Forensics
Drive hashing-when is it *really* necessary? Mar 22 2005 06:26PM
dave superelite net (1 reply)
RE: Drive hashing-when is it *really* necessary? Mar 24 2005 12:59PM
Seamus Byrne (seamus seamusbyrne com)
Dave,
You correctly state it is possible to acquire media without hashing.
However, especially in legal matters (or when legal action is anticipated)
you must be able to establish to the court that your electronic copy is
identical to the original.
This is done by ensuring that evidence is acquired in a forensically sound
manner (technologically and legally proven).
A cryptographic hash/checksum does provide strong evidence that a particular
computer record has not been altered and/or that a copy of the record is
exactly the same as the original.
Thanks,
Séamus

--------------------------------------------
Séamus Byrne
Computer Forensics and Litigation Support

Telephone: +61 416 214388
E-mail: seamus (at) seamusbyrne (dot) com
Internet: http://www.seamusbyrne.com
--------------------------------------------

-----Original Message-----
From: dave (at) superelite (dot) net
Sent: Wednesday, 23 March 2005 4:26 AM
To: forensics (at) securityfocus (dot) com
Subject: Drive hashing-when is it *really* necessary?

Sounds like a simple question for this list where the answer is
"always"- but please read on.

We run hashes on drives to verify that nothing was changed during the
acquisition process. Which hash, MD5, SHA-1, SHA-256 is not part of this
debate so please refrain from rehashing that topic. But what if we have a
device which is built NOT to allow writing to the drive?
Hardware write protectors are one example. Another could be an operating
system such as Knoppix that was built/configured from the ground up to mount
the drives only in read-only mode. If such a tool was used by an
independent operator who had no motivation to alter the data, how critical
are hashes?

Why would someone want to do this? How about if we had 500 hard drives to
go through and the client just wanted to get FAT info parsed to get an idea
of the files on the drives. Bypassing an MD5 could save 2+ hours for each
drive and allow just the 10 sec it takes to copy the FAT.
Obviously it's an imperfect approach but for a real world situation where
the client has limited funds, can it work?

I guess there is still the issue of ensuring that a bit wasn't accidentally
flipped by hardware during the copy. What else? Not to trivialize the
corrupt copy problem but a flipped bit isn't going to cause an e-mail to
appear where it wasn't before (unless it was in the FAT). Thoughts on that?

What I am looking for in the way of responses is a detailed, logical
analysis on what the true issues are. I'm not looking for "this is a bad
thing, don't do it" or "if you gonna spend the money, spend the
money to do it right." I would appreciate an analysis of what one
would say to a lawyer or jury about this. I know this isn't the BEST way to
do things but what are the true flaws in this logic? What would you say if
brought in by the opposing side to refute the validity of this approach?

Thanks in advance.

Dave K.

-----------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management and tracking
system please see: http://aris.securityfocus.com

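Added example, not part of either post above: a Python sketch of the two
points a practitioner would raise about Dave's "2+ hours per drive" figure.
First, the hash does not have to be a separate pass; it can be computed from
the same blocks that are being written to the image, so a hashed acquisition
reads the source exactly once. Second, a single flipped bit in the copy is
silent without the hash (same length, one byte different, nothing in the file
system metadata changes) but fails the hash comparison. The "drive" here is a
constructed in-memory byte string, and the chunk size, function names and
corruption offset are the example's own choices.

```python
import hashlib
import io

CHUNK = 1 << 20  # 1 MiB read size, comparable to the block size imaging tools use


def acquire(src, dst, algo="sha256"):
    """Copy src to dst in one pass, hashing each block as it is written.

    The digest of the source is produced by the same read that makes the
    copy, so hashing adds no second pass over the evidence.
    """
    h = hashlib.new(algo)
    for block in iter(lambda: src.read(CHUNK), b""):
        dst.write(block)
        h.update(block)
    return h.hexdigest()


def image_hash(image, algo="sha256"):
    """Re-read an image (the verification step) and return its digest."""
    h = hashlib.new(algo)
    for block in iter(lambda: image.read(CHUNK), b""):
        h.update(block)
    return h.hexdigest()


def flip_bit(data, offset, bit=0):
    """Return a copy of data with one bit toggled, simulating a silent copy error."""
    buf = bytearray(data)
    buf[offset] ^= 1 << bit
    return bytes(buf)


def first_difference(a, b):
    """Offset of the first differing byte, or None if the buffers are identical."""
    for i, (x, y) in enumerate(zip(a, b)):
        if x != y:
            return i
    return None if len(a) == len(b) else min(len(a), len(b))


def make_source(size):
    """Constructed stand-in for a drive: deterministic pseudo-random bytes."""
    out = bytearray()
    counter = 0
    while len(out) < size:
        out += hashlib.sha256(counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:size])


def demo(size=3 * CHUNK + 4097, corrupt_at=2 * CHUNK + 17):
    """Acquire a constructed source, then verify an intact and a corrupted copy."""
    source = make_source(size)
    dst = io.BytesIO()
    acq_hash = acquire(io.BytesIO(source), dst)

    good_copy = dst.getvalue()
    # One flipped bit well inside the data area, where no FAT parse would notice it.
    bad_copy = flip_bit(good_copy, corrupt_at, bit=5)

    return {
        "acquisition_hash": acq_hash,
        "hash_matches_source": image_hash(io.BytesIO(source)) == acq_hash,
        "good_copy_verifies": image_hash(io.BytesIO(good_copy)) == acq_hash,
        "bad_copy_verifies": image_hash(io.BytesIO(bad_copy)) == acq_hash,
        "bad_copy_first_diff": first_difference(source, bad_copy),
        "bad_copy_same_length": len(bad_copy) == len(source),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The same single-pass idea in shell is `dd if=/dev/sdX bs=1M | tee image.dd |
sha256sum`: the image and its hash come from one read of the source. The
cost that remains is the verification re-read of the image, which is a read
of the copy, not of the original evidence.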

Copyright 2010, SecurityFocus