Week 4 - Forensic Imaging & Hashing Flashcards
What is a forensic IMAGE of a Hard Drive?
A forensic image is a bit-for-bit copy of a hard drive or device. It includes everything: not only live data, but also the unallocated space, the slack space, hidden partitions and the MBR.
We must then verify that the image is an exact copy of the original device. This is done using a hash algorithm.
What is hashing?
Hashing is a process of converting a data source to a fixed string of characters.
It is one way, therefore the original data cannot be obtained from the hash value.
It is used to evidence the integrity of data, to verify and validate it. Any data that is identical will have identical hash values. If data is changed, even by a single bit, the hash value will change.
In computer forensics it is used to demonstrate that a forensic image made of a suspect computer is exactly the same as the original computer.
What is a hash collision & what is the chance of an MD5 hash collision?
A collision is when two different sources of data have the same hash value.
An MD5 hash is a 128-bit value, usually written in hex.
This means that the chance of a collision is 1 in 2^128.
This is so unlikely that courts accept it as a digital fingerprint of the data.
Other Hash Functions
SHA-1: Secure Hash Algorithm.
160-bit hash value.
SHA-256 produces a 256-bit hash value.
What is slack space?
Files on a HD are organised into clusters. Clusters vary in size, but each cluster can only belong to one file. A file can occupy as many clusters as it needs for its size. For example, if your clusters are 4 KB and a file is 12 KB, the file will fill 3 clusters. If you delete this file and a new file of 9 KB overwrites it, then the same 3 clusters will be used, but the third cluster will only have 1 KB of it used by the new file (because it is smaller than the old file). The remaining 3 KB of that cluster cannot be occupied by another file while the 9 KB file is using it, so this remaining 3 KB on the cluster is SLACK SPACE. This slack space contains data from the previous file that occupied it.
What must you think about when choosing forensic tools?
The operating system they are compatible with and cost, but most importantly all tools must be validated before use, using test data and test protocols. The Computer Forensic Reference Data Sets can be used to validate tools, and you can view the Computer Forensics Tool Testing reports to understand the strengths and weaknesses of tools. Different tools will have different strengths and weaknesses.
List some Forensic tools for imaging devices and details about what file types they support and what file types they produce the image in.
Primary file types produced in imaging are dd, E01 and RAW.
FTK (Forensic Tool Kit) Imager. Owned by Exterro. Produces the AD1 file type.
EnCase: produces E01.
Linux: the dd command produces a dd file.
The Sleuth Kit (TSK) and Autopsy.
TSK is free and open source and supports many file system types.