# 2.3 Evimetry Acquisition Modes Part 2: Block Hash vs. Linear Hash

Video Activity
Join over 3 million cybersecurity professionals advancing their career
or

Time
36 minutes
Difficulty
Beginner
CEU/CPE
1
Video Transcription
00:01
All right, this is introduction. Ever met Tree the controller
00:06
and a promise for you. We would talk about hashing because, hey, who doesn't want to talk about hashing?
00:11
All right, So if you if you watch my previous course on introduction to ever met Tree, we were actually the f F four format. We talked about how ah f f four uses block cashing versus linear hashing. So elementary uses this block hashing, uh,
00:30
method for
00:32
collecting the well, not Clementine, but but hashing the data while the data's being collected. And then it hashes each and every block being collected and then creates a block map hash of everything. So sort of a master hash of all the hashes, if you will.
00:49
The beauty of that, if you looked at the advanced f f or a PDF paper that pointed out earlier is it is significantly speeds up the hashing process. So linear, linear hashing, on the other hand, makes a hash of the acquired image and presents a hash value at the end.
01:07
The downs part about that is that its CPU bound. So it's taking this huge forensic image as trying to make one hash of it, Um, and it just takes more time. And it's based on, you know, the CPU power of the computer. You're on a moment
01:22
That's the traditional method of doing things blah, cashing like I said, Snively faster. Um, good news is elementary allows you to create a traditional linear hash for compatibility with other organizations. So if you like to collect that linear hash, which we d'oh, I'm straightly.
01:38
Absolutely. We do it at Atlanta native friends this we we definitely collect our block map hash. And then we, of course, go ahead and and make a linear hash of the of the forensic image so that we have both maximum compatibility when we're sending data around between ourselves. Different organizations may be law enforcement
01:57
things like this.
01:59
Everybody can can review that data and know that it's the same cause. I can't count on the fact that somebody at the other end is actually using. Every Metreon can calculate my block cash.
02:09
All right, we have about a minute 20 remaining, and I have no content for that period of time.
02:19
Something to drink. My coffee.
02:21
All right, in our forensic acquisition here is just winding down. We're in the last few remaining seconds.
02:28
Um, and then because we selected that option to automatically hash Thea
02:34
the image afterwards, it's gonna go ahead and do a verification hash for us and Projects is just finishing up.
02:42
Verification, hash and boom. We get our acquisition hash. We get our map hash here, which is a shot 5 12 So a hash of all the hashes saw 5 12 being very large and unwieldy.
02:55
One of the recent features that they've added to ever met tree, which is kind of interesting is this Q R code. The Q R code, if you scan it with a cure scanner, will dump all the information you see here on the screen, which is cool for, like, rapid logging of that information that you're done. Things like that.
03:15
Um, So there's all our basic information how much we acquired, how long it took average rate of acquisitions Weaver acquisition rate here about 23 May, but very fast hashing tthe e end and, of course, where the file went to and what it's calling all that sort of stuff. So all the basic things that we would expect to have there
03:36
all right, listen before we could do some other things with that forensic image at this point so I could
03:43
calculate a linear hash of this. So if I wanted to
03:46
select my drive here, it's like my forensic guy
03:51
image. Um, I can go ahead and select that I could open up if you know some selecting this from my D drive here, which was, of course, are blessed. Drive over here in our repositories drive. You'll lose it now has a dot ever met tree? That's that That blessing. So it actually, uh,
04:06
places a little signature file there in that folder so that it knows it can write to it, But we'll take my drive here. I can go ahead and say, You know what type of algorithms would like to have it hashed with? We'll just use the to default
04:21
and very quickly it will go ahead and calculate up for me both an MD five hash and a Shaw one hash. So I have those linear hatches, like I said, not not necessary because I need them. I always use my block map ash, but
04:38
maintaining maximum compatibility with other organizations. I now have both of those ashes.
04:42
And quite honestly, these were much smaller, right? That's that's much easier to put into my Evans documentation. Maybe then a great big cash again, the Q R codes. They're kind of cool. New feature. If you're not using barcode scanners as part of your evidence collection process, you definitely need Thio. It just saves lives.
05:00
All right, Other options I have here, I could convert this image, so I haven't f f four image. Suppose I wanted to
05:10
send this out to somebody, but I'm not really sure if they have the capability to use, um, an f F four image so I can send them a a
05:24
different format of this image. So me
05:30
oops.
05:35
Second
05:39
image here,
05:41
and then I can actually select the output I want to. So I could write this out to a raw D D file. Or more commonly, I would I would say this is an easier one file. Um,
05:54
and it would go ahead and ah,
05:57
go ahead, apply that. I can choose to say that is easier, and in case six or seven type image, I can choose to split it up. If I have a large image into multiple. Ah, snaps, um, all that sort of stuff
06:12
and just hit it and it will go ahead and begin the process of writing out to my evidence. Dr A.
06:17
A expert witness format copy of that very same image we made three amount of time it takes is goingto very based on the imagery of very small image here of eight gigabytes. So it's not gonna take all that long,
06:31
But now I have a a converted, easier one formatted version of my same image there,
06:39
which is great. And of course, I can go ahead and verify that and so on. So it didn't take very long at all. 24 seconds to go ahead and convert my f F four over to that.
06:49
Um, Now, if you're wondering like, Well, how do I use an Alfa for image? I'm not sure if my tools supported a F F for image. We're gonna get into that the next course we start talking about, uh, well in subsequent courses and we start talking about using the, uh,
07:05
the bridge apple it that's provided along with the ever met tree, so that I could basically present my F f four images
07:12
toe all my tools as just a simple D D image which really speeds things up on, allows you to use a variety of tools that might not necessarily
07:21
B f f four aware at this point.
07:25
All right, so, um, one last piece we want to talk about here is
07:31
the actual
07:33
F four file. Now, if you watch my previous, uh,
07:39
course on the if it for file format, you know that an Alfa four file is basically a zip 64 container so I can open this up
07:50
with
07:51
some cool tools like winrow are here,
07:55
um, and see the contents of my container. I get my volume. I d. Here. Um,
08:03
and I can also get
08:05
information about the tool there. But most importantly, what's in here have container description information, which is again that volume idea information. They're the good. Um,
08:16
this information turtle file is a nice XML formatted file here which contains all the information about my collection start, stop time, all that sort of stuff. All the deep, dark details of if it four container, my block caches
08:33
the size of of the drive, all that sort of stuff.
08:37
But I also have information about my media in here. So everything basically that I put in was was collected and stored in here. So there's the information I put in the SanDisk cruiser eight gig, case, name, tag, name, all that sort of stuff in there. The F F four target that was being used,
08:56
um, we get down into
08:58
version of the tool being used. What system? I was collecting from Windows 10 system, the controller version, all that sort of good stuff. Dates and times are collected there,
09:11
type of linear acquisition that we did, which is a full linear in this case, all that information. And then, of course, information on the, uh, the item that was acquired. So we've got you know, the sand is cruiser. We've got the serial number for it here.
09:26
Ah, all that other information is stored right here in this very handy, very easily use file. So it's It's a great source of background data for what you're doing all the time. As you're using every metric.
09:43
All right, well, just close that out. I said it's all contained in the container file. So beautiful. Easy to use
Up Next