
RE: MD5 Collisions and Evidence Integrity

Subject: RE: MD5 Collisions and Evidence Integrity
Date: Thu, 11 Nov 2004 11:56:51 -0800
I guess my question would be the method employed to hash evidence.  If a
collision occurred during the hash of evidence, either a single file, or
a bit stream of a group of bits, and the resultant was an inaccurate
hash, what would the likelihood be of obtaining that same "collided"
hash during the verification process?  I would submit that prior to
departing an investigation scene, that the investigator would perform a
verification hash prior to releasing evidence.  If the acq and ver
hashes do not match, best practices dictate you reacquire the original
evidence.

r/Jim Butterworth, GCIA
Sr. Forensic Consultant

-----Original Message-----
From: Jerry Shenk [mailto:jshenk@decommunications.com] 
Sent: Wednesday, November 10, 2004 1:17 PM
To: 'Ferrill, Rob'; forensics@securityfocus.com
Subject: RE: MD5 Collisions and Evidence Integrity

Haven't all collisions in MD5 hashes been intentionally
contrived... I think this is very rare in actual practice.  I don't think
this argument has even been attempted yet, has it?

One solution would be to do an md5sum as well as an sha1sum.  This issue
was brought up in the GCFA track in Orlando earlier this year.  The
instructor (Rob Lee) talked about evidence not needing to be 100%
infallible proof.  In any court case, there will be multiple issues to
support any single conclusion.  It does seem that if we'd start doing
md5sum and sha1sum hashes that that precaution might help in a few cases
where some lawyer tries to prove that the md5sum isn't reliable.

-----Original Message-----
From: Ferrill, Rob [mailto:Rob.Ferrill@healthsouth.com] 
Sent: Tuesday, November 09, 2004 2:44 PM
To: forensics@securityfocus.com
Subject: MD5 Collisions and Evidence Integrity



Has anyone stopped using MD5 for hashing evidence files since the
disclosure of collision issues at the Crypto 2004 conference?  There was
some concern raised during a discussion this morning that this may not
be acceptable in court cases anymore to prove evidence integrity.

Thanks,

Rob



-----------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
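
The acquisition/verification check and the md5sum-plus-sha1sum suggestion discussed in this thread can be combined in one pass over the evidence. The following is an added example, not code from any poster; the function names `dual_hash` and `verify` are hypothetical and the sample image is constructed.

```python
import hashlib
import io

CHUNK = 1 << 20  # read 1 MiB at a time so a large image never sits in memory


def dual_hash(stream, algorithms=("md5", "sha1")):
    """Read the stream once and return {algorithm: hex digest}."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    for chunk in iter(lambda: stream.read(CHUNK), b""):
        for h in hashers.values():
            h.update(chunk)  # every algorithm sees exactly the same bytes
    return {name: h.hexdigest() for name, h in hashers.items()}


def verify(stream, acquisition):
    """Re-hash the stream and compare it with the acquisition record.

    Returns (ok, mismatched); mismatched lists the algorithms whose digest
    differs. Any mismatch means the evidence should be reacquired.
    """
    current = dual_hash(stream, tuple(acquisition))
    mismatched = [name for name, digest in acquisition.items()
                  if digest.lower() != current[name]]
    return (not mismatched, mismatched)


if __name__ == "__main__":
    # Constructed sample standing in for an acquired image.
    image = b"constructed sample evidence image\n" * 1000
    record = dual_hash(io.BytesIO(image))        # acquisition hashes
    print(record)
    print(verify(io.BytesIO(image), record))     # verification pass

    # Flip a single bit to show both digests changing.
    altered = bytearray(image)
    altered[10] ^= 0x01
    print(verify(io.BytesIO(bytes(altered)), record))
```

For a real image, pass a file opened in binary mode (`open(path, "rb")`) instead of the in-memory stream.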




