Compute Hash

WinHex & X-Ways

 

Part of volume snapshot refinement.

 

Hash values can be computed for files in the volume snapshot. They are not recomputed if you apply this operation again to the same files. In addition to the hash computation itself, a forensic license allows you to match the hash values against individually selected (or simply all) hash sets in an internal hash database. The filter can then later be used to hide known irrelevant files. Files recognized as irrelevant with the help of the hash database can optionally be excluded from further volume snapshot refinement operations, which among other benefits saves time. The hash values will not be updated in the volume snapshot once computed. However, the matching process (looking up the hash values of files in the volume snapshot) can be repeated for the same files at any time. This will remove previous hash set matches from these files. The hash category field will only be updated, not emptied.

 

It is possible to compute hash values of two different hash types at the same time when refining the volume snapshot, for general purposes or to match them against two hash databases with different hash types. If matching is selected, all hash values will be matched against either of the two hash databases whose hash type fits. That means even if the primary hash type in the volume snapshot is MD5 and the secondary is SHA-1, and hash database #1 is based on SHA-1 and #2 is based on MD5, X-Ways Forensics will match the hash values accordingly. The hash types in the volume snapshot and in the hash databases do not have to be in the same order.

 

A forensic license allows you to verify hash values that were computed at an earlier point in time, or imported from an evidence file container. The result will be output to the Messages window. Any file whose current hash value does not match the originally recorded one will be associated with a special report table for convenient review. Running the hashing volume snapshot refinement step a second time never updates the hash values that were already computed for files in the volume snapshot.

 

Child objects of files inherit the hash category "irrelevant" from their parents. That is possible because if an entire file is irrelevant, everything that can be extracted from that file must also be irrelevant. However, what is extracted from a "notable" file is not necessarily also notable, because perhaps only some parts or aspects of the parent file are notable. Of course, child objects of irrelevant parents will only be output if the user chooses to not omit irrelevant files from further processing in the first place.
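
The order-independent matching of two hash types and the inheritance rule for child objects described above, as an added Python example that is not X-Ways code. The function names, the dictionary layout of the databases and snapshot items, the sample files, and the first-match-wins handling of a file found in both databases are assumptions made for illustration.

```python
import hashlib

def make_db(hash_type, entries):
    """Build a hash database of one hash type from {content: category}."""
    return {"type": hash_type, "sets": {
        hashlib.new(hash_type, data).hexdigest(): cat for data, cat in entries.items()}}

def compute_hashes(data, types=("md5", "sha1"), chunk=65536):
    """Compute the primary and secondary hash in a single pass over the data."""
    hashers = {t: hashlib.new(t) for t in types}
    for i in range(0, len(data), chunk):
        for h in hashers.values():
            h.update(data[i:i + chunk])
    return {t: h.hexdigest() for t, h in hashers.items()}

def match(hashes, databases):
    """Look up each hash in whichever database has the fitting hash type."""
    for db in databases:
        digest = hashes.get(db["type"])
        if digest in db["sets"]:
            # Assumption: first match wins; the page does not describe conflicts.
            return db["sets"][digest]
    return None

def categorize(item, databases, parent_category=None):
    """Return {name: category} for an item and all of its child objects."""
    own = match(compute_hashes(item["data"]), databases)
    # Only "irrelevant" is inherited; children of a "notable" parent stand alone.
    category = "irrelevant" if parent_category == "irrelevant" else own
    result = {item["name"]: category}
    for child in item.get("children", []):
        result.update(categorize(child, databases, category))
    return result

# Constructed sample: database #1 is SHA-1 based, #2 is MD5 based.
DATABASES = [make_db("sha1", {b"known OS archive": "irrelevant"}),
             make_db("md5", {b"flagged document": "notable"})]
SNAPSHOT = [
    {"name": "os.zip", "data": b"known OS archive",
     "children": [{"name": "os.zip/readme.txt", "data": b"readme"}]},
    {"name": "report.doc", "data": b"flagged document",
     "children": [{"name": "report.doc/image1.png", "data": b"picture"}]},
]

def categorize_all(snapshot=SNAPSHOT, databases=DATABASES):
    """Categorize every top-level file in the snapshot with its children."""
    return {k: v for item in snapshot for k, v in categorize(item, databases).items()}

if __name__ == "__main__":
    for name, category in categorize_all().items():
        print(f"{name}: {category}")
```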