Block-wise Hashing and Matching

WinHex & X-Ways


Part of volume snapshot refinement. Available with a forensic license.

Block-wise hashing can identify complete or incomplete remnants of known notable files that are still present in free drive space, even if they were fragmented and the location of the fragments is unknown, and thereby show with some or very high certainty that these files once existed on the medium. The hash values are computed while the evidence object is read sector by sector, which happens at the same time as a file header signature search (if selected) and with the same sector scope, so that no duplicated I/O is necessary. Matches are returned as a special kind of search hit, so you need to invoke the search hit list to see them. Multiple matches for contiguous blocks are more meaningful than isolated individual matches, as they are even less likely to be the result of coincidence, and they are usually combined into a single hit. The size of each such hit is shown when listing search hits; the larger the size, the higher the evidentiary value of the match. Please note that X-Ways Forensics does not itself verify that contiguous matching blocks are in the same order as in the original file(s). That can be verified manually, and for data as unique as compressed data it is most likely the case.

Most suitable for selected notable files larger than a few sectors, ideally compressed files, or at least files that are not only sparsely populated with non-zero data and do not otherwise contain trivial combinations of byte values that occur frequently. Good examples are zip-style Office documents, pictures and video files. Very trivial blocks within a file that consist mostly of just one byte value are ignored and not hashed (the same applies already when creating the hash set). For quicker matching, ideally work with a small hash database and do not select a hash type stronger than MD5. The length of a block hash match is shown in the Size column, so that you can sort matches by length and review the more important (larger) matches first.

Hash sets of block hashes can be created or imported in the same way as ordinary hash sets, i.e. for selected files via the directory browser context menu, but they are handled by a separate hash database for block hashes (as opposed to file hashes). That separate database is internally stored in a subdirectory of the main hash database directory. You can create hash sets consisting of the block hashes of one file at a time, or combined hash sets of multiple selected files. The block size is currently always 512 bytes and might become user-definable in a future version.
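As an added illustration (not code from the X-Ways product or its documentation), the following Python sketch builds a block hash set from a constructed known file, skips trivial blocks, scans a constructed image sector by sector, merges contiguous matches into hits whose size reflects how many adjacent sectors matched, and performs the order check that the text leaves to the examiner. The 90% single-byte threshold for trivial blocks and the sample data are assumptions.

```python
import hashlib, random
from collections import Counter

BLOCK = 512  # X-Ways currently always uses 512-byte blocks

def is_trivial(block, threshold=0.9):
    # Blocks consisting mostly of one byte value are not hashed on either side
    # (the 90% threshold is an assumption; the tool's exact rule is not documented here).
    return Counter(block).most_common(1)[0][1] / len(block) >= threshold

def block_hash_set(data):
    """MD5 of every non-trivial full block of a known file -> its block index."""
    hashes = {}
    for i in range(len(data) // BLOCK):
        blk = data[i * BLOCK:(i + 1) * BLOCK]
        if not is_trivial(blk):
            hashes.setdefault(hashlib.md5(blk).hexdigest(), i)
    return hashes

def scan(image, hashes):
    """Hash the image sector by sector; adjacent matching sectors are merged into
    one hit (offset, size, [matched file block indices]), so size reflects contiguity."""
    hits, cur = [], None
    for s in range(len(image) // BLOCK):
        sector = image[s * BLOCK:(s + 1) * BLOCK]
        idx = None if is_trivial(sector) else hashes.get(hashlib.md5(sector).hexdigest())
        if idx is None:
            if cur: hits.append(cur)
            cur = None
        elif cur and cur[0] + cur[1] == s * BLOCK:
            cur = (cur[0], cur[1] + BLOCK, cur[2] + [idx])
        else:
            if cur: hits.append(cur)
            cur = (s * BLOCK, BLOCK, [idx])
    if cur: hits.append(cur)
    return hits

def in_original_order(hit):
    """The check the tool leaves to the examiner: are matched blocks consecutive in the source?"""
    return all(b - a == 1 for a, b in zip(hit[2], hit[2][1:]))

def build_demo():
    """Constructed sample: a pseudo-random 'notable file' (block 3 all zeros, so trivial)
    and a small 'image' holding two of its fragments among zeroed sectors."""
    rng = random.Random(7)
    rnd = lambda n: bytes(rng.getrandbits(8) for _ in range(n * BLOCK))
    known = rnd(3) + bytes(BLOCK) + rnd(4)
    fb = lambda i: known[i * BLOCK:(i + 1) * BLOCK]
    image = bytes(BLOCK) + fb(0) + fb(1) + fb(2) + bytes(2 * BLOCK) + fb(6) + fb(5) + bytes(BLOCK)
    return known, image
```

Running `scan(image, block_hash_set(known))` on the demo data yields one 1536-byte hit whose blocks are in original order and one 1024-byte hit whose two blocks are adjacent on disk but reversed relative to the source file.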