A message digest is a fixed length output produced by applying a cryptographic algorithm on input binary data of arbitrary length. If the input data changes even by one bit, the generated message digest will be completely different from the original. This is used in digital investigations to verify that stored digital evidence has not been tampered with. This technique has been applied successfully on physical disk images because there is only one continuous stream of data. However, this is not applicable to logical disk images where there is no obvious or standard method of concatenating the data to produce an output message digest. This paper describes the difficulties that complicate the computation of a message digest for logical data. In addition, a candidate process for calculating a verification value for computer forensic evidence for logical data, regardless of its underlying representation is given. This method is presented in the context of cellphone forensics. KEY WORDS Co...
Pontjho Mokhonoana, Martin S. Olivier