2013-10-18 Computer Forensics and Hash Values
Computer Forensics: Images and Integrity
NHACDL Fall 2013 CLE, Concord, NH
18 October 2013
Frederick S. Lane
www.FrederickLane.com
www.ComputerForensicsDigest.com
Background and Expertise
• Attorney and Author of 7 Books
• Computer Forensics Expert – 15 years
• Over 100 criminal cases
• Lecturer on Computer-Related Topics – 20+ years
• Computer user (mainframes, desktops, laptops) – 35+ years
Lecture Overview
• Not Your Mother’s Hash
• The Role of Hash Values in Computer Forensics
• The Growing Use of Hash Flags
• P2P Investigations Using Hash Values
Not Your Mother’s Hash
• Cryptographic Hash Values
• Relatively Easy to Generate
• Extremely Difficult to Determine Original Data from Hash Value
• Extremely Difficult to Change Data without Changing Hash
• Extremely Unlikely that Different Data Will Produce the Same Hash Value
Types of Hash Algorithms
• Secure Hash Algorithm (SHA-1)
  • Developed by NIST in 1995
  • 40 hexadecimal characters long
• Message Digest (MD5)
  • Developed by Prof. Rivest in 1990
  • 32 hexadecimal characters long
• PhotoDNA
  • Developed by Microsoft
  • Hash value based on histograms of multiple sections of an image
Complex Explanation
• The word DOG can be represented in different ways:
  • Binary: 010001000110111101100111
  • Hexadecimal: 646f67
• A hash algorithm converts the data (shown here in hexadecimal) to a fixed-length hexadecimal string:
  • SHA-1: e49512524f47b4138d850c9d9d85972927281da0
  • MD5: 06d80eb0c50b49a509b49f2424e8c805
Complex Explanation
• Changing a single letter changes each value.
• For instance, the word COG produces the following values:
  • Binary: 010000110110111101100111
  • Hexadecimal: 436f67
  • SHA-1: d3da816674b638d05caa672f60f381ff504e578c
  • MD5: 01e33197684afd628ccf82a5ae4fd6ad
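The two slides above can be reproduced in a few lines; this is an added example, not part of the original deck. It takes as input the lowercase "dog" and "Cog" that the slides' hexadecimal values (646f67, 436f67) correspond to, and adds one thing the slides only assert: a count of how many digest bits change when a single letter of the input changes.

```python
import hashlib


def representations(word: str) -> dict:
    """Binary, hexadecimal, SHA-1 and MD5 forms of an ASCII word, as laid out on the slides."""
    data = word.encode("ascii")
    return {
        "binary": "".join(f"{byte:08b}" for byte in data),
        "hex": data.hex(),
        "sha1": hashlib.sha1(data).hexdigest(),  # 160 bits -> 40 hex characters
        "md5": hashlib.md5(data).hexdigest(),    # 128 bits -> 32 hex characters
    }


def differing_bits(hex_a: str, hex_b: str) -> int:
    """Number of bit positions in which two equal-length hex strings differ."""
    return bin(int(hex_a, 16) ^ int(hex_b, 16)).count("1")


def avalanche(word_a: str, word_b: str) -> dict:
    """Show how a small change to the input spreads through the whole digest."""
    rep_a, rep_b = representations(word_a), representations(word_b)
    return {
        "input_bits_changed": differing_bits(rep_a["hex"], rep_b["hex"]),
        "sha1_bits_changed": differing_bits(rep_a["sha1"], rep_b["sha1"]),  # out of 160
        "md5_bits_changed": differing_bits(rep_a["md5"], rep_b["md5"]),     # out of 128
    }


if __name__ == "__main__":
    # Constructed inputs matching the hexadecimal values shown on the slides.
    for word in ("dog", "Cog"):
        print(word, representations(word))
    print(avalanche("dog", "Cog"))
```

Changing "dog" to "Cog" alters only four bits of the input, yet roughly half the bits of each digest change, which is why a single-letter edit to a file cannot be hidden from a hash comparison.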
Simple Explanation
Oatmeal-Raisin Cookies
Oatmeal-Chocolate Chip Cookies
Evidence Integrity
• Acquisition Hashes
• Creation of Mirror Images
• Verification of Accuracy of Mirror Images
• Use of “Known File Filter”
  • HashKeeper
  • National Software Reference Library
  • NCMEC CVIP Database
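The two uses of hashes on this slide, verifying a mirror image against its acquisition hash and filtering files against known-hash sets, look like this in code. This is an added example, not the deck's or any forensic tool's code; the drive image, file contents and hash sets are constructed stand-ins for real NSRL-style (known-good) and HashKeeper/NCMEC-style (notable) lists.

```python
import hashlib
from typing import Dict, List, Set


def acquisition_hash(image: bytes) -> str:
    """SHA-1 of the whole image, recorded when the evidence drive is first imaged."""
    return hashlib.sha1(image).hexdigest()


def verify_image(image: bytes, recorded_hash: str) -> bool:
    """Re-hash a mirror image and compare with the recorded acquisition hash.
    Any change to even one bit of the copy produces a different digest."""
    return acquisition_hash(image) == recorded_hash.lower()


def known_file_filter(files: Dict[str, bytes], known_good: Set[str],
                      known_notable: Set[str]) -> Dict[str, List[str]]:
    """Sort files by MD5 into 'ignore' (matches a known-good set such as the NSRL),
    'flag' (matches a notable set such as HashKeeper or NCMEC) or 'review' (unknown)."""
    buckets: Dict[str, List[str]] = {"ignore": [], "flag": [], "review": []}
    for name, content in files.items():
        digest = hashlib.md5(content).hexdigest()
        if digest in known_notable:
            buckets["flag"].append(name)
        elif digest in known_good:
            buckets["ignore"].append(name)
        else:
            buckets["review"].append(name)
    return buckets


# Constructed sample data (not real evidence): a tiny "drive image" and a copy with one bit flipped.
ORIGINAL_IMAGE = b"BOOT" + bytes(range(256)) * 4
_tampered = bytearray(ORIGINAL_IMAGE)
_tampered[100] ^= 0x01
TAMPERED_IMAGE = bytes(_tampered)

# Constructed files and hash sets standing in for NSRL-style and HashKeeper-style lists.
SAMPLE_FILES = {
    "notepad.exe": b"constructed operating-system binary",
    "notes.txt": b"constructed user document",
    "img0042.jpg": b"constructed file of interest",
}
KNOWN_GOOD = {hashlib.md5(SAMPLE_FILES["notepad.exe"]).hexdigest()}
KNOWN_NOTABLE = {hashlib.md5(SAMPLE_FILES["img0042.jpg"]).hexdigest()}

if __name__ == "__main__":
    recorded = acquisition_hash(ORIGINAL_IMAGE)
    print("mirror verifies:", verify_image(ORIGINAL_IMAGE, recorded))
    print("tampered copy verifies:", verify_image(TAMPERED_IMAGE, recorded))
    print(known_file_filter(SAMPLE_FILES, KNOWN_GOOD, KNOWN_NOTABLE))
```

A hash-set match only proves that the file's content is identical to an entry in the list; which list produced the hit, and how that list was built, is exactly what the defense concerns later in the deck turn on.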
Growing Use of Hash Flags
• Child Protection and Sexual Predator Act of 1998
• 2008: ISPs Agree to Block Access to Known Sources of CP and to Scan for NCMEC Hash Values
• SAFE Act: Requires ISPs and OSPs to Turn Over Subscriber Info If Known CP Is Identified
P2P Hash Values
• Basic Operation of Peer-to-Peer Networks
• Decentralized Distribution
• Gnutella and eDonkey
• Client Software
• Hash Values Associated with Each File
Automated P2P Searches
• Peer Spectre or Nordic Mule Scans for IP Addresses of Devices Offering to Share Known CP Files
• IP Addresses Are Stored by TLO in Child Protection System
• Officers Conduct “Undercover” Investigations by Reviewing Spreadsheets of Hits in CPS
Growing Defense Concerns
• No Independent Examination of Proprietary Software
• Very Little Information Regarding TLO or CPS
• Peer Spectre May Generate False Hits Due to Normal Operation of P2P Clients
• Search Warrant Affidavits Fail to Mention Role of TLO or CPS