Hashes in Forensics

Kieron Craggs. Originally presented as part of IntaForensics 2014 Graduate Training Week. Topics covered: what a hash is, the importance of hashes in forensics, hash sets, and other hashing techniques.


Presentation Transcript


  1. Hashes in Forensics • Kieron Craggs • Originally presented as part of IntaForensics 2014 Graduate Training Week

  2. What we’ll cover • What is a hash? • The importance of hashes in Forensics • Hash Sets • Other hashing techniques

  3. What is a hash? • A one-way unique digital signature of a file or files • Result of a calculation made on the content (Algorithm) • Always returns the same size result no matter the input • Different algorithms return a different length result

  4. Importance of hashes in Forensics • Easy to use, common & secure* (MD5, SHA1, ...) • Collisions are a very small possibility • Can be used to verify data integrity (ACPO P1) • Used to identify ‘good’ & ‘bad’ files (Hash Sets) • Break down large amounts of data

  5. Hash Sets • Used to find good and bad files – cuts down the search • Good – NSRL • Bad – Team Cymru (Malware), Law Enforcement & various others including tools such as C4All • Efficient and quick way to identify files

  6. Fuzzy Hashing and others • Traditional hashing but of parts rather than the whole file • Piecewise Hashing – split the data into fixed blocks, hash and look for matches • Context Triggered Piecewise (Fuzzy Hashing) – Matches portions of data that share a similarity with a comparison, even though the data might not be in the same place

  7. Piecewise Hashing Example (dcfldd) • Create a dd image and calculate hashes • Each block now has an MD5 and SHA1 hash • Some time later… • Let’s compare a copy against the original • Original File • Here’s the change

  8. Issues • Context Triggered Hashing needs enough data to compare – larger/multiple files are more successful • Computationally expensive, can be time consuming • False positives

  9. Summary • A hash is a unique signature of a file's contents (a portion of data) • Helps to make forensics easier but also adds credibility • Can help sort large amounts of known/unknown data • Can be applied in different ways to solve problems

  10. Questions?
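
The piecewise hashing workflow from slides 6 and 7, as an added example that is not part of the original presentation: it uses Python's hashlib instead of dcfldd, and the 512-byte block size, function names and sample data are assumptions constructed for illustration. It also shows why a single inserted byte defeats fixed-block comparison, which is the gap context triggered hashing addresses.

```python
import hashlib

BLOCK_SIZE = 512  # assumed block size for this example


def piecewise_hashes(data, block_size=BLOCK_SIZE):
    """Hash each fixed-size block; return a list of (offset, md5_hex, sha1_hex)."""
    result = []
    for offset in range(0, len(data), block_size):
        block = data[offset:offset + block_size]
        result.append((offset,
                       hashlib.md5(block).hexdigest(),
                       hashlib.sha1(block).hexdigest()))
    return result


def changed_blocks(original, copy, block_size=BLOCK_SIZE):
    """Return offsets of blocks whose hashes differ or that exist on one side only."""
    a = piecewise_hashes(original, block_size)
    b = piecewise_hashes(copy, block_size)
    diffs = []
    for i in range(max(len(a), len(b))):
        left = a[i][1:] if i < len(a) else None
        right = b[i][1:] if i < len(b) else None
        if left != right:
            diffs.append(i * block_size)
    return diffs


# Constructed sample data: 4096 bytes, i.e. 8 blocks of 512 bytes.
ORIGINAL = bytes(range(256)) * 16

# Case 1: one byte overwritten in place. Only the containing block changes.
_altered = bytearray(ORIGINAL)
_altered[1300] ^= 0xFF
ALTERED = bytes(_altered)

# Case 2: one byte inserted. Everything after it shifts, so every later
# fixed block hashes differently even though the content is nearly identical.
SHIFTED = ORIGINAL[:1300] + b"\x00" + ORIGINAL[1300:]

if __name__ == "__main__":
    print("whole-file SHA1 equal:",
          hashlib.sha1(ORIGINAL).digest() == hashlib.sha1(ALTERED).digest())
    print("overwrite, changed block offsets:", changed_blocks(ORIGINAL, ALTERED))
    print("insertion, changed block offsets:", changed_blocks(ORIGINAL, SHIFTED))
```
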
