File authentication in forensics

teancum144

Before a forensic analysis, multiple copies of the disk are made. One copy is for file authentication. I understand that this is to ensure the integrity of the disk by generating a message digest (hash) for all system directories, files, and disk sectors.

• Typically, is a one hash made for the entire disk (inclusive of these elements)?
• Or, are hashes made for each file, directory, etc?
• Or, are hashes made at the disk level and the file level?

PhoneJockey

From a few sources it appears the entire drive is hashed

Forensics: Hashes, do they work? | Where is Your Data?

"
The imaging process
Very briefly this is what happens to evidence drive during the imaging process, for both criminal and civil offences:

• A suspect’s hard drive is connect to a computer (a hardware write blocker is normally used, but systems like Linux imaging platforms and software blockers can be used with or without hardware write blockers).
• A hash value is calculated for the image
• The hard drive is returned

For the criminal case the hard drive will be returned to a safe/evidence room, until it is required. During the case the defence, in theory, can ask to see the original and check the hash value."

colemic

Off the top of my head I would agree w/ the whole drive being hashed. As long as the proper chain is followed, you wouldn't need a separate hash for each file you wished to examine.

Besides one drive would give you potentially millions upon millions of hash files.

teancum144

From the following quote, it appears that multiple hashes are made - at the block level and collectively at the image level:

"The EnCase computer forensic software is widely recognized by the industry and validated by the courts, as well as by testing conducted by the National Institute of Standards. ... The EnCase process begins with the creation of a bit-stream drive image called an Evidence File. ... When acquiring an image of a drive, EnCase calculates both a CRC (Cyclical Redundancy Checksum) value for every block of 64 sectors (32kb) that EnCase writes to the evidence file, as well as a MD5 hash calculated for all data contained in the Evidence file."
Source: http://faculty.usfsp.edu/gkearns/Articles_Fraud/EEEauthentication.pdf (see first paragraph under "Background")

colemic

CRCs are used for network error correction, if I recall. the MD5 hash is used for protecting from actual file modifications.

knah

I took a forensics class last spring. We just used the hash of the image file, and I didn't see any long list of hashes for each and every file. We were using a very dated demo version of FTK.

This probably won't be on Sec+ exam, but it's worth noting that the better tools will use a (often proprietary) compression algorithm during the acquisition. This means that the hash of a compressed image file will be different than the hash of a raw uncompressed image file; when you examine the image in your suite it will show you the uncompressed hash and you verify integrity with that if you were comparing different image formats.

Disclaimer: I'm not a forensic investigator and haven't used current high-end tools; I just took a class that was surprisingly fun and interesting.

Also, I think some researchers created a MD5 collision in a lab, so I wouldn't be surprised if EnCase has moved on to using one of the SHA algorithms.