In an effort to provide proof that the evidence was not tampered with, a hash of the evidence should be provided before and during, or after, an acquisition.

In Kali Linux, we can use the md5sum command followed by the path of the device, to create an MD5 hash of the evidence/input file. For example, md5sum /dev/sdx.

You may also try the command with superuser privileges by typing sudo md5sum /dev/sdx.

For this example, the 2 GB flash drive that I'll be using (named test_usb) is recognized as sdb, and so the command I will be using, is shown in the following screenshot:

In the previous example, the output of the md5sum of the 2 GB flash drive is displayed as 9f038....1c7d3  /dev/sdb. When performing the acquisition or forensic imaging of the drive using DC3DD, we should also have that exact result when hashing the created image file output to ensure that both the original evidence and the copy are exactly the same, thereby maintaining the integrity of the evidence.

I've also created an SHA-1 hash (which will be used for comparative purposes) using the following syntax: