Hashing has always been, and will remain, one of the cornerstones of computer forensics. Forensic investigators routinely compute a hash of a disk image, or of individual files, most commonly with MD5. The purpose is to show that the integrity of the evidence remained intact from the crime scene until it is presented in a court of law to prove a fact.
A conventional hash is all-or-nothing: the hash values match only when two inputs are byte-for-byte identical, and any modification, however minor, produces a completely different hash. That does not mean the two files have nothing in common, and this is where fuzzy hashing comes in. Fuzzy hashing is used when we are looking for files or disk images that are similar but not exactly the same. For this we can use a tool called “ssdeep”, a program for computing context triggered piecewise hashes (CTPH), also known as fuzzy hashes, which reports the similarity between two inputs as a percentage. Let’s dig into it:
1. For this demonstration, I have made minor modifications to a picture named “chfi.jpeg” using a hex editor.
Original Hex of “chfi.jpeg”
Modified Hex of “chfi.jpeg”
4. Now, let’s use “ssdeep” to find the similarity between the files. First you need to install it on your system, using the following command:
6. Finally, let’s compare the two images using the “-m” parameter of the “ssdeep” command, which matches the files given on the command line against the hashes previously saved to a file:
7. You can repeat this with an image of a disk or thumb drive created with the “dd” command.
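To make the mechanism behind ssdeep's context triggered piecewise hashes concrete, here is an added Python model of CTPH; it is not ssdeep's code and not part of the original post. A spamsum-style rolling hash picks the piece boundaries, each piece is reduced to one signature character, and two signatures are scored by edit distance; the byte flips in demo() stand in for the hex-editor edits made to chfi.jpeg. The sample data, the block size of 64 and the scoring formula are constructed simplifications, so the percentages will not equal ssdeep's own output.

```python
import hashlib
WINDOW = 7      # rolling-hash window, as in spamsum/ssdeep
B64 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"

def rolling_hashes(data):
    # spamsum-style rolling hash: each value depends only on the last WINDOW bytes
    h1 = h2 = h3 = 0
    for i, b in enumerate(data):
        h2 = (h2 - h1 + WINDOW * b) & 0xFFFFFFFF
        h1 = (h1 + b - (data[i - WINDOW] if i >= WINDOW else 0)) & 0xFFFFFFFF
        h3 = ((h3 << 5) ^ b) & 0xFFFFFFFF
        yield (h1 + h2 + h3) & 0xFFFFFFFF

def ctph(data, blocksize=64):
    # a piece ends wherever the rolling hash hits the trigger value, so a local edit
    # disturbs only the piece(s) around it; each piece is reduced to one character
    sig, start = [], 0
    for i, h in enumerate(rolling_hashes(data)):
        if h % blocksize == blocksize - 1:       # context trigger: close the piece
            sig.append(B64[hashlib.md5(data[start:i + 1]).digest()[0] & 63])
            start = i + 1
    if start < len(data):                        # trailing partial piece
        sig.append(B64[hashlib.md5(data[start:]).digest()[0] & 63])
    return f"{blocksize}:{''.join(sig)}"

def levenshtein(a, b):
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def similarity(sig_a, sig_b):
    # edit distance between signature bodies, scaled to 0-100 (simplified scoring)
    (bs_a, body_a), (bs_b, body_b) = sig_a.split(":", 1), sig_b.split(":", 1)
    if bs_a != bs_b:                             # only equal block sizes are comparable
        return 0
    longest = max(len(body_a), len(body_b)) or 1
    return round(100 * (1 - levenshtein(body_a, body_b) / longest))

def demo():
    # constructed stand-in for chfi.jpeg: flip three bytes as a hex editor would,
    # then compare MD5 (breaks on any change) with the fuzzy hash (still matches)
    original = b"".join(hashlib.sha256(i.to_bytes(2, "big")).digest() for i in range(128))
    edited = bytes(b ^ 0xFF if i in (100, 2000, 3900) else b for i, b in enumerate(original))
    unrelated = b"".join(hashlib.sha256(b"x" + i.to_bytes(2, "big")).digest() for i in range(128))
    return {"md5_matches": hashlib.md5(original).digest() == hashlib.md5(edited).digest(),
            "fuzzy_vs_edited": similarity(ctph(original), ctph(edited)),
            "fuzzy_vs_unrelated": similarity(ctph(original), ctph(unrelated))}
```

Running demo() shows the MD5 digests no longer match after three flipped bytes while the fuzzy score stays high, and an unrelated blob of the same size scores low.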