What hashing algorithms are commonly used to verify forensic image integrity, and what order should you apply them?

Study for the SANS Advanced Incident Response, Threat Hunting, and Digital Forensics (FOR508) Test. Prepare with comprehensive materials, flashcards, and multiple choice questions with hints and explanations. Ace your exam with confidence!

Multiple Choice

Explanation:
When verifying a forensic image you rely on cryptographic hashes: fixed-length digests that change if any bit of the input changes and that cannot practically be forged for a chosen input. SHA-256 is the preferred primary hash. It has no known practical collision or preimage attacks, so matching 256-bit digests on two copies are strong evidence that they are byte-for-byte identical. MD5 and SHA-1 are still computed alongside it in many labs, mostly because older tools, reports and reference hash sets record them, but both have published collision attacks (MD5 since 2004, SHA-1 with the SHAttered collision in 2017) and neither should be the sole proof of integrity. Their speed advantage is minor in practice: on a large image the sequential read of the media is the bottleneck, and every digest you want can be computed in that single pass.

The order matters. First, hash the original source (the suspect media behind a write blocker, or the trusted file you were handed) before or during acquisition. Second, acquire the image and hash the image data with the same algorithms; most imaging tools compute the hashes during acquisition and record them in the log or in the container header. For container formats such as E01, the recorded hash covers the acquired data stream, not the .E01 file on disk, so make sure you are hashing the same thing on both sides. Third, compare every digest you computed, with SHA-256 as the deciding value. If all digests match, the image is a faithful copy of the source. If any digest differs, either the copy was altered or corrupted in transfer or handling, or the source itself changed between reads (a live disk, or a failing sector that reads differently each time); repeat the acquisition or document the deviation. Record the digests in the chain-of-custody notes and re-verify them each time the image is copied and before analysis begins.

Why the other options don't fit: MD5 alone has practical collision attacks, so a matching digest does not rule out a crafted substitute. CRC32 is a 32-bit error-detecting checksum, not a cryptographic hash, and deliberate tampering can trivially preserve it. SHA-3 is a sound algorithm, but computing it exclusively on the image with nothing to compare against verifies nothing, because integrity verification is always a comparison against a known-good value.
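The source-versus-image comparison described above, written out as an added Python example (not code from the page or from SANS). It computes SHA-256 and MD5 in one sequential read of each file and accepts the image only if every digest matches. The "evidence" bytes, the faithful copy, the copy with one flipped bit, and the file names are constructed for the demo; on real media you would hash the device behind a write blocker and the acquired image, or compare against the digests your imaging tool recorded.

```python
import hashlib
import os
import tempfile

# Primary digest first; MD5 is kept only to cross-check older reports and tools.
DEFAULT_ALGOS = ("sha256", "md5")
CHUNK = 1 << 20  # 1 MiB reads keep memory flat on multi-terabyte images


def hash_stream(path, algos=DEFAULT_ALGOS):
    """Return {algo: hexdigest} for a file, computing all digests in one pass.

    A single sequential read feeds every hash object, so adding MD5 next to
    SHA-256 costs some CPU but never a second pass over the evidence.
    """
    hashers = {name: hashlib.new(name) for name in algos}
    with open(path, "rb") as f:
        while True:
            block = f.read(CHUNK)
            if not block:
                break
            for h in hashers.values():
                h.update(block)
    return {name: h.hexdigest() for name, h in hashers.items()}


def verify_image(source_path, image_path, algos=DEFAULT_ALGOS):
    """Compare every computed digest between source and image.

    Returns (verified, details). The image is accepted only if all digests
    match; one mismatch means the copy is not faithful and must be explained.
    """
    src = hash_stream(source_path, algos)
    img = hash_stream(image_path, algos)
    details = {
        name: {"source": src[name], "image": img[name], "match": src[name] == img[name]}
        for name in algos
    }
    return all(d["match"] for d in details.values()), details


def demo():
    """Constructed sample (not real evidence): a deterministic 1 MiB blob, a
    faithful copy of it, and a copy with a single bit flipped in the middle."""
    evidence = bytes(range(256)) * 4096
    tampered = bytearray(evidence)
    tampered[524288] ^= 0x01
    with tempfile.TemporaryDirectory() as d:
        src = os.path.join(d, "source.raw")
        good = os.path.join(d, "good.dd")
        bad = os.path.join(d, "bad.dd")
        for path, data in ((src, evidence), (good, evidence), (bad, bytes(tampered))):
            with open(path, "wb") as f:
                f.write(data)
        ok_good, _ = verify_image(src, good)
        ok_bad, detail_bad = verify_image(src, bad)
        return ok_good, ok_bad, detail_bad


if __name__ == "__main__":
    ok_good, ok_bad, detail_bad = demo()
    print("faithful copy verified:", ok_good)
    print("tampered copy verified:", ok_bad)
    for name, d in detail_bad.items():
        print(f"  {name}: source={d['source'][:16]}... image={d['image'][:16]}... match={d['match']}")
```

A one-bit change fails both digests, which is the point of the comparison: the check does not care where or how small the change is. Keep the digests from a verified acquisition in the case notes so the same function can be rerun against any later copy of the image.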
