In digital forensics, hash values are used to verify the integrity of disk images. When a disk image is created, cryptographic hash functions such as MD5 or SHA-256 are calculated and recorded. These hashes act as a digital fingerprint of the data at the time of acquisition.
An untampered disk image maintains the same hash value throughout the investigation, proving that the data has not been altered. A tampered disk image, however, will produce a different hash value because even the smallest modification to the data changes the resulting hash. This difference immediately indicates that the integrity of the evidence has been compromised.
Options A, C, and D are incorrect because encryption, access permissions, and compression do not define whether an image is tampered. Cybersecurity and forensic documentation consistently emphasizes hash verification as the primary method for validating forensic integrity.
Therefore, the key difference is that a tampered image has a different hash value, making Option B correct.
