In digital forensics, maintaining the integrity of digital exhibits is an essential aspect of the entire investigation and examination process, which is established using the technique of hashing. Lack of knowledge, while handling digital exhibits, might lead to unintentional alteration of computed hash, rendering the exhibit unacceptable in the court of Law. The hash value of a physical drive does not solely depend upon the data files present in it but also its file-system. Therefore, any change to the file-system might result in the change of the disk hash, even when the data files within it remain untouched. In this paper, our objective is to study the role of file-system in modification of the hash value. We examine and analyse the changes in the file-system of a NTFS formatted USB storage device, which leads to modification in its hash value when the device is plugged-in to the computer system without using write-blocker. The outcome of this research would justify the importance of write blockers while handling digital exhibits and also substantiate that the alteration in hash value of a storage device might not be an indication that data within the device has been tampered with.

Note on the Author(s)

Kumarshankar Raychaudhuri, LNJN National Institute of Criminology and Forensic Science, Ministry of Home Affairs, Govt. of India, New Delhi, India.

M. George Christopher, State Forensic Science Laboratory, India