Ethical Hacking Training at InfoSec Institute

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Computer Forensics Computer-Forensics
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

RE: Drive hashing-when is it *really* necessary?

from [Trevor Odonnal] Network Security [Permanent Link]
Subject: RE: Drive hashing-when is it *really* necessary?
Date: Thu, 24 Mar 2005 11:43:06 -0700 
On a side note.....
 
Does anybody have specific data concerning the statistical reliability of 
hashes compared to DNA and fingerprinting? With references please.
 
Trevor O'Donnal
Network Security Analyst
Computer Forensics Investigator
Brigham Young University

________________________________

From: dave@superelite.net [mailto:dave@superelite.net]
Sent: Tue 3/22/2005 11:26 AM
To: forensics@securityfocus.com
Subject: Drive hashing-when is it *really* necessary?



 Sounds like a simple question for this list where the answer is
"always"- but please read on.

We run hashes on drives to verify that nothing was changed during the
acquisition process.  Which hash, MD-5, SHA-1, SHA-256 is not part of
this debate so please refrain from rehashing that topic.  But what if we
have a device which is built NOT to allow writing to the drive?
Hardware write protectors are one example.  Another could be an
operating system such as Knoppix that was built/configured from the
ground up to mount the drives only in read-only mode.  If such a tool
was used by an independent operator which had no motivation to alter the
data, how critical are hashes?

Why would someone want to do this?  How about if we had 500 hard drives
to go through and the client just wanted to get FAT info parsed to get
an idea of the files on the drives.  Bypassing an MD5 could save 2+
hours for each drive and allow just the 10 sec it takes to copy the FAT.
Obviously it's an imperfect approach but for a real world situation
where the client has limited funds, can it work?

I guess there is still the issue of ensuring that a bit wasn't
accidentally flipped by hardware during the copy.  What else?  Not to
trivialize the corrupt copy problem but a flipped bit isn't going to
cause an e-mail to appear where it wasn't before (unless it was in the
FAT).  Thoughts on that?

What I am looking for in the way of responses is a detailed, logical
analysis on what the true issues are.  I'm not looking for "this is a
bad thing, don't do it" or "if you gonna spend the money, spend the
money to do it right."   I would appreciate an analysis of what one
would say to a lawyer or jury about this.  I know this isn't the BEST
way to do things but what are the true flaws in this logic?  What would
you say if brought in by the opposing side to refute the validity of
this approach?

Thanks in advance.

Dave K.


-----------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com




-----------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
[More with this subject...]


<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  RE: Drive hashing-when is it *really* necessary?, Trevor Odonnal
Next by Date:  Re: Drive hashing-when is it *really* necessary?, Alvin Oga
Previous by Thread:  Re: Drive hashing-when is it *really* necessary?, Alvin Oga
Next by Thread:  Re: Drive hashing-when is it *really* necessary?, Anders Thulin
Indexes:  [Date] [Thread] [Top] [All Lists]