Using Evidence Integrity & Verification on the Acorn
Application Type: Proprietary Write Protection & File Hashing Utility
Primary Use: Preventing evidence modification and ensuring data integrity verification
Pre-installed in the Forensics Hub
Overview
The Acorn provides built-in solutions for ensuring evidence integrity right from the point of acquisition. By combining the SQFR USB Write Blocker with GTKHash, forensic practitioners can reliably protect original data and verify its integrity through cryptographic hashing. This use case illustrates how these tools are used together to ensure evidence remains unchanged throughout the investigation process.
Case Context
An internal investigation requires forensic analysis of a USB storage device suspected to contain critical documents. The examiner must guarantee that the source data is preserved in its original state and that any forensic image created is verified against the original for integrity.
1. Verifying Read-Only Mount Status
The examiner connects the suspect USB to The Acorn. To confirm that write protection is active, they open Device Manager and check the mount status. The USB device appears as read-only, verifying that The Acorn’s built-in software write blocker is functioning correctly.
Screenshot: Device Manager Showing USB Mounted as Read-Only
2. Creating a Forensic Image with Guymager
The examiner launches Guymager and configures acquisition settings to image the device in Expert Witness Format (E01). Both MD5 and SHA256 hashing are enabled to generate cryptographic hashes during acquisition. These values are recorded and saved as part of the image metadata.
Screenshot: Guymager Imaging in Progress with MD5 and SHA256 Enabled
3. Verifying Image Integrity with GTKHash
After imaging, the .E01 image is converted to a single raw image (nps-2008-jean.raw) for simplified validation. The examiner uses GTKHash to compute MD5 and SHA256 hashes of the raw file.
GTKHash independently calculates:
• MD5: 78a52b5bac78f4e711607707ac0e3f93
• SHA256: 4d4fc46f284630a69980340ee36d3ed486de424a9f456eedba09b10f1f520b8a
These values are stored in the report and can be re-verified at any stage to confirm evidence integrity.
Screenshot: GTKHash Showing Computed MD5 and SHA256 Hashes
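The re-verification described in this step can also be scripted. The following is an added example, not part of The Acorn's tooling or the original page: it streams an image once, computes MD5 and SHA256 together, and compares them with the values recorded in the report. The function names and the 3-byte sample file are constructed for illustration.

```python
import hashlib
import os
import tempfile

CHUNK = 1024 * 1024  # read 1 MiB at a time so multi-GB images never sit in memory


def hash_image(path, algorithms=("md5", "sha256")):
    """Stream the file once and return {algorithm: hex digest}."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:  # read-only open; the image is never written
        for block in iter(lambda: fh.read(CHUNK), b""):
            for h in hashers.values():
                h.update(block)
    return {name: h.hexdigest() for name, h in hashers.items()}


def verify_image(path, recorded):
    """Recompute every recorded digest; ok is True only if all of them match."""
    computed = hash_image(path, tuple(recorded))
    details = {}
    for name, expected in recorded.items():
        expected = expected.strip().lower()  # tolerate case/whitespace from a report
        match = expected == computed[name]
        details[name] = {"expected": expected, "computed": computed[name], "match": match}
    return all(d["match"] for d in details.values()), details


def demo():
    """Constructed sample: a 3-byte stand-in 'image' with known-answer digests."""
    recorded = {
        "md5": "900150983cd24fb0d6963f7d28e17f72",
        "sha256": "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad",
    }
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "sample.raw")
        with open(path, "wb") as fh:
            fh.write(b"abc")  # content whose digests equal the recorded values
        intact, _ = verify_image(path, recorded)
        with open(path, "wb") as fh:
            fh.write(b"abd")  # simulate a single changed byte
        altered, details = verify_image(path, recorded)
    return intact, altered, details


if __name__ == "__main__":
    print(demo())
```

For a real case, pass the path of the raw image and a dictionary holding the MD5 and SHA256 values recorded in the report to `verify_image`.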
4. Securing the Forensic Image with VeraCrypt
Once the image has been verified, the examiner creates an encrypted VeraCrypt container on an external SSD to protect the data in transit or during long-term storage. A copy of the verified nps-2008-jean.raw image is placed inside the container, ensuring that only authorised personnel with the decryption password or keyfile can access it.
The original image remains unaltered and stored on secure forensic infrastructure. Encryption helps maintain confidentiality, supports data protection policies, and preserves the chain of custody in accordance with forensic best practices.
Screenshot: VeraCrypt Volume Creation Wizard Interface
5. Documenting the Forensic Workflow
• After completing the imaging process, the examiner uses WPS Writer on The Acorn to compile a forensic report.
• The report includes:
– Details of the evidence acquisition process
– Confirmation that write-blocking was enforced
– The verified MD5 and SHA256 hash values of the acquired image
• The final report is saved and exported as a secure, court-ready PDF.
6. Preserving Evidence Integrity
• Throughout the process, The Acorn’s write-blocker and Disk Manager ensure that no modifications are made to the original device.
• The verified forensic image is securely stored, and the suspect device is safely disconnected.
• This completes a fully validated, tamper-proof imaging and documentation workflow in line with forensic best practices.
Why The Acorn Wins Here
| Feature | Benefit |
|---|---|
| Integrated Write Blocker | Prevents evidence tampering without external hardware |
| Device Manager | Quickly confirm read-only status of connected media |
| GTKHash | Generate MD5, SHA1, and SHA256 to verify data integrity |
| Lightweight OS | Faster operations with minimal background processes |