2013-10-18 Computer Forensics and Hash Values

A presentation delivered to the New Hampshire Association of Criminal Defense Lawyers on October 18, 2013.


Transcript

  • 1. Computer Forensics: Images and Integrity Frederick S. Lane NHACDL Fall 2013 CLE Concord, NH 18 October 2013 www.FrederickLane.com www.ComputerForensicsDigest.com
  • 2. Background and Expertise • Attorney and Author of 7 Books • Computer Forensics Expert -- 15 years • Over 100 criminal cases • Lecturer on Computer-Related Topics – 20+ years • Computer user (midframes, desktops, laptops) – 35+ years
  • 3. Lecture Overview • Not Your Mother’s Hash • The Role of Hash Values in Computer Forensics • The Growing Use of Hash Flags • P2P Investigations Using Hash Values
  • 4. Not Your Mother’s Hash • Cryptographic Hash Values • Relatively Easy to Generate • Extremely Difficult to Determine Original Data from Hash Value • Extremely Difficult to Change Data without Changing Hash • Extremely Unlikely that Different Data Will Produce the Same Hash Value
  • 5. Types of Hash Algorithms • Secure Hash Algorithm • Developed by NIST in 1995 • 40 characters long • Message Digest • Developed by Prof. Rivest in 1990 • 32 characters long • Photo DNA • Developed by Microsoft • Hash value based on histograms of multiple sections of image
  • 6. Complex Explanation • The word DOG can be represented in different ways: • Binary: 010001000110111101100111 • Hexadecimal: 646f67 • A hash algorithm converts the hexadecimal value to a fixed-length hexadecimal string. • SHA-1: e49512524f47b4138d850c9d9d85972927281da0 • MD5: 06d80eb0c50b49a509b49f2424e8c805
  • 7. Complex Explanation • Changing a single letter changes each value. • For instance, the word COG produces the following values: • Binary: 010000110110111101100111 • Hexadecimal: 436f67 • SHA-1: d3da816674b638d05caa672f60f381ff504e578c • MD5: 01e33197684afd628ccf82a5ae4fd6ad
  • 8. Simple Explanation Oatmeal-Raisin Cookies Oatmeal-Chocolate Chip Cookies
  • 9. Evidence Integrity • Acquisition Hashes • Creation of Mirror Images • Verification of Accuracy of Mirror Images • Use of “Known File Filter” • Hashkeeper • National Software Reference Library • NCMEC CVIP Database
  • 10. Growing Use of Hash Flags • Child Protection and Sexual Predator Act of 1998 • 2008: ISPs Agree to Block Access to Known Sources of CP and to Scan for NCMEC Hash Values • SAFE Act: Requires ISPs and OSPs to Turn Over Subscriber Info If Known CP Is Identified
  • 11. P2P Hash Values • Basic Operation of Peer-to-Peer Networks • Decentralized Distribution • Gnutella and eDonkey • Client Software • Hash Values Associated with Each File
  • 12. Automated P2P Searches • Peer Spectre or Nordic Mule Scans for IP Addresses of Devices Offering to Share Known CP Files • IP Addresses Are Stored by TLO in Child Protection System • Officers Conduct “Undercover” Investigations by Reviewing Spreadsheets of Hits in CPS
  • 13. Growing Defense Concerns • No Independent Examination of Proprietary Software • Very Little Information Regarding TLO or CPS • Peer Spectre May Generate False Hits Due to Normal Operation of P2P Clients • Search Warrant Affidavits Fail to Mention Role of TLO or CPS
  • 14. Computer Forensics: Images and Integrity Frederick S. Lane NHACDL Fall 2013 CLE Concord, NH 18 October 2013 www.FrederickLane.com www.ComputerForensicsDigest.com
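
The integrity workflow listed on slide 9 (acquisition hash, verification of a mirror image, known file filter), as an added Python example that is not part of the original presentation. The sample data is constructed, and `REFERENCE_SHA1` is a hypothetical stand-in for a reference set such as the National Software Reference Library; it holds the SHA-1 that slide 6 lists for the bytes 64 6f 67.

```python
import hashlib
import io

CHUNK = 1 << 20  # hash in 1 MiB blocks so a large image never has to fit in memory

def digest_stream(stream, algorithms=("md5", "sha1")):
    """Read a binary stream once and return {algorithm: hex digest}."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    for block in iter(lambda: stream.read(CHUNK), b""):
        for hasher in hashers.values():
            hasher.update(block)
    return {name: hasher.hexdigest() for name, hasher in hashers.items()}

def verify_image(acquisition, image_stream):
    """Compare a mirror image with the digests recorded at acquisition."""
    current = digest_stream(image_stream, tuple(acquisition))
    mismatched = sorted(a for a in acquisition if current[a] != acquisition[a].lower())
    return {"verified": not mismatched, "mismatched": mismatched}

def known_file_filter(files, known_sha1):
    """Split {name: bytes} into names whose SHA-1 is in the reference set and the rest."""
    known, unknown = [], []
    for name, data in sorted(files.items()):
        digest = hashlib.sha1(data).hexdigest()
        (known if digest in known_sha1 else unknown).append(name)
    return known, unknown

# Constructed sample data, not real evidence.
SOURCE = bytes.fromhex("646f67") * 700_000        # stands in for the seized drive
ACQUISITION = digest_stream(io.BytesIO(SOURCE))   # recorded when the drive is imaged
ALTERED = bytearray(SOURCE)
ALTERED[1_500_000] ^= 0x01                        # one flipped bit in about 2 MB

# Hypothetical reference set holding the SHA-1 that slide 6 lists for 64 6f 67.
REFERENCE_SHA1 = {"e49512524f47b4138d850c9d9d85972927281da0"}
FILES = {"a.txt": bytes.fromhex("646f67"), "b.txt": bytes.fromhex("436f67")}

if __name__ == "__main__":
    print(verify_image(ACQUISITION, io.BytesIO(SOURCE)))
    print(verify_image(ACQUISITION, io.BytesIO(bytes(ALTERED))))
    print(known_file_filter(FILES, REFERENCE_SHA1))
```

A single flipped bit in roughly 2 MB of data changes both digests, so the altered copy fails verification under either algorithm.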
