The Association of Digital Forensics, Security and Law (ADFSL)


The Message Digest 5 (MD5) hash is commonly used as for integrity verification in the forensic imaging process. The ability to force MD5 hash collisions has been a reality for more than a decade, although there is a general consensus that hash collisions are of minimal impact to the practice of computer forensics. This paper describes an experiment to determine the results of imaging two disks that are identical except for one file, the two versions of which have different content but otherwise occupy the same byte positions on the disk, are the same size, and have the same hash value.


AccessData. (2006, April). MD5 Collisions: The Effect on Computer Forensics. AccessData White Paper. Retrieved from https:/ /adpdf. s3.amazonaws.com/papers/wp.MD5 Collisions.en us. pdf

Burr, W. (2006, March/ April). Cryptographic hash standards: Where do we go from here? IEEE Security & Privacy, 4(2), 88-91. Retrieved from http:/ /www.csee. wvu.edu/% 7Ekaterina/ Teaching/ CS-465-Spring- 2007 /HashStandards.pdf

Casey, E. (2011). Digital Evidence and Computer Crime, 3rd ed. Amsterdam: Elsevier.

Cohen, F. (2013). Digital Forensic Evidence Examination, 5th ed. Livermore (CA): Fred Cohen & Associates. Retrieved from http:/ /all.net/books/2013-DFEExamination. pdf

Eastlake, D., 3rd, & Jones, P. (2001, September). US Secure Hash Algorithm 1 (SHA1). Requests for Comments (RFC) 3174. Retrieved from https:/ jwww.rfceditor. org/ rfc / rfc317 4. txt

Gutman, P., Naccache, D., & Palmer, C.C. (2005, May/June). When hashes collide. IEEE Security & Privacy, 3(3), 68-71. Retrieved from https:/ /researchspace.auckland.ac.nz/bits tream/handle /2292/269/269.pdf

Lewis, D.L. (2008, December 1). The Hash Algorithm Dilemma -- Hash Value Collisions. Forensic Magazine. Retrieved from http:/ /www.forensicmag.com/article/200 8/12/hash-algorithmdilemma% E2%80%93hash-value-collisions

Maras, M. H. (2015). Computer Forensics: Cybercriminals, Laws, and Evidence, 2nd ed. Burlington, MA: Jones & Bartlett Learning.

McHugh, N. (2014, October 31). How I created two images with the same MD5 hash. Retrieved from http:/ /natmchugh.blogspot.com/2014/10 /how-i-created-two-images-with-samemd5. html

Nelson, B., Phillips, A., & Steuart, C. (2015). Guide to Computer Forensics and Investigations, 5th ed. Boston: Course Technology.

Rivest, R. (1992, April). The MD5 Message Digest Algorithm. Request for Comments (RFC) 1321. Retrieved from https:/ jwww.rfceditor. org/rfc/rfc1321.txt

Centrum Wiskunde & Informatica (CWI). (2017). Shattered. Retrieved from https://shattered.it/

Eastlake, D., 3rd, & Jones, P. (2001, September). US Secure Hash Algorithm 1 (SHA1). Requests for Comments (RFC) 3174. Retrieved from https://www.rfceditor. org/rfc/rfc3174.txt

Kessler, G.C. (2017). The Impact of MD5 File Hash Collisions on Digital Forensic Imaging. Journal of Digital Forensics, Security & Law, Vol. 11: No. 3, pp. 129- 140.

National Institute of Standards and Technology (NIST). (2015, August). Secure Hash Standard (SHS). Federal Information Processing Standards Publication FIPS PUB 180-4. Retrieved from http://csrc.nist.gov/publications/fips/fips1 80-4/fips-180-4.pdf

Stevens, M., Bursztein, E., Karpman, P., Albertini, A., & Markov, Y. (2017). The first collision for full SHA-1. Retrieved from https://shattered.it/static/shattered.pdf



To view the content in your browser, please download Adobe Reader or, alternately,
you may Download the file to your hard drive.

NOTE: The latest versions of Adobe Reader do not support viewing PDF files within Firefox on Mac OS and if you are using a modern (Intel) Mac, there is no official plugin for viewing PDF files within the browser window.