2013-10-18 Computer Forensics and Hash Values
1. Computer Forensics: Images and Integrity
Frederick S. Lane
NHACDL Fall 2013 CLE
Concord, NH
18 October 2013
www.FrederickLane.com
www.ComputerForensicsDigest.com
2. Background and Expertise
• Attorney and Author of 7 Books
• Computer Forensics Expert -- 15 years
• Over 100 criminal cases
• Lecturer on Computer-Related Topics – 20+ years
• Computer user (midframes, desktops, laptops) – 35+ years
3. Lecture Overview
• Not Your Mother’s Hash
• The Role of Hash Values in Computer Forensics
• The Growing Use of Hash Flags
• P2P Investigations Using Hash Values
4. Not Your Mother’s Hash
• Cryptographic Hash Values
• Relatively Easy to Generate
• Extremely Difficult to Determine Original Data from Hash Value
• Extremely Difficult to Change Data without Changing Hash
• Extremely Unlikely that Different Data Will Produce the Same Hash Value
5. Types of Hash Algorithms
• Secure Hash Algorithm
  • Developed by NIST in 1995
  • 40 characters long
• Message Digest
  • Developed by Prof. Rivest in 1990
  • 32 characters long
• PhotoDNA
  • Developed by Microsoft
  • Hash value based on histograms of multiple sections of image
6. Complex Explanation
• The word DOG can be represented in different ways:
  • Binary: 010001000110111101100111
  • Hexadecimal: 646f67
• A hash algorithm converts the hexadecimal value to a fixed-length hexadecimal string.
  • SHA-1: e49512524f47b4138d850c9d9d85972927281da0
  • MD5: 06d80eb0c50b49a509b49f2424e8c805
7. Complex Explanation
• Changing a single letter changes each value.
• For instance, the word COG produces the following values:
  • Binary: 010000110110111101100111
  • Hexadecimal: 436f67
  • SHA-1: d3da816674b638d05caa672f60f381ff504e578c
  • MD5: 01e33197684afd628ccf82a5ae4fd6ad
9. Evidence Integrity
• Acquisition Hashes
• Creation of Mirror Images
• Verification of Accuracy of Mirror Images
• Use of “Known File Filter”
• Hashkeeper
• National Software Reference Library
• NCMEC CVIP Database
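The acquisition-hash verification and “Known File Filter” steps listed on this slide, as an added Python example that is not part of the original presentation. The file names, the function names and the constructed 3 MiB sample data are assumptions made for illustration.

```python
import hashlib
import os
import tempfile

CHUNK = 1024 * 1024  # read 1 MiB at a time so large images never sit in memory

def hash_image(path, algorithms=("md5", "sha1")):
    """Stream a file once and return {algorithm: hex digest}."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(CHUNK), b""):
            for h in hashers.values():
                h.update(block)
    return {name: h.hexdigest() for name, h in hashers.items()}

def verify_image(path, acquisition_hashes):
    """Compare a working copy against the hashes recorded at acquisition."""
    current = hash_image(path, tuple(acquisition_hashes))
    return {name: current[name] == expected.lower()
            for name, expected in acquisition_hashes.items()}

def known_file_filter(paths, known_sha1):
    """Split files into (known, unknown) by SHA-1 membership in a reference set."""
    known, unknown = [], []
    for p in paths:
        digest = hash_image(p, ("sha1",))["sha1"]
        (known if digest in known_sha1 else unknown).append(p)
    return known, unknown

def demo():
    """Constructed data: an 'image', a mirror copy, and a copy with one bit flipped."""
    with tempfile.TemporaryDirectory() as d:
        original = os.path.join(d, "original.dd")
        mirror = os.path.join(d, "mirror.dd")
        altered = os.path.join(d, "altered.dd")
        data = bytes(range(256)) * (3 * 4096)  # constructed sample content, 3 MiB
        for path, content in ((original, data), (mirror, data),
                              (altered, data[:-1] + bytes([data[-1] ^ 1]))):
            with open(path, "wb") as fh:
                fh.write(content)
        acquisition = hash_image(original)  # recorded when the image is acquired
        return (verify_image(mirror, acquisition),
                verify_image(altered, acquisition),
                known_file_filter([mirror, altered], {acquisition["sha1"]}))

if __name__ == "__main__":
    print(demo())
```

The mirror copy verifies under both algorithms, while the copy with a single flipped bit fails both checks and falls out of the known-file set.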
10. Growing Use of Hash Flags
• Child Protection and Sexual Predator Act of 1998
• 2008: ISPs Agree to Block Access to Known Sources of CP and to Scan for NCMEC Hash Values
• SAFE Act: Requires ISPs and OSPs to Turn Over Subscriber Info If Known CP Is Identified
11. P2P Hash Values
• Basic Operation of Peer-to-Peer Networks
• Decentralized Distribution
• Gnutella and eDonkey
• Client Software
• Hash Values Associated with Each File
12. Automated P2P Searches
• Peer Spectre or Nordic Mule Scans for IP Addresses of Devices Offering to Share Known CP Files
• IP Addresses Are Stored by TLO in Child Protection System
• Officers Conduct “Undercover” Investigations by Reviewing Spreadsheets of Hits in CPS
13. Growing Defense Concerns
• No Independent Examination of Proprietary Software
• Very Little Information Regarding TLO or CPS
• Peer Spectre May Generate False Hits Due to Normal Operation of P2P Clients
• Search Warrant Affidavits Fail to Mention Role of TLO or CPS