An efficient scheme for hard disk integrity check in digital forensics by hashing with combinatorial group testing

In this paper, we describe the problem of checking the integrity of a hard disk for forensics investigation after the computer of a suspect has been seized. Existing solutions do not provide a satisfactory solution to solve the problem. They either require a huge amount of storage to store the hash values of the sectors or may not be able to cope with the situation in an effective way in case some sectors have been changed (e.g. become bad sectors or deleted due to being part of the Legal Professional Privilege items). We propose an efficient hashing scheme with combinatorial group testing to calculate hash values for all sectors in a hard disk as the integrity proof and precisely locate the sectors which have been changed. Experimental results show that the scheme can significantly decrease the storage overhead (0.5MB needed for a 250GB hard disk) while require similar computational time compared to the existing approach. The computational time can be further decreased using our improved 2-stage approach.