Re: MD5 Collisions and Evidence Integrity

Hi Rob,

In most of the recent forensics studies I've seen presented, MD5 was still
used as sole hashing algorithm to prove integrity of the collected
evidence.  It's still the only supported hashing method by a number of
popular forensic investigation tools.  In some cases, forensic analysts
have moved from single hashing to mass hashing, using multiple algorithms
such as SHA-1 and MD5 together.  Tools are available which do this
automatically, but it's not difficult to script either.  It allows
evidence integrity to survive technical advances more efficiently.

I have not yet heard of evidence being rejected in a court case due to the
use of MD5.  However, it is reasonable to assume that judicial criticism
is not very far away now technical evidence and examples are available.

Cheers,
Maarten

--
Maarten Van Horenbeeck, GCIA <maarten@daemon.be>
http://www.daemon.be/maarten

-----------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com