Digital Evidence Controls - PowerPoint PPT Presentation

Slides: 11
Provided by: gsco4
Transcript and Presenter's Notes
1
Digital Evidence Controls
  • concern: digital evidence that is altered or lost
  • question: does digital evidence physically exist,
    or is it just a representation of something?
  • US view: digital evidence is physical evidence
  • forensic investigation of digital evidence:
    • identify
    • collect
    • analyze
    • use it for re-construction

2
Computer Records (US view)
  • interpretation: computer records are hearsay
    evidence, not admissible at trial, unless they
    fall into one of several exceptions
  • business record exception: records of regularly
    conducted activity
  • 2 types of computer records:
    • computer-generated: data the system maintains for
      itself (e.g., log files), not generated
      directly by a user
    • computer-stored: created and stored by a user

3
Authenticity of Computer Records
  • authenticity comes from:
    • collecting evidence according to proper steps of
      evidence control
    • using established computer forensic tools
  • courts: computer forensic investigators do not
    need to be subject matter experts on the tools
    they use
    • you do not need to know the inner workings, just
      the purpose and operation
  • for computer-stored records, it is difficult to
    prove that a specific person created the records

4
Digital Evidence: Original vs. Other
  • best evidence rule: to prove something about a
    document you need the original (the disk file)
  • what about a printout?
    • If data are stored in a computer or similar
      device, any printout or other output readable by
      sight, shown to reflect the data accurately, is
      an original.
  • what about a digital copy?
    • a copy is allowed when it is produced by the same
      impression as the original by mechanical or
      electronic re-recording
    • so bit-stream copies are allowed

5
Handling Digital Evidence
  • goal in the lab: maintain the integrity of
    digital evidence
  • for disk data, copy it with a bit-stream imaging
    tool
  • treat the subject drive as read-only (use a
    write-blocker, hardware or software)
  • proper steps to verify the copy:
    • write-block the original drive
    • MD5 hash of the original
    • do a bit-stream image
    • MD5 hash of the image and compare

6
Obtaining a Digital Hash
  • goal is to produce a digital fingerprint unique
    to the data (file or entire disk drive)
  • other names: hash, digest, checksum, signature,
    fingerprint
  • most common algorithm is MD5 (Message Digest 5)
  • a mathematical algorithm that translates original
    data into a unique hexadecimal code value (hash
    value)
  • if a bit (or byte or anything) changes, it alters
    the digital hash
  • computationally difficult to find 2 files that
    have the same MD5 digital hash
  • computationally difficult to find a file that has
    a given MD5 digital hash

7
New Technology
  • newest digital signature method is the Secure
    Hashing Algorithm (SHA), see
    http://csrc.nist.gov/publications/fips/fips180-2/fips180-2.pdf
  • MD5 (1991) hashes a file of arbitrary length into
    a 128-bit value
  • SHA (1995) hashes a file of arbitrary length into
    a 160-bit value

8
Non-keyed vs. Keyed
  • MD5 and SHA are digital hashes with a non-keyed
    hash set: they can identify known files, which
    have a known hash value under MD5 or SHA, even if
    the file name or file extension has been changed
  • alternative to a non-keyed hash is a keyed hash
    set, created with an encryption utility's secret key

9
Relation to Encryption
  • encryption transforms data from cleartext to
    ciphertext and back, given the right keys, and the
    two texts should roughly correspond to each other
    in size; encryption is two-way
  • hashing compiles a stream of data into a small
    digest, and it is a one-way operation
  • for non-forensic purposes, hashes can be used to
    verify file integrity when downloading files:
    the site publishes the MD5 hash; you re-compute it
    on the downloaded file
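The verification procedure from slide 5 (hash the write-blocked original, image it, hash the image, compare) and the download check from slide 9, as an added Python example that is not part of the presentation. It uses a constructed in-memory byte buffer in place of a real drive, hashes in fixed-size chunks so a whole-disk image never has to fit in memory, and records SHA-1 and SHA-256 alongside MD5; the single-bit flip at the end shows slide 6's point that any changed bit alters the digest.

```python
import hashlib
import io

CHUNK = 64 * 1024  # hash in fixed-size chunks; a whole-disk image never sits in memory


def hash_stream(stream, algorithms=("md5", "sha1", "sha256")):
    """Return {algorithm: hexdigest} over everything readable from stream."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    for block in iter(lambda: stream.read(CHUNK), b""):
        for h in hashers.values():
            h.update(block)
    return {name: h.hexdigest() for name, h in hashers.items()}


def bit_stream_copy(src_bytes):
    """Byte-for-byte copy through a stream (stands in for a forensic imaging tool)."""
    src, dst = io.BytesIO(src_bytes), io.BytesIO()
    for block in iter(lambda: src.read(CHUNK), b""):
        dst.write(block)
    return dst.getvalue()


def verify_image(original_bytes, image_bytes):
    """Slide 5 procedure: hash the write-blocked original, hash the image, compare.
    Returns (all digests match, original digests, image digests)."""
    a = hash_stream(io.BytesIO(original_bytes))
    b = hash_stream(io.BytesIO(image_bytes))
    return a == b, a, b


def verify_download(data, published_hex, algorithm="md5"):
    """Slide 9 use: recompute the digest a site publishes over the downloaded bytes."""
    return hashlib.new(algorithm, data).hexdigest() == published_hex.strip().lower()


def flip_one_bit(data, byte_index):
    """Return a copy of data with a single bit toggled (simulates a damaged image)."""
    mutable = bytearray(data)
    mutable[byte_index] ^= 0x01
    return bytes(mutable)


# Constructed sample "subject drive": deterministic bytes, deliberately not a
# multiple of CHUNK so the final partial read is exercised as well.
SAMPLE_DRIVE = bytes(range(256)) * 1025 + b"tail"

if __name__ == "__main__":
    image = bit_stream_copy(SAMPLE_DRIVE)                 # acquired bit-stream image
    ok, orig_digests, img_digests = verify_image(SAMPLE_DRIVE, image)
    print("image verified:", ok, "md5 =", orig_digests["md5"])
    print("after one flipped bit:", verify_image(SAMPLE_DRIVE, flip_one_bit(image, 12345))[0])
```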

10
Collisions
  • possibility that more than one input file can
    hash to the same MD5 hash value in 128 bits (16
    bytes): a collision
  • a 128-bit hash can have 3.4 × 10^38 possible
    values (340,282,366,920,938,463,463,374,607,431,768,211,456
    possible hashes)
  • so finding a hash collision by randomly guessing
    is exceedingly unlikely (it is more likely that a
    million persons will guess all 6/49 lottery numbers
    every week for a billion trillion years)
  • SHA-1 uses 160 bits, which produces an output
    space 4 billion times larger than that for MD5
  • SHA-512 uses 512 bits and has 1.34 × 10^154
    possible values, far, far more than the number of
    hydrogen atoms in the universe