MD5 Summary and Computer Examination Process
Introduction to Computer Forensics

Computer Examination
The prime objective of the analyst is to recover and secure a true copy of the data stored on the medium. This should be done, wherever possible, without any alteration of the original data as a whole.
Computer Examination
The integrity of the original data must be preserved.
Use non-intrusive examination techniques.
If the original data has to be examined, for whatever reason, the analyst must be competent to do so and to give evidence explaining their actions. Trained and qualified staff must be used.
An audit trail is required, and an independent party must be able to reproduce the same actions and get the same result. A full log of all actions must be kept.
Computer Examination
Search and seizure of the machines
Examination Process
The production of the evidential material at Court
The ACPO Good Practice Guide
The Association of Chief Police Officers (ACPO) Crime Committee have produced a Good Practice Guide for Computer Based Evidence.
The ACPO principles set out good practice that must be applied to the process of examination.
The Principles of Computer-Based Evidence
No action taken by Police or their agents should change data held on a computer or other media which may subsequently be relied upon in Court.
In exceptional circumstances where a person finds it necessary to access original data held on a target computer, that person must be competent to do so and to give evidence explaining the relevance and the implications of their actions.
The Principles of Computer-Based Evidence
An audit trail or other record of all processes applied to computer-based evidence should be created and preserved. An independent third party should be able to examine those processes and achieve the same result.
The Principles of Computer-Based Evidence
The Officer in charge of the case is responsible for ensuring that the law and these principles are adhered to. This applies to the possession of, and access to, information contained in a computer. They must be satisfied that anyone accessing the computer, or any use of a copying device, complies with these laws and principles.
Cryptographic Integrity Services
It is difficult to show that evidence (any kind of evidence) that was collected is the same as what was left behind by a criminal.
In the digital world, it is possible to show that evidence did not change at all after it was collected.
Cryptographic Integrity Services
The proof of integrity is provided by calculating a value that functions as a sort of electronic fingerprint for an individual file, or even for an entire floppy or hard drive.
This is a cryptographic technique. The value is called a hash value or cryptographic checksum, also known as a message digest or fingerprint, and it is basically a digital signature.
The checksum is created by applying an algorithm to a file. The checksum for each file is unique to that file.
A checksum is a perfect attribute to use when verifying file integrity.
Cryptographic Integrity Services
Two algorithms, MD5 and SHA (Secure Hash Algorithm), are in common use today.
A cryptographic hash algorithm is a one-way form of encryption, taking a variable-length input and providing a fixed-length output.
Such an algorithm is designed to be collision free, meaning that it is functionally impossible to create a document that has the same checksum value as another document.
Cryptographic Integrity Services
The MD5 algorithm outputs a 128-bit hash value.
MD5 was designed by Ron Rivest in 1991.
The SHA algorithm is a cryptographic hash function designed by the National Security Agency.
It is a USA Federal Information Processing Standard.
Cryptographic Integrity Services
SHA-1 outputs a 160-bit hash value.
SHA-2 outputs a 224/256-bit or 384/512-bit hash value.
The Secure Hash Standard (SHS) is a set of cryptographically secure hash algorithms specified by the National Institute of Standards and Technology (NIST).
The current version of the SHS standard is the document NIST FIPS 180-4, which specifies seven Secure Hash Algorithms: SHA-1, SHA-224, SHA-256, SHA-384, SHA-512, SHA-512/224 and SHA-512/256.
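The fixed output lengths quoted above (128 bits for MD5, 160 for SHA-1, 224 to 512 for the SHA-2 family) and the one-way, collision-resistant behaviour the slides describe can be checked directly. The following is an added example written for this page, not code from the original presentation; it uses Python's standard `hashlib` and a constructed sample input, and probes for the two truncated SHA-512 variants because their availability depends on the OpenSSL build behind `hashlib`.

```python
import hashlib

# MD5 plus the seven SHA variants named in FIPS 180-4.
# hashlib guarantees md5/sha1/sha224/sha256/sha384/sha512; the two truncated
# SHA-512 variants are only present when the underlying OpenSSL provides them.
ALGORITHMS = ("md5", "sha1", "sha224", "sha256", "sha384", "sha512",
              "sha512_224", "sha512_256")


def digest_bits(algorithm, data):
    """Return the digest length in bits of `algorithm` over `data`,
    or None if this Python build does not provide the algorithm."""
    try:
        h = hashlib.new(algorithm)
    except ValueError:
        return None
    h.update(data)
    return h.digest_size * 8


def output_sizes(data=b"constructed sample input"):
    """Map every algorithm name above to its output length in bits."""
    return {name: digest_bits(name, data) for name in ALGORITHMS}


def fixed_length_regardless_of_input(algorithm="sha256"):
    """The output is fixed-length: a 1-byte input and a 1 MiB input
    produce digests of identical size."""
    small = hashlib.new(algorithm, b"A").digest()
    large = hashlib.new(algorithm, b"A" * (1024 * 1024)).digest()
    return len(small) == len(large)


def flip_one_bit(data, bit_index):
    """Return a copy of `data` with a single bit inverted."""
    buf = bytearray(data)
    buf[bit_index // 8] ^= 1 << (bit_index % 8)
    return bytes(buf)


def differing_bits(a, b):
    """Count the bit positions at which two equal-length digests differ."""
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


def avalanche(algorithm="sha256", data=b"Evidence image, block 0"):
    """Flip one input bit and report (changed_bits, total_bits).
    A sound hash changes roughly half of its output bits, which is why
    even a one-bit alteration of an evidence file is detectable."""
    original = hashlib.new(algorithm, data).digest()
    altered = hashlib.new(algorithm, flip_one_bit(data, 3)).digest()
    return differing_bits(original, altered), len(original) * 8


if __name__ == "__main__":
    for name, bits in output_sizes().items():
        print(f"{name:12s} {bits if bits else 'not available'} bits")
    print("fixed length:", fixed_length_regardless_of_input())
    print("bits changed by a 1-bit input flip (SHA-256): %d of %d" % avalanche())
```

The `avalanche` function is the property an examiner relies on: two files that differ by a single bit produce unrelated digests, so a matching checksum is strong evidence that nothing changed, while a differing one pinpoints alteration without needing to compare the files byte by byte.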
Cryptographic Integrity Services
On October 2, 2012, Keccak was selected as the winner of the NIST hash function competition.
SHA-3 is not meant to replace SHA-2, as no significant attack on SHA-2 has been demonstrated.
Because of the successful attacks on MD5 and SHA-0 and theoretical attacks on SHA-1 and SHA-2, NIST perceived a need for an alternative, dissimilar cryptographic hash, which became SHA-3.
Cryptographic Integrity Services
As of April 2014, NIST has updated Draft FIPS Publication 202, SHA-3 Standard, separate from the Secure Hash Standard (SHS).
NIST Computer Security Division: http://csrc.nist.gov/
Hash functions are used by forensic examiners in two ways:
First, hash functions can positively verify that a file has been altered.
For pre-incident preparation, prepare a known-good copy of the system and create checksums for critical system files BEFORE the incident occurs.
In the event of an incident, create new checksums for the same critical files, and then compare the two versions.
If the checksums match, the files have not been modified.
Hash Functions Forensics Use
Second use of the checksums or hash functions is to verify that files (or their copies) are intact and have not been changed.
A computer crime investigator gathers digital evidence that needs to be preserved and verified in the future.
When the examiner runs the MD5 algorithm against the evidence files, collects the MD5 checksums and saves them, he or she can demonstrate that the files were not manipulated between the time of their initial collection and the trial.
Use MD5 sums to protect the integrity of the files you retrieve during the response.
It is good practice to perform MD5 sum collection in the presence of witnesses – the TWO-MAN integrity rule.
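Both forensic uses of hashing just described, the pre-incident baseline of critical system files and the later verification of collected evidence files, follow the same procedure: record a manifest of digests, then recompute and compare. The following is an added example written for this page, not the presentation's own code or tool; it builds a manifest with MD5 and SHA-256 over a constructed directory of three sample files, hashes in chunks so that large images do not need to fit in memory, and then reports which files are unchanged, modified, missing or new after a simulated alteration. File names and contents are constructed for the demonstration.

```python
import hashlib
import os
import tempfile

CHUNK = 1024 * 1024  # read evidence files in 1 MiB pieces


def hash_file(path, algorithms=("md5", "sha256")):
    """Hash one file in chunks. Returns {algorithm: hex digest}.
    Recording two algorithms side by side is a common examiner habit:
    an attacker would have to defeat both to forge a matching file."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def build_manifest(root):
    """Known-good baseline: relative path -> digests for every file under root."""
    manifest = {}
    for dirpath, _, filenames in os.walk(root):
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = hash_file(full)
    return manifest


def verify_manifest(manifest, root):
    """Recompute digests under root and classify every file against
    the saved manifest. Missing and new files are reported too, since a
    silent deletion or addition is as significant as an edit."""
    current = build_manifest(root)
    report = {"unchanged": [], "modified": [], "missing": [], "new": []}
    for rel, digests in manifest.items():
        if rel not in current:
            report["missing"].append(rel)
        elif current[rel] == digests:
            report["unchanged"].append(rel)
        else:
            report["modified"].append(rel)
    report["new"] = sorted(set(current) - set(manifest))
    return report


def _write(root, rel, content, mode="wb"):
    full = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, mode) as fh:
        fh.write(content)
    return full


def demo():
    """Constructed scenario: baseline three 'system files', then simulate
    an incident in which one is altered, one is removed and one appears."""
    with tempfile.TemporaryDirectory() as root:
        _write(root, "bin/login", b"\x7fELF constructed login binary")
        _write(root, "etc/passwd", b"root:x:0:0:root:/root:/bin/sh\n")
        _write(root, "etc/hosts", b"127.0.0.1 localhost\n")
        baseline = build_manifest(root)  # taken BEFORE the incident

        _write(root, "bin/login", b"\x00", mode="ab")        # one byte appended
        os.remove(os.path.join(root, "etc", "hosts"))         # file deleted
        _write(root, "etc/shadow", b"root:*:0:0:::::\n")     # file added
        return verify_manifest(baseline, root)


if __name__ == "__main__":
    for state, files in demo().items():
        print(f"{state:10s} {files}")
```

In practice the baseline manifest is stored off the examined system (and ideally signed or witnessed under the two-man rule), because a manifest that lives on the same disk can be rewritten by whoever altered the files.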