2013-10-18 Computer Forensics and Hash Values
Transcript of 2013-10-18 Computer Forensics and Hash Values
Computer Forensics: Images and Integrity
NHACDL Fall 2013 CLE, Concord, NH
18 October 2013
Frederick S. Lane
www.FrederickLane.com
www.ComputerForensicsDigest.com
Background and Expertise
• Attorney and Author of 7 Books
• Computer Forensics Expert -- 15 years
• Over 100 criminal cases
• Lecturer on Computer-Related Topics – 20+ years
• Computer user (mainframes, desktops, laptops) – 35+ years
Lecture Overview
• Not Your Mother’s Hash
• The Role of Hash Values in Computer Forensics
• The Growing Use of Hash Flags
• P2P Investigations Using Hash Values
Not Your Mother’s Hash
• Cryptographic Hash Values
• Relatively Easy to Generate
• Extremely Difficult to Determine Original Data from Hash Value
• Extremely Difficult to Change Data without Changing Hash
• Extremely Unlikely that Different Data Will Produce the Same Hash Value
Types of Hash Algorithms
• Secure Hash Algorithm (SHA-1)
  • Developed by NIST in 1995
  • 40 characters long
• Message Digest (MD5)
  • Developed by Prof. Rivest in 1990
  • 32 characters long
• PhotoDNA
  • Developed by Microsoft
  • Hash value based on histograms of multiple sections of the image
Complex Explanation
• The word DOG can be represented in different ways:
  • Binary: 010001000110111101100111
  • Hexadecimal: 646f67
• A hash algorithm converts the data to a fixed-length value, written here as a hexadecimal string:
  • SHA-1: e49512524f47b4138d850c9d9d85972927281da0
  • MD5: 06d80eb0c50b49a509b49f2424e8c805
Complex Explanation
• Changing a single letter changes each value.
• For instance, the word COG produces the following values:
  • Binary: 010000110110111101100111
  • Hexadecimal: 436f67
  • SHA-1: d3da816674b638d05caa672f60f381ff504e578c
  • MD5: 01e33197684afd628ccf82a5ae4fd6ad
Simple Explanation
Oatmeal-Raisin Cookies
Oatmeal-Chocolate Chip Cookies
Evidence Integrity
• Acquisition Hashes
• Creation of Mirror Images
• Verification of Accuracy of Mirror Images
• Use of “Known File Filter”
  • Hashkeeper
  • National Software Reference Library
  • NCMEC CVIP Database
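The two ideas on the preceding slides (the DOG/COG hash comparison and acquisition-hash verification plus known-file filtering) worked through in code. This is an added example, not from the presentation; the "drive" and "mirror image" are the slide's own sample bytes, and the known-file hash set is constructed here rather than taken from NSRL or Hashkeeper.

```python
import hashlib

# Constructed sample data: the slide's example words, as the bytes that the
# hexadecimal values 646f67 ("dog") and 436f67 ("Cog") decode to.
DOG = bytes.fromhex("646f67")
COG = bytes.fromhex("436f67")


def digests(data: bytes) -> dict:
    """Return the SHA-1 (40 hex chars) and MD5 (32 hex chars) of data."""
    return {
        "sha1": hashlib.sha1(data).hexdigest(),
        "md5": hashlib.md5(data).hexdigest(),
    }


def acquisition_hash(drive: bytes) -> str:
    """Hash recorded at imaging time; this is the 'acquisition hash'."""
    return hashlib.sha1(drive).hexdigest()


def verify_image(acq_hash: str, image: bytes) -> bool:
    """Re-hash the mirror image and compare it with the acquisition hash.

    A change to even one byte of the image makes verification fail, which is
    what lets an examiner show the copy matches the original."""
    return hashlib.sha1(image).hexdigest() == acq_hash


def known_file_filter(files: dict, known_hashes: set) -> list:
    """Return the names of files whose SHA-1 appears in a known-file hash set.

    known_hashes stands in for a reference set such as NSRL or Hashkeeper;
    in this example it is constructed from the sample data above."""
    return sorted(name for name, blob in files.items()
                  if hashlib.sha1(blob).hexdigest() in known_hashes)


if __name__ == "__main__":
    # Single-letter change, entirely different digests (the DOG/COG slide).
    print("dog:", digests(DOG))
    print("Cog:", digests(COG))
    # Acquisition hash of the "drive", then verification of two "images".
    acq = acquisition_hash(DOG)
    print("faithful image verifies:", verify_image(acq, DOG))
    print("altered image verifies:", verify_image(acq, COG))
    # Known-file filter: flag only the file whose hash is in the set.
    print(known_file_filter({"a.bin": DOG, "b.bin": COG}, {acq}))
```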
Growing Use of Hash Flags
• Child Protection and Sexual Predator Act of 1998
• 2008: ISPs Agree to Block Access to Known Sources of CP and to Scan for NCMEC Hash Values
• SAFE Act: Requires ISPs and OSPs to Turn Over Subscriber Info If Known CP Is Identified
P2P Hash Values
• Basic Operation of Peer-to-Peer Networks
• Decentralized Distribution
• Gnutella and eDonkey
• Client Software
• Hash Values Associated with Each File
Automated P2P Searches
• Peer Spectre or Nordic Mule Scans for IP Addresses of Devices Offering to Share Known CP Files
• IP Addresses Are Stored by TLO in Child Protection System
• Officers Conduct “Undercover” Investigations by Reviewing Spreadsheets of Hits in CPS
Growing Defense Concerns
• No Independent Examination of Proprietary Software
• Very Little Information Regarding TLO or CPS
• Peer Spectre May Generate False Hits Due to Normal Operation of P2P Clients
• Search Warrant Affidavits Fail to Mention Role of TLO or CPS