Why are cryptographic hashes important for preserving evidence, and which algorithms are used?

Unlock all questions

This demo includes only 20 questions. Upgrade to access hundreds of questions, flashcards, exam simulations, and disable ads.

Full question bankExam simulationsFlashcards
From $24.99Unlock all

Study for the SANS Advanced Incident Response, Threat Hunting, and Digital Forensics (FOR508) Test. Prepare with comprehensive materials, flashcards, and multiple choice questions with hints and explanations. Ace your exam with confidence!

Multiple Choice

Why are cryptographic hashes important for preserving evidence, and which algorithms are used?

Explanation:
Cryptographic hashes serve as fingerprints for digital evidence. They let you detect any change to data by producing a fixed-length fingerprint that uniquely represents the exact bytes at a given moment. In practice, you calculate a hash when you first collect the evidence, then re-calculate and compare hashes after imaging, transferring, or storing the data. If the hashes match, you have strong assurance that the copy or the preserved evidence is identical to the original, which is essential for maintaining the chain of custody and the integrity of analysis. SHA-256 is the recommended primary algorithm because it offers strong collision and preimage resistance and is widely supported across tools and platforms. MD5 and SHA-1 have known vulnerabilities and are considered weak for security-sensitive work, so they should not be relied upon as the main integrity check. They may be kept only as legacy references to compare against older evidence sets, not as the sole verification method. Using hashes this way clarifies exactly what was collected and when, supports reproducible verification by different investigators, and helps ensure that evidence remains untampered through all stages of handling.

Cryptographic hashes serve as fingerprints for digital evidence. They let you detect any change to data by producing a fixed-length fingerprint that uniquely represents the exact bytes at a given moment. In practice, you calculate a hash when you first collect the evidence, then re-calculate and compare hashes after imaging, transferring, or storing the data. If the hashes match, you have strong assurance that the copy or the preserved evidence is identical to the original, which is essential for maintaining the chain of custody and the integrity of analysis.

SHA-256 is the recommended primary algorithm because it offers strong collision and preimage resistance and is widely supported across tools and platforms. MD5 and SHA-1 have known vulnerabilities and are considered weak for security-sensitive work, so they should not be relied upon as the main integrity check. They may be kept only as legacy references to compare against older evidence sets, not as the sole verification method.

Using hashes this way clarifies exactly what was collected and when, supports reproducible verification by different investigators, and helps ensure that evidence remains untampered through all stages of handling.

More Multiple Choice Questions
Subscribe

Get the latest from Examzify

You can unsubscribe at any time. Read our privacy policy