Digital Investigation Using Hash- Based Carving

File carving is a popular method used for digital investigations for detecting the presence of specific target files on digital media. Hash based sector hashing helps to identify the presence of a target file. The hashes of physical sectors of the media is compared to the database of hashes created by hashing every block of the target files. To enable this, instead of evaluating the hashes of entire files, the hashes of individual data blocks is used for evaluation. Hash-based carving helps to identify fragmented files, files that are incomplete or that have been partially modified. To address the problem of High false identification rate and non-probative blocks, a HASH-SETS algorithm that can help in identification of files and the HASHRUNS algorithm that helps in reassembling the files is used. This technique is demonstrated using the forensic tool: bulk_extractor along with a hash database: the has hdb and an algorithm implementation written in Python.