Monday, July 26, 2010

Hashing in forensic recovery

With any forensic investigation, the term hashing will appear somewhere. But what is hashing, and how important is it?

A hash is a fixed-length fingerprint (a message digest) computed from the entire contents of a file; it is not a digital signature, although signatures are built on top of hashes. The most common standard is MD5, which produces a 16 byte (128 bit) value, normally displayed as a string of 32 hex characters. Two properties make it useful for forensic work. First, changing any single bit, anywhere in the file, produces a completely different hash value, so two files that differ can be expected to have different hashes (the value is not strictly unique, since 16 bytes cannot distinguish every possible file, but an accidental clash is vanishingly unlikely). Second, there is no practical way of working out the original data from the hash value.

When a file is recovered, or a drive is imaged, the whole file is read and a hash value is produced. If the same file later has its hash value recalculated and the value is unchanged, the file is identical to the one that was hashed. Tampering with the file without changing the hash value is computationally infeasible for a sound hash function. Forensically, then, hashing is part of the chain of custody: once a file has been read and hashed, it can be copied and distributed as evidence, and as long as the hash remains the same, the file is the same. For this reason, the CnW Recovery software always includes a file hash value in the log for forensic applications.
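As an added example (not code from the original post or from the CnW Recovery software), the following Python models the process described above: hash the recovered data with MD5 and SHA-256, write a log record, and later re-verify a copy against it. The log line format and the sample file contents are assumptions made for the illustration; the avalanche check flips a single bit of the file and counts how many of the 128 MD5 bits change as a result.

```python
import hashlib
import hmac

# Constructed sample: stands in for the contents of a recovered file. Not real evidence.
RECOVERED_FILE = (
    b"Invoice 2010-07-26\r\nSupplier: Example Ltd\r\nAmount: 1,250.00\r\n"
    b"Approved by: J. Smith\r\n"
)

ALGORITHMS = ("md5", "sha256")


def digests(data, algorithms=ALGORITHMS):
    """Return {algorithm: hex digest} for an in-memory byte string."""
    return {name: hashlib.new(name, data).hexdigest() for name in algorithms}


def digests_of_file(path, algorithms=ALGORITHMS, chunk_size=1 << 20):
    """Hash a file on disk in chunks so a multi-gigabyte image never has to fit in memory.

    All requested digests are computed in a single pass over the data.
    """
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def log_record(name, data):
    """One forensic log line (assumed format) naming the file, its size and its digests."""
    d = digests(data)
    return f"{name}\tsize={len(data)}\tmd5={d['md5']}\tsha256={d['sha256']}"


def parse_log_record(line):
    """Inverse of log_record: recover the file name and recorded digests from a log line."""
    fields = line.split("\t")
    recorded = {}
    for field in fields[2:]:
        algorithm, _, value = field.partition("=")
        recorded[algorithm] = value
    return fields[0], recorded


def verify(data, recorded):
    """Recompute the digests of `data` and compare them with the recorded ones.

    Returns (ok, list_of_mismatched_algorithms). hmac.compare_digest is used so
    the comparison does not reveal, through timing, where the strings first differ.
    """
    current = digests(data, tuple(recorded))
    mismatched = [
        name for name in recorded
        if not hmac.compare_digest(current[name], recorded[name])
    ]
    return (not mismatched, mismatched)


def flip_bit(data, bit_index):
    """Return a copy of `data` with a single bit inverted (simulated tampering)."""
    buf = bytearray(data)
    buf[bit_index // 8] ^= 1 << (bit_index % 8)
    return bytes(buf)


def differing_bits(hex_a, hex_b):
    """Number of bit positions in which two equal-length hex digests differ."""
    return bin(int(hex_a, 16) ^ int(hex_b, 16)).count("1")


if __name__ == "__main__":
    line = log_record("invoice.txt", RECOVERED_FILE)
    print(line)
    _, recorded = parse_log_record(line)
    print("untouched copy verifies:", verify(RECOVERED_FILE, recorded))
    # Flip one bit inside the amount field and re-verify the tampered copy.
    tampered = flip_bit(RECOVERED_FILE, 8 * RECOVERED_FILE.index(b"1,250") + 4)
    print("tampered copy verifies:", verify(tampered, recorded))
    print("MD5 bits changed by a one-bit edit:",
          differing_bits(digests(RECOVERED_FILE)["md5"], digests(tampered)["md5"]), "of 128")
```

Computing MD5 and SHA-256 in the same pass costs nothing extra in disk reads, which matters when the input is a multi-gigabyte image rather than a single file.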

There are possible dangers with hashing. It is tempting to assume that because a file's hash matches, the file is genuine, but a hash only proves that the file has not changed since the hash was calculated. It must always be considered that a file could have been tampered with before the original recovery or investigation was made.

The second concern is that MD5 has been broken in cryptographic terms: since 2004, researchers have been able to construct two different files that share the same MD5 value (a collision). The attacker does not take an existing file and modify it while keeping its hash; the two colliding files have to be crafted together, in advance, by working out which few bytes must differ, and at which offsets, so that the internal state of the hash converges. Producing such a pair once took a lot of skill and computing power but can now be done in seconds on an ordinary PC, so an MD5 match alone cannot rule out that a suspect prepared two files, one innocent and one not, with the same hash. Taking an arbitrary existing file and finding a different file with the same MD5 (a second preimage) remains infeasible. The solution to this concern is to use a stronger hash such as SHA-256; SHA-1 was the natural step up at the time, but practical collisions have since been demonstrated for it as well.
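To make the nature of the collision concrete, here is an added Python example (not part of the original post or of the CnW Recovery software) using the published Wang, Feng, Lai and Yu 2004 MD5 collision pair. It shows that the two 128 byte files differ in only six bytes, hash to the same MD5, hash to different SHA-256 values, and that appending the same tail to both preserves the MD5 collision, which is exactly why a pre-prepared pair is the forensic worry. The appended tail is constructed for the illustration.

```python
import hashlib


def _from_hex(text):
    """Decode a hex string that may contain whitespace and line breaks."""
    return bytes.fromhex("".join(text.split()))


# The published Wang, Feng, Lai and Yu (2004) MD5 collision pair: two 128-byte
# messages that differ in six bytes yet share one MD5 value. These are real,
# published test vectors, not constructed here.
COLLIDING_A = _from_hex("""
d131dd02c5e6eec4693d9a0698aff95c2fcab58712467eab4004583eb8fb7f89
55ad340609f4b30283e488832571415a085125e8f7cdc99fd91dbdf280373c5b
d8823e3156348f5bae6dacd436c919c6dd53e2b487da03fd02396306d248cda0
e99f33420f577ee8ce54b67080a80d1ec69821bcb6a8839396f9652b6ff72a70
""")
COLLIDING_B = _from_hex("""
d131dd02c5e6eec4693d9a0698aff95c2fcab50712467eab4004583eb8fb7f89
55ad340609f4b30283e4888325f1415a085125e8f7cdc99fd91dbd7280373c5b
d8823e3156348f5bae6dacd436c919c6dd53e23487da03fd02396306d248cda0
e99f33420f577ee8ce54b67080280d1ec69821bcb6a8839396f965ab6ff72a70
""")

# The MD5 value both messages hash to, as published with the pair.
PUBLISHED_MD5 = "79054025255fb1a26e4bc422aef54eb4"


def md5_hex(data):
    return hashlib.md5(data).hexdigest()


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def differing_offsets(a, b):
    """Byte offsets at which two equal-length byte strings differ."""
    return [i for i, (x, y) in enumerate(zip(a, b)) if x != y]


def md5_collides(a, b):
    """True if a and b are different data with the same MD5 value."""
    return a != b and md5_hex(a) == md5_hex(b)


def collision_survives_suffix(a, b, suffix):
    """MD5 processes data in 64-byte blocks (Merkle-Damgard construction), so once
    two whole-block prefixes have led to the same internal state, appending the
    same bytes to both keeps the collision. This is what makes a prepared pair
    dangerous: the innocent and the incriminating file can share an identical tail.
    """
    return md5_collides(a + suffix, b + suffix)


def report(a, b):
    """Summarise how two files compare under MD5 and SHA-256."""
    return {
        "byte_offsets_that_differ": differing_offsets(a, b),
        "md5_equal": md5_hex(a) == md5_hex(b),
        "sha256_equal": sha256_hex(a) == sha256_hex(b),
    }


if __name__ == "__main__":
    print(report(COLLIDING_A, COLLIDING_B))
    # Constructed suffix: the same bytes appended to both files.
    tail = b"\r\nSame document body appended to both files.\r\n" * 40
    print("collision survives identical suffix:",
          collision_survives_suffix(COLLIDING_A, COLLIDING_B, tail))
```

Logging a second, independent digest alongside MD5 defeats this particular attack: the two files above collide under MD5 but not under SHA-256, so a log carrying both values would show the substitution.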

My personal view though is that for 99.999999% of applications, MD5 is adequate, and will always detect accidental and transmission errors. With increasing computer power, it is true that the length of the hash will have to increase, and each extra byte will improve the strength by 256 times. However, in March 2011, SHA-256 was added to the forensic log.
