
RE: Drive hashing-when is it *really* necessary?

Subject: RE: Drive hashing-when is it *really* necessary?
Date: Thu, 24 Mar 2005 10:46:09 -0500
How do you say that hashing is not a unique ID for the content?  Yes,
there are a finite number of possibilities for hash values.  However,
are fingerprints and DNA patterns considered unique for the courts?  You
bet.  The probabilities involved in hashing are even stronger than DNA
and fingerprints.

Sure, you can say hashing is not unique, but it is the accepted method
for determining uniqueness of data and will continue to be until some
other process is invented.

Yes, there is a chain of custody which shows that you had control of the
data and that you know who had it at what point in time.  But that does
not tell you what that person did with the data.  Furthermore, it does
not help prove that data was not inadvertently changed by something
other than a human.

Greg Kelley, EnCE
Vestige Digital Investigations
Computer Forensics | Electronic Discovery | Corporate Surety
46 Public Square, Ste 220
Medina, OH 44256
(330)721-1205 x5432
(330)721-1206 Fax
http://www.vestigeltd.com


-----Original Message-----
From: Alvin Oga [mailto:alvin.sec@Virtual.Linux-Sec.net] 
Sent: Thursday, March 24, 2005 10:35 AM
To: Greg Kelley
Cc: forensics@securityfocus.com
Subject: Re: Drive hashing-when is it *really* necessary?



hi ya

On Thu, Mar 24, 2005 at 09:55:06AM -0500, Greg Kelley wrote:

> "What method did you use to verify the integrity of the data
> captured?" "None, the OS does not allow one to write to the hard
> drive"

anything can be made to do something it wasn't supposed to be doing 
( esp sw or hw widgets )

> The only way you can be ABSOLUTELY sure that you did not intentionally
> or unintentionally change the data on the drives is by hashing them.

hashing is not a unique id for the content 

> If you are 100% positive that the evidence involved is not going to be
> used in any court case, and you get the client and their attorney to
> sign a document agreeing to this fact, then there is no need to hash.
> Otherwise, I wouldn't even entertain the notion.

wouldn't there be a chain of evidence and lots of paperwork 
signed by lots of people .. that they got the "data" from their other
trusted buddies ...


> > this debate so please refrain from rehashing that topic.  But what
> > if we have a device which is built NOT to allow writing to the
> > drive? Hardware write protectors are one example.

trivial to bypass ...
        - disconnect the hw widget
        - use some other bootable cdrom instead of knoppix

        and magically data gets changed by somebody that didn't follow
        the rules 

        and you can no longer guarantee nothing 

c ya
alvin
 
 