What tool would an investigator use to verify the integrity of a forensic image?

Prepare for the EC-Council CHFI Exam with comprehensive quizzes and detailed explanations. Get exam-ready with multiple choice questions and essential insights. Boost your confidence and ace the test!

An investigator verifies the integrity of a forensic image with a hash function tool, which helps confirm that the data has not been altered or tampered with after the image was created. SHA-1 (Secure Hash Algorithm 1) is given as the correct answer, but both SHA-1 and MD5 serve similar purposes in generating checksums for data integrity verification.

The underlying principle is that after a forensic image is created, the investigator computes a hash value for the image file. This hash value is unique to the contents of the file. By repeating the operation at a later date, or after any handling of the image, the investigator can compare the newly generated hash value with the original one. If the values match, the image is confirmed to be unchanged.

SHA-1 is often favored because it produces a longer hash value than MD5, which can help reduce the likelihood of collisions (situations where two different files produce the same hash). However, in many forensic practices, MD5 is also commonly used due to its speed and availability.
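The acquire-then-recheck procedure described above, as an added example that is not part of the original page: it computes MD5 and SHA-1 in one streamed pass over the image and compares them with the values recorded at acquisition. The function names and the small temporary file standing in for a disk image are assumptions made for illustration.

```python
import hashlib
import hmac
import os
import tempfile

CHUNK = 1024 * 1024  # read 1 MiB at a time so multi-gigabyte images never sit in memory


def hash_image(path, algorithms=("md5", "sha1")):
    """Return {algorithm: hex digest} for the file, computed in a single pass."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as image:
        for chunk in iter(lambda: image.read(CHUNK), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def verify_image(path, recorded):
    """Re-hash the image; return (ok, {algorithm: (recorded, current, match)})."""
    current = hash_image(path, tuple(recorded))
    details = {}
    for name, expected in recorded.items():
        expected = expected.strip().lower()  # tolerate case/whitespace in case notes
        match = hmac.compare_digest(expected, current[name])
        details[name] = (expected, current[name], match)
    return all(m for _, _, m in details.values()), details


def demo():
    """Constructed sample: a small temp file stands in for a disk image."""
    with tempfile.NamedTemporaryFile(delete=False, suffix=".dd") as f:
        f.write(b"constructed sample evidence\n" * 1000)
        path = f.name
    try:
        recorded = hash_image(path)            # taken right after acquisition
        before, _ = verify_image(path, recorded)
        with open(path, "r+b") as f:           # simulate a single altered byte
            f.seek(100)
            f.write(b"X")
        after, details = verify_image(path, recorded)
        return before, after, details
    finally:
        os.remove(path)


if __name__ == "__main__":
    print(demo())
```

A single changed byte makes both digests differ from the recorded values, so the second verification fails while the first succeeds.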

While options such as md5sum, hashdeep, and certutil are also valid tools for generating hash values, the specific
