Hashing Non EWF Images In Autopsy

markmckinnon
Aug 28, 2018

As I was going through the list of Autopsy requests I found one that talked about hashing disk images. Now, there is an ingest module to validate EWF files, but not one to do RAW (single or split), VMDK or VHD files. Well, the wait is over: let me introduce you to the Hash Images plugin.

Hash Images plugin User Interface.

The Hash Images plugin takes one (1) of three (3) possible arguments. You can either provide the MD5 or SHA1 hash value for the image, or you can use the FTK Imager log file if the image was created with FTK Imager. To use either the MD5 or SHA1 hash, you just have to type it in or copy and paste it. You only need one to compare; if you supply both of them, it will default to MD5. If you decide to pick the FTK Imager log, you can either type the file path and name in or search for it. The plugin will then parse the log file and pull out the hashes to compare with.

Once you have chosen which method you would like to use to validate, just click Finish and let the plugin do its thing. Once it has completed running, a message will be added to the ingest messages saying whether the image was verified/validated or not. Below is an example message from using the FTK Imager log.

Hash Images Verified Message

If the image did not validate/verify, then it will tell you it did not. Not much to this plugin, as it is pretty simple and straightforward. You can find the module here. As always, questions and comments are welcome. Enjoy!
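
The comparison described above (one expected MD5 or SHA1 value, or both pulled from an FTK Imager log, with MD5 taking precedence) can be sketched as follows. This is an added example, not the plugin's own code; the function names, the log line layout matched by the regex and the two-segment sample image are assumptions constructed for illustration.

```python
import hashlib
import os
import re
import tempfile

# Assumed FTK Imager log layout: "MD5 checksum:    <hex>" (optionally followed by " : verified").
LOG_RE = re.compile(r"^\s*(MD5|SHA1) checksum:\s*([0-9a-fA-F]+)", re.MULTILINE)


def parse_ftk_log(text):
    """Return the hashes found in the log text, e.g. {'md5': ..., 'sha1': ...}."""
    found = {}
    for algo, value in LOG_RE.findall(text):
        found.setdefault(algo.lower(), value.lower())  # keep the first value per algorithm
    return found


def hash_segments(paths, algo, chunk_size=1024 * 1024):
    """Hash the image segments in order as one stream, reading in chunks."""
    h = hashlib.new(algo)
    for path in paths:
        with open(path, "rb") as fh:
            for chunk in iter(lambda: fh.read(chunk_size), b""):
                h.update(chunk)
    return h.hexdigest()


def verify_image(paths, md5=None, sha1=None):
    """Compare against one expected hash; MD5 takes precedence when both are given."""
    algo, expected = ("md5", md5) if md5 else ("sha1", sha1)
    if not expected:
        raise ValueError("an expected MD5 or SHA1 value is required")
    actual = hash_segments(paths, algo)
    return algo, actual == expected.strip().lower(), actual


def demo():
    """Constructed sample: a two-segment split raw image and a matching log excerpt."""
    parts = [b"constructed segment 001", b"constructed segment 002"]
    tmp = tempfile.mkdtemp()
    paths = []
    for i, data in enumerate(parts, 1):
        paths.append(os.path.join(tmp, "image.%03d" % i))
        with open(paths[-1], "wb") as fh:
            fh.write(data)
    whole = b"".join(parts)
    log = ("[Computed Hashes]\n MD5 checksum:    %s\n SHA1 checksum:   %s\n"
           % (hashlib.md5(whole).hexdigest(), hashlib.sha1(whole).hexdigest()))
    return verify_image(paths, **parse_ftk_log(log))
```

For a split raw image, the segments must be passed in their original order, since the hash covers the concatenated stream rather than each file separately.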
