Computer Forensics: Images and Integrity NHACDL Fall 2013 CLE Concord, NH 18 October 2013 Frederick S. Lane www.FrederickLane.com www.ComputerForensicsDigest.com

2013-10-18 Computer Forensics and Hash Values

A presentation delivered to the New Hampshire Association of Criminal Defense Lawyers on October 18, 2013.

Page 1: 2013-10-18 Computer Forensics and Hash Values

Computer Forensics:  Images and Integrity

NHACDL Fall 2013 CLE

Concord, NH

18 October 2013

Frederick S. Lane

www.FrederickLane.com

www.ComputerForensicsDigest.com

Page 2: 2013-10-18 Computer Forensics and Hash Values

Background and Expertise

• Attorney and Author of 7 Books

• Computer Forensics Expert -- 15 years

• Over 100 criminal cases

• Lecturer on Computer-Related Topics – 20+ years

• Computer user (midframes, desktops, laptops) – 35+ years

Page 3: 2013-10-18 Computer Forensics and Hash Values

Lecture Overview

• Not Your Mother’s Hash

• The Role of Hash Values in Computer Forensics

• The Growing Use of Hash Flags

• P2P Investigations Using Hash Values

Page 4: 2013-10-18 Computer Forensics and Hash Values

Not Your Mother’s Hash

• Cryptographic Hash Values

• Relatively Easy to Generate

• Extremely Difficult to Determine Original Data from Hash Value

• Extremely Difficult to Change Data without Changing Hash

• Extremely Unlikely that Different Data Will Produce the Same Hash Value

Page 5: 2013-10-18 Computer Forensics and Hash Values

Types of Hash Algorithms

• Secure Hash Algorithm

  • Developed by NIST in 1995

  • 40 characters long

• Message Digest

  • Developed by Prof. Rivest in 1990

  • 32 characters long

• PhotoDNA

  • Developed by Microsoft

  • Hash value based on histograms of multiple sections of image

Page 6: 2013-10-18 Computer Forensics and Hash Values

Complex Explanation

• The word DOG can be represented in different ways:

  • Binary: 010001000110111101100111

  • Hexadecimal: 646f67

• A hash algorithm converts the hexadecimal value to a fixed-length hexadecimal string.

  • SHA-1: e49512524f47b4138d850c9d9d85972927281da0

  • MD5: 06d80eb0c50b49a509b49f2424e8c805

Page 7: 2013-10-18 Computer Forensics and Hash Values

Complex Explanation

• Changing a single letter changes each value.

• For instance, the word COG produces the following values:

  • Binary: 010000110110111101100111

  • Hexadecimal: 436f67

  • SHA-1: d3da816674b638d05caa672f60f381ff504e578c

  • MD5: 01e33197684afd628ccf82a5ae4fd6ad

Page 8: 2013-10-18 Computer Forensics and Hash Values

Simple Explanation

Oatmeal-Raisin Cookies

Oatmeal-Chocolate Chip Cookies

Page 9: 2013-10-18 Computer Forensics and Hash Values

Evidence Integrity

• Acquisition Hashes

• Creation of Mirror Images

• Verification of Accuracy of Mirror Images

• Use of “Known File Filter”

  • Hashkeeper

  • National Software Reference Library

  • NCMEC CVIP Database
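
An added example, not part of the original presentation, showing how an acquisition hash verifies a mirror image and how a Known File Filter sorts files against a known-hash set. The 4 KiB stand-in "drive", the file names, and the function names are constructed for illustration; the one known-hash entry is the MD5 value shown earlier for hexadecimal 646f67.

```python
import hashlib
import io

def digest_stream(stream, chunk_size=1 << 20):
    """Hash a stream in fixed-size chunks so a large image never sits in memory."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    for chunk in iter(lambda: stream.read(chunk_size), b""):
        md5.update(chunk)
        sha1.update(chunk)
    return {"md5": md5.hexdigest(), "sha1": sha1.hexdigest()}

def verify_image(acquisition_hashes, image_stream):
    """Return the algorithms whose digest no longer matches the acquisition record."""
    current = digest_stream(image_stream)
    return [alg for alg, value in acquisition_hashes.items()
            if current[alg] != value.lower()]

def known_file_filter(files, known_md5):
    """Partition {name: bytes} into names matching a known-hash set and the rest."""
    known, unknown = [], []
    for name, data in sorted(files.items()):
        hit = hashlib.md5(data).hexdigest() in known_md5
        (known if hit else unknown).append(name)
    return known, unknown

# Constructed sample data: a 4 KiB stand-in for a source drive.
SOURCE = bytes(range(256)) * 16
ACQUISITION = digest_stream(io.BytesIO(SOURCE))  # hashes recorded at acquisition
MIRROR = bytes(SOURCE)                           # faithful bit-for-bit copy
ALTERED = bytearray(SOURCE)
ALTERED[1000] ^= 0x01                            # a single flipped bit

# Known-hash set holding the MD5 shown on the slide for hexadecimal 646f67.
KNOWN_MD5 = {"06d80eb0c50b49a509b49f2424e8c805"}
# Constructed file names; contents are the two hexadecimal values from the slides.
FILES = {"a.bin": bytes.fromhex("646f67"), "b.bin": bytes.fromhex("436f67")}

if __name__ == "__main__":
    print("mirror mismatches: ", verify_image(ACQUISITION, io.BytesIO(MIRROR)))
    print("altered mismatches:", verify_image(ACQUISITION, io.BytesIO(bytes(ALTERED))))
    print("known / unknown:   ", known_file_filter(FILES, KNOWN_MD5))
```

An empty mismatch list means the image still matches what was recorded at acquisition; a single flipped bit changes both digests.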

Page 10: 2013-10-18 Computer Forensics and Hash Values

Growing Use of Hash Flags

• Child Protection and Sexual Predator Act of 1998

• 2008: ISPs Agree to Block Access to Known Sources of CP and to Scan for NCMEC Hash Values

• SAFE Act: Requires ISPs and OSPs to Turn Over Subscriber Info If Known CP Is Identified

Page 11: 2013-10-18 Computer Forensics and Hash Values

P2P Hash Values

• Basic Operation of Peer-to-Peer Networks

• Decentralized Distribution

• Gnutella and eDonkey

• Client Software

• Hash Values Associated with Each File

Page 12: 2013-10-18 Computer Forensics and Hash Values

Automated P2P Searches

• Peer Spectre or Nordic Mule Scans for IP Addresses of Devices Offering to Share Known CP Files

• IP Addresses Are Stored by TLO in Child Protection System

• Officers Conduct “Undercover” Investigations by Reviewing Spreadsheets of Hits in CPS

Page 13: 2013-10-18 Computer Forensics and Hash Values

Growing Defense Concerns

• No Independent Examination of Proprietary Software

• Very Little Information Regarding TLO or CPS

• Peer Spectre May Generate False Hits Due to Normal Operation of P2P Clients

• Search Warrant Affidavits Fail to Mention Role of TLO or CPS

Page 14: 2013-10-18 Computer Forensics and Hash Values

Computer Forensics:  Images and Integrity

NHACDL Fall 2013 CLE

Concord, NH

18 October 2013

Frederick S. Lane

www.FrederickLane.com

www.ComputerForensicsDigest.com