November 30th, 2008 by ahoog

MD5

Message-Digest Algorithm 5 (MD5) is a cryptographic hash function used to generate a unique fingerprint for a file (and for many other purposes). In computer forensics, MD5 signatures are used to:

  • Validate that a forensic copy of a hard drive (or other storage device) is a bit-for-bit duplicate of the original. This is achieved by creating an MD5 signature of the original media and then comparing it to the MD5 signature of the forensic image. If the signatures are identical, the copy is considered an exact duplicate of the original.
  • Identify Known Good or Known Bad files by generating an MD5 signature of every file in an image (using utilities such as md5sum and md5deep) and then comparing each signature to a database of files that are known to be good or bad. This allows a forensic analyst to quickly focus their analysis on the files that require further investigation.

Over time, weaknesses in the MD5 algorithm have been discovered, and in 2007 a method was developed to quickly create two files that are not identical but produce the same MD5 signature (a collision). While this has not spelled the end of MD5 signatures' usefulness in computer forensics, MD5 will over time be superseded by other algorithms.
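The two uses above, as an added Python example that is not part of the original post: a streaming hasher that computes MD5 and SHA-256 in one pass (hashing with a second algorithm alongside MD5 is the usual answer to the collision weakness just described), an image-verification check, and a known-good / known-bad lookup. The drive contents, file names and hash sets in `demo()` are constructed for the demonstration, not real reference data.

```python
import hashlib
import os
import tempfile
from pathlib import Path

CHUNK = 1 << 20  # stream 1 MiB at a time; a disk image is far larger than RAM

def hash_file(path, algorithms=("md5", "sha256")):
    """Return {algorithm: hexdigest} for one file, computing all digests in one pass."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}

def verify_image(original, image):
    """Bit-for-bit check: every digest of the image must equal the original's."""
    return hash_file(original) == hash_file(image)

def classify_files(root, known_good, known_bad):
    """Label every file under root by looking its MD5 up in the two hash sets."""
    labels = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            md5 = hash_file(os.path.join(dirpath, name), ("md5",))["md5"]
            labels[name] = ("known-bad" if md5 in known_bad else
                            "known-good" if md5 in known_good else "unknown")
    return labels

def demo():
    """Constructed sample: a fake drive, a faithful image, a corrupt image, a hash set."""
    with tempfile.TemporaryDirectory() as tmp:
        data = bytes(range(256)) * 4096                    # 1 MiB of constructed content
        drive, good, bad = (Path(tmp, n) for n in ("drive", "good.dd", "bad.dd"))
        for p, content in ((drive, data), (good, data), (bad, data[:-1] + b"\x00")):
            p.write_bytes(content)                         # 'bad' has one wrong byte at the end
        files = Path(tmp, "files")
        files.mkdir()
        samples = {"notepad.exe": b"constructed known-good content",
                   "dropper.exe": b"constructed known-bad content",
                   "notes.txt": b"content the analyst has never seen"}
        for name, content in samples.items():
            (files / name).write_bytes(content)
        known_good = {hashlib.md5(samples["notepad.exe"]).hexdigest()}
        known_bad = {hashlib.md5(samples["dropper.exe"]).hexdigest()}
        return {"image_ok": verify_image(drive, good),
                "corrupt_ok": verify_image(drive, bad),
                "labels": classify_files(files, known_good, known_bad)}
```

Files labelled "unknown" are the ones the analyst still has to look at by hand; a single changed byte in the image is enough to fail verification.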
