- What MD5 is and what role it plays in computer forensics
- How MD5 is used in Passware Kit
- Improving performance: how to disable MD5 calculation
What MD5 and what role it plays in computer forensics
MD5 (Message-Digest Algorithm 5) is a hash function that produces a 128-bit hash digest. This function was developed by Professor Ronald Rivest of MIT in 1991.
In modern forensics, hash values are often used to validate the integrity of digital evidence. These values can verify that one data set (for example, a hard drive, file, document, email, or image) is identical to another.
When two data sets produce identical alphanumeric hash values, it confirms that the evidence remains unaltered and uncorrupted.
More information on how the MD5 is used in forensics can be found in the US Justice Department “Obtaining and Admitting Electronic Evidence” article:
https://www.justice.gov/sites/default/files/usao/legacy/2011/11/30/usab5906.pdf#page=68
How MD5 is used in Passware Kit
Passware Kit uses MD5 hash to validate digital evidence. Below are several examples of MD5 usage in Passware Kit:
Encryption Analyzer
Being a free tool, Encryption Analyzer scans computers and network drives to identify encrypted files and hard disk images, providing detailed information on encryption type, password recovery complexity, and MD5 hash. Calculating the MD5 value allows investigators to quickly identify duplicate files and record a file's hash.
The Encryption Analyzer is integrated into all editions of Passware Kit, enabling immediate decryption of the discovered items. The MD5 calculation can be enabled and disabled in the Scan Options menu.
The MD5 value is calculated for each of the detected encrypted files, and can be saved as a CSV file, along with the list of files.
Passware Kit results: encrypted/decrypted files
During the password recovery process, Passware Kit performs MD5 calculations for both the encrypted file or disk image and the corresponding decrypted items. The MD5 calculation is a separate operation, displayed on the Log Tab, and is exclusively available in Passware Kit Business, Forensic, and Ultimate editions only. The MD5 values are also saved as HTML or CSV reports.
Improving performance: how to disable MD5 calculation
Passware Kit features an option to deactivate MD5 hash calculation for encrypted and decrypted files. This setting is located in the Tools | Options | Files and Folders menu.
Disabling the MD5 calculation feature can significantly reduce processing times for disk images, archives, and large files.
Comments
0 comments
Article is closed for comments.