A hash is a string of data – series of letters and numbers in a row – that is unique to a set of a data given a specific hash function. While hashing may be used for may different purposes, in computer forensic work, a seized computer or harddisk or flash drive is usually hashed soon after seizure. The resulting hash (also called a digest) is used to preserve the data, so that if the harddisk or flash drive is later modified or tampered with after it’s been hash, that tampering or those modifications can be discovered.
At the moment of a police raid, a computer, cell phone, or other digital equipment may be seized. If such material is left unhashed and uninspected, then such material could be tampered with while in police custody or before a computer forensic specialist has been able to inspect it, and the computer forensic specialist would not know whether whatever he finds on the computer was placed there by the suspect or by people who tampered with the equipment, harddrives, or cell phone after it was seized, but before it was hashed.
Hashing is a way of digitally fingerprinting the equipment. (Hashes can be used for many other purposes, for instance the efficient search of data in a table.)
You can think of hashing as a way of freezing a specimen. Let’s say police seize blood from a suspect they believe may have committed a DWI. And let’s say they forget to put it in the refrigerator or forget to use preservatives to preserve the blood. In that case, the blood may degrade before the chemical analyst can inspect it.
Hashing is like adding a preservative to the data – at least from the perspective that if the data is later inspected and the inspected data’s hash values differ from the initial hash, then the data has been altered in some way and the analysis is not an accurate reflection of the hashed data.
Hashing is extremely important in any internet crimes or computer crimes investigation.