c switch and a file of MD5 checksums.

forensic# md5sum -c md5sums.txt
disk.1.bin: OK
disk.2.bin: OK
disk.3.bin: OK
disk.4.bin: OK

In the case when at least 1 bit of an evidence file is altered, a checksum mismatch is reported. We opened a binary editor and changed the first bit from a1 to a0 in the disk.4.bin file. If we compare the MD5 checksums with md5sum, we get the following results:

forensic# md5sum -c md5sums.txt
disk.1.bin: OK
disk.2.bin: OK
disk.3.bin: OK
disk.4.bin: FAILED
md5sum: WARNING: 1 of 4 computed checksums did NOT match

The md5sum tool can compute the MD5 checksum of complete hard drives in Unix operating systems. This is because Unix treats hard drives as special files, and md5sum does not notice a difference. Shortly, we will demonstrate how to compare a MD5 checksum of a source hard drive with the checksum from a forensic duplication evidence file.


It is important to mention that md5sum has been ported to the Windows operating system. Md5sum is part of the Cygwin development distribution you studied in Chapter 3. All the options and switches in the Windows version are exactly the same as those in the Linux version. The only difference in execution we have noticed is that the Windows version does not always imply the -b switch, and that is why we recommend you get into the habit of using it.

In FreeBSD, the MD5 checksum tool is called md5 and is part of the base operating system that operates similar to the Linux and Windows counterparts. The usage of md5 is as follows:

forensic# md5 <filename>

Notice that the md5 tool is much simpler than its Linux counterpart, and you do not need to specify the use of a binary mode.

Previous Section
Next Section

 Python   SQL   Java   php   Perl 
 game development   web development   internet   *nix   graphics   hardware 
 telecommunications   C++ 
 Flash   Active Directory   Windows