MD5 Summary and Computer Examination Process

Introduction to Computer Forensics

Computer Examination

The prime objective of the analyst is to recover and secure a true copy of the data stored on the medium. This should be done, wherever possible, without any alteration of the original data as a whole.

Computer Examination◦The integrity of the original data must be

preserved. ◦Use the non-intrusive examination techniques.◦If the original data has to be examined, for

whatever reason, the analyst must be competent to do so and to give evidence explaining their actions. Trained and qualified staff must be used

◦An audit trail is required and an independent party must be able to reproduce the same actions and get the same result. Full log of all actions must be kept

Computer Examination

Search and

seizure of the

machines

Examination Process

The production of the evidenti

al material at Court

The ACPO Good Practice Guide

The Association of Chief Police Officers (APCO) Crime Committee have produced a Good Practice Guide for Computer Based Evidence

The ACPO principles give a good practice that must be applied to the process of examination.

The Principles of Computer-Based Evidence

No action taken by Police or their agents should change data held on a computer or other media which may subsequently be relied upon in Court

In exceptional circumstances where a person finds it necessary to access original data held on a target computer, that person must be competent to do so and to give evidence explaining the relevance and the implications of their actions.

The Principles of Computer-Based EvidenceAn audit trail or other record of

all processes applied to computer-based evidence should be created and preserved. An independent third party should be able to examine those processes and achieve the same result.

The Principles of Computer-Based EvidenceThe Officer in charge of the case

is responsible for ensuring that the law and these principles are adhered to. This applies to the possession of, and access to, information contained in a computer. They must be satisfied that anyone accessing the computer, or any use of copying device, complies with these laws and principles.

Cryptographic Integrity Services

It is difficult to show that evidence (any kind of evidence) that was collected is the same as what was left behind by a criminal.

In the digital world, it is possible to show that evidence didn’t not change at all after it was collected.

Cryptographic Integrity Services

The proof of integrity is provided by calculating a value that functions as a sort of electronic fingerprint for an individual file or even an entire floppy or hard drive.

This is a cryptographic technique and the value is called hash value or cryptographic checksum, also known as a message digest or fingerprint, and it is basically a digital signature.

The checksum is created by applying an algorithm to a file. The checksum for each file is unique to that file.

Checksum is a perfect attribute to use when verifying file integrity.

Cryptographic Integrity ServicesTwo algorithms, MD5 and SHA (secure

hash algorithm), are in common use today.

A cryptographic hash algorithm is a one-way form of encryption, taking a variable-length input and providing a fixed length output.

Such an algorithm is designed to be collision free, meaning that is functionally impossible to create a document that has the same checksum value as another document.

Cryptographic Integrity ServicesThe MD5 algorithm outputs a 128-

bit hash value. MD5 was designed by Ron Rivest in

1991The SHA algorithm, is a

cryptographic hash function designed by the National Security Agency.

USA Federal Information Processing Standard

Cryptographic Integrity ServicesSHA-1 outputs a 160 – bit hash

value. SHA -2 outputs 224/256 bits or

384/512 bits hash valueSHA – 3 under development - US

National Institute of Standards and Technology competition. The winner will be presented in 2012

Hash functions are used by forensic examiners in two ways:

First, hash functions can positively verify that a file has been altered.◦For pre-incident preparation, prepare a

known-good copy of the system, create checksums for critical system files BEFORE the incident occurs.

◦In the event of the incident, create new checksums for the same critical files, and then compare two versions.

◦If the checksums match, the files have not been modified.

Hash Functions Forensics Use

Second use of the checksums or hash functions is to verify that files (or their copies) are intact and have not been changed.

A computer crime investigator gathers digital evidence that needs to be preserved and verified in the future.

When the examiner runs a MD5 algorithm and collects MD5 checksums against evidence files and save the checksums, he or she can demonstrate that the files were not manipulated between the time of their initial collection and the trial.

Use MD5 sum to protect the integrity of the files you retrieve during the response.

It is good to perform MD5 sum collection in the presence of witnesses – TWO-MAN integrity rule.