170 likes | 316 Views
MD5 Summary and Computer Examination Process. Introduction to Computer Forensics. Computer Examination.
E N D
MD5 Summary and Computer Examination Process Introduction to Computer Forensics
Computer Examination • The prime objective of the analyst is to recover and secure a true copy of the data stored on the medium. This should be done, wherever possible, without any alteration of the original data as a whole.
Computer Examination • The integrity of the original data must be preserved. • Use the non-intrusive examination techniques. • If the original data has to be examined, for whatever reason, the analyst must be competent to do so and to give evidence explaining their actions. Trained and qualified staff must be used • An audit trail is required and an independent party must be able to reproduce the same actions and get the same result. Full log of all actions must be kept
Computer Examination Search and seizure of the machines Examination Process The production of the evidential material at Court
The ACPO Good Practice Guide • The Association of Chief Police Officers (APCO) Crime Committee have produced a Good Practice Guide for Computer Based Evidence • The ACPO principles give a good practice that must be applied to the process of examination.
The Principles of Computer-Based Evidence • No action taken by Police or their agents should change data held on a computer or other media which may subsequently be relied upon in Court • In exceptional circumstances where a person finds it necessary to access original data held on a target computer, that person must be competent to do so and to give evidence explaining the relevance and the implications of their actions.
The Principles of Computer-Based Evidence • An audit trail or other record of all processes applied to computer-based evidence should be created and preserved. An independent third party should be able to examine those processes and achieve the same result.
The Principles of Computer-Based Evidence • The Officer in charge of the case is responsible for ensuring that the law and these principles are adhered to. This applies to the possession of, and access to, information contained in a computer. They must be satisfied that anyone accessing the computer, or any use of copying device, complies with these laws and principles.
Cryptographic Integrity Services • It is difficult to show that evidence (any kind of evidence) that was collected is the same as what was left behind by a criminal. • In the digital world, it is possible to show that evidence didn’t not change at all after it was collected.
Cryptographic Integrity Services • The proof of integrity is provided by calculating a value that functions as a sort of electronic fingerprint for an individual file or even an entire floppy or hard drive. • This is a cryptographic technique and the value is called hash value or cryptographic checksum, also known as a message digest or fingerprint, and it is basically a digital signature. • The checksum is created by applying an algorithm to a file. The checksum for each file is unique to that file. • Checksum is a perfect attribute to use when verifying file integrity.
Cryptographic Integrity Services • Two algorithms, MD5 and SHA (secure hash algorithm), are in common use today. • A cryptographic hash algorithm is a one-way form of encryption, taking a variable-length input and providing a fixed length output. • Such an algorithm is designed to be collision free, meaning that is functionally impossible to create a document that has the same checksum value as another document.
Cryptographic Integrity Services • The MD5 algorithm outputs a 128-bit hash value. • MD5 was designed by Ron Rivest in 1991 • The SHA algorithm, is a cryptographic hash function designed by the National Security Agency. • USA Federal Information Processing Standard
Cryptographic Integrity Services • SHA-1 outputs a 160 – bit hash value. • SHA -2 outputs 224/256 bits or 384/512 bits hash value • The Secure Hash Standard (SHS) is a set of cryptographically secure hash algorithms specified by the National Institute of Standards and Technology (NIST). • The current version of the SHS standard is the document NIST FIPS 180-4,which specifies seven Secure Hash Algorithms: SHA-1, SHA-224, SHA-256, SHA-384, SHA-512, SHA-512/224 and SHA-512/256.
Cryptographic Integrity Services • On October 2, 2012, Keccak was selected as the winner of the NIST hash function competition. • SHA-3 is not meant to replace SHA-2, as no significant attack on SHA-2 has been demonstrated. • Because of the successful attacks on MD5 and SHA-0 and theoretical attacks on SHA-1 and SHA-2,NIST perceived a need for an alternative, dissimilar cryptographic hash, which became SHA-3.
Cryptographic Integrity Services • As of April 2014, NIST has updated Draft FIPS Publication 202, SHA-3 Standard separate from the Secure Hash Standard (SHS). • NIST Computer Security Division http://csrc.nist.gov/
Hash functions are used by forensic examiners in two ways: • First, hash functions can positively verify that a file has been altered. • For pre-incident preparation, prepare a known-good copy of the system, create checksums for critical system files BEFORE the incident occurs. • In the event of the incident, create new checksums for the same critical files, and then compare two versions. • If the checksums match, the files have not been modified.
Hash Functions Forensics Use • Second use of the checksums or hash functions is to verify that files (or their copies) are intact and have not been changed. • A computer crime investigator gathers digital evidence that needs to be preserved and verified in the future. • When the examiner runs a MD5 algorithm and collects MD5 checksums against evidence files and save the checksums, he or she can demonstrate that the files were not manipulated between the time of their initial collection and the trial. • Use MD5 sum to protect the integrity of the files you retrieve during the response. • It is good to perform MD5 sum collection in the presence of witnesses – TWO-MAN integrity rule.