# Chapter 8: On the Use of Hash Functions in Computer Forensics


## Transcription

Chapter 8: On the Use of Hash Functions in Computer Forensics

Harald Baier, Hochschule Darmstadt, CASED, WS 2011/2012

Harald Baier, Hash Functions in Forensics / WS 2011/2012

Fuzzy Hashing

### Use Case: Prosecution

1. Police and prosecutors confronted with different storage media:
   - Hard disk drives, solid-state drives, USB sticks.
   - Mobile phones, SIM cards.
   - Digital cameras, digital camcorders, SD cards.
   - CDs, DVDs.
   - RAM (dumps).
2. Amount of distrained data often exceeds 1 terabyte.

### Different views of 1 terabyte

1 terabyte of digital text is (approximately) equal to:

1. 1 trillion characters: 1 character = 1 byte.
2. million pages: 1 page = 5000 characters.
3. years of printing time: 20 sheets per minute.
4. million kg of paper: one-sided printed.
5. Paper stack of 22 km height: bulk of 0.1 mm.

### Finding relevant files resembles...

(Images. Sources: tu-harburg.de, beepworld.de)

### ... or is it solved for suspect files?

### Definition and Security Applications

1. A hash function $h$ is a function with two properties:
   - Compression: $h : \{0,1\}^* \to \{0,1\}^n$.
   - Ease of computation: Computation of $h(m)$ is fast in practice.
2. Notation:
   - $m$ is a document (e.g. a file, a device).
   - $h(m)$ is its hash value or digest.
3. Sample security applications:
   - Storage of passwords.
   - Electronic signatures (MAC, asymmetric signatures).
   - Computer forensics.

### Hash Functions in Cryptography

For use in cryptography, we have to impose further conditions:

1. Preimage Resistance: Let a hash value $H \in \{0,1\}^n$ be given. It is infeasible in practice to find an input (i.e. a document $m$) with $H = h(m)$.
2. Second Preimage Resistance: Let a document $m \in \{0,1\}^*$ be given. It is infeasible in practice to find a second document $m'$ with $m' \neq m$ and $h(m) = h(m')$.
3. Collision Resistance: It is infeasible in practice to find any two documents $m, m'$ with $m \neq m'$ and $h(m) = h(m')$.

### Avalanche Effect

1. Let $m$ and $h(m)$ be given. If $m$ is replaced by $m'$, $h(m')$ behaves pseudo randomly. $\Rightarrow$ No control over the output, if the input is changed.
2. Consequences:
   - If only one bit in $m$ is changed to get $m'$, the two outputs $h(m)$ and $h(m')$ look very different.
   - Every bit in $h(m')$ changes with probability 50%, independently of the number of different bits in $m'$.

### Sample Cryptographic Hash Functions

| Name | MD5 | SHA-1 | SHA-256 | SHA-512 | RIPEMD-160 |
|------|-----|-------|---------|---------|------------|
| n    |     |       |         |         |            |

Demo:

1. Computation of hash values using openssl.
2. Avalanche effect.
3. Performance.

### Use Cases

1. Ensure authenticity and integrity during data acquisition.
   - Relevant for both dead and live analysis.
   - Hash values must be protected:
     - Written down by hand in investigation notebook.
     - Compute a digital signature over it.
2. Identify known files:
   - Whitelisting: Known to be good files.
   - Blacklisting: Known to be bad files.
3. Bloom filters to efficiently identify a large set of files.

Relevant security property of the hash function: Second-preimage resistance.

### Data Acquisition: Dead analysis

1. Investigation is performed on a copy.
2. Main goal of hashing: Preserve chain of custody.
3. Common approach for a storage medium:
   - Compute hash value $h_1$ over the whole original volume.
   - Write hash value $h_1$ down in physical logbook.
   - Make a 1-to-1 copy of the volume using dd.
   - Compute hash value $h_2$ over the copy.
   - Write hash value $h_2$ down in physical logbook.
   - Work read-only on copy.
   - To prove chain of custody, compute $h_2$ again and check, if $h_1 = h_2$ holds.

### Example: Save first partition of a HDD (chain of custody preserved)

```
$ openssl dgst -sha1 /dev/hda1
SHA1(/dev/hda1)= c1e4449bfd504b60e85447afaa3cd100f7e59dad
$ dd if=/dev/hda1 of=image-hda1.dd bs=512
$ openssl dgst -sha1 image-hda1.dd
SHA1(image-hda1.dd)= c1e4449bfd504b60e85447afaa3cd100f7e59dad
[INVESTIGATE read-only image-hda1.dd]
$ openssl dgst -sha1 image-hda1.dd
SHA1(image-hda1.dd)= c1e4449bfd504b60e85447afaa3cd100f7e59dad
```

### Example: Save first partition of a HDD (chain of custody destroyed)

```
$ openssl dgst -sha1 /dev/hda1
SHA1(/dev/hda1)= c1e4449bfd504b60e85447afaa3cd100f7e59dad
$ dd if=/dev/hda1 of=image-hda1.dd bs=512
$ openssl dgst -sha1 image-hda1.dd
SHA1(image-hda1.dd)= c1e4449bfd504b60e85447afaa3cd100f7e59dad
[INVESTIGATE read-only image-hda1.dd]
$ openssl dgst -sha1 image-hda1.dd
SHA1(image-hda1.dd)= 568c68d97baf f509343b8b02d324e3d8
```

### Hash Functions in Data Acquisition: Assessment

1. Key problem: If original and copy differ by at least 1 bit, the chain of custody is broken.
2. Solutions:
   - Compute hashes over smaller pieces of the input (e.g. file system blocks). This leads to segment hashes.
   - Perform a binary search over original and copy to find differences.

### Whitelisting

1. Underlying Idea:
   - Generate a database of known to be good files. Let $G$ denote this set.
   - Identify automatically an unsuspicious file on base of its hash value, which matches a fingerprint of a file in $G$.
   - Exclude a known to be good file from further investigation.
   - Significant reduction of irrelevant data.
2. Examples of unsuspicious files:
   - System files of operating systems.
   - Well-known benign applications like browsers, editors, ...
3. Widespread database: Reference Data Set (RDS) of the National Software Reference Library (NSRL), maintained by NIST.

### NSRL-RDS

1. Website
2. Current download version: RDS 2.34 from October
3. Original software is kept to ensure court worthiness.
4. Propagated via CD. Download of iso-images from website via http.
5. RDS 2.34 comprises four iso-images of about 1.2 GB size.
6. Contains files and unique SHA-1 values (due to duplications across different software distributions).
7. Entries are arranged according to the SHA-1 values.

### NSRL-RDS: Sample entries

```
$ less NSRLFile.txt
"SHA-1","MD5","CRC32","FileName","FileSize","ProductCode","OpSystemCode","SpecialCode"
" EDD92C4E3D2E F849","392126E756571EBF112CB1C1CDEDF926","EBD105A0","I05002T2.PFB",98865
" DA6391F7F5D2F7FCCF36CEBDA60C6EA02","0E53C14A3E48D94FF596A B492","AA6A7B16","00br2026.gif",2226,
"000000A9E47BD385A0A3685AA12C2DB6FD727A20","176308F27DD52890F013A3FD80F92E51","D749B562","femvo523.wav",42748
" AFA836117B1B572FAE4713F200567","9B3702B0E788C6D FE3C9786A","05E566DF","J JPG",32768
" AFA836117B1B572FAE4713F200567","9B3702B0E788C6D FE3C9786A","05E566DF","J JPG",32768
" AFA836117B1B572FAE4713F200567","9B3702B0E788C6D FE3C9786A","05E566DF","J JPG",32768
" AFA836117B1B572FAE4713F200567","9B3702B0E788C6D FE3C9786A","05E566DF","J JPG",32768
" AFA836117B1B572FAE4713F200567","9B3702B0E788C6D FE3C9786A","05E566DF","J JPG",32768
" AFA836117B1B572FAE4713F200567","9B3702B0E788C6D FE3C9786A","05E566DF","J JPG",32768
```

```
"SHA-1","MD5","CRC32","FileName","FileSize","ProductCode",\
"OpSystemCode","SpecialCode"
" EDD92C4E3D2E F849",\
"392126E756571EBF112CB1C1CDEDF926",\
"EBD105A0","I05002T2.PFB",98865,3095,"WIN",""
```

### Whitelisting: Anti-detection

1. Task: Find a suspicious file $s$ with $h(s) = h(g)$:
   - Attacker has to solve the second preimage problem for some $g \in G$.
   - As of today hardly possible (even for MD5).
   - If RDS is used, both SHA-1 and MD5 preimages have to be found.
2. Attack the whitelist:
   - Breach integrity and authenticity of whitelist.
   - Example: Attack the distribution channel. If RDS is downloaded via http, spoofing is possible.

### Whitelisting: Assessment

1. General assessment:
   - Well-known and established process in computer forensics.
   - If database is trusted, no false positives (positive = benign).
2. Possible bottleneck: Size of database.
   - Size of database is increasing.
   - Currently RDS is about 6 gigabyte.

### Blacklisting

1. Underlying idea:
   - Generate a database of known to be bad files. Let $B$ denote this set.
   - Find automatically a suspicious file on base of its fingerprint, which matches a fingerprint of a file in $B$.
2. Sample suspect files:
   - Malware.
   - Encryption or steganographic software.
   - Corporate secrets.
   - IPR protected files.
   - Child pornography.

### Blacklisting: Evaluation

1. Anti-detection approach:
   - Let a suspicious file $b \in B$ be given.
   - Change some (irrelevant) bit of $b$ to get $b'$.
   - Consequence: $h(b')$ is very different from $h(b)$. $b'$ is not detected automatically.
2. Core problem:
   - Cryptographic requirements of a hash function and forensic goals are complementary.
   - A suspicious file similar to an element of $B$ is not detected.
3. Fragments of elements of $B$ are not identified, too.

### Fuzzy Hashing

### Goals

1. Overcome drawbacks of cryptographic hash functions in the context of computer forensics.
2. Main drawbacks are:
   - Data acquisition: Integrity of copy is destroyed, if some bits change.
   - White-/Blacklisting: Suspect files similar to known to be bad files are not detected.
   - Fragments are not detected (due to deletion, fragmentation).
3. Currently known approaches:
   - Segment hashes (also called block hashes): Tool dcfldd.
   - Context-triggered piecewise hashes: Tool ssdeep.
   - Similarity digests: Tool sdhash.

### Segment Hashes

1. Underlying idea:
   - Split input data (volume, file) in blocks of fixed length.
   - Compute for each segment its cryptographic hash.
   - Lookup in hash database for matches.
2. Original aim: Improve integrity of storage media.

### Segment Hashes: Example from NIST

1. Sample tool of Nicholas Harbour (since 2002):
   - dcfldd: An extension of dd.
   - Department of Defense Computer Forensics Laboratory.
   - Provides MD5, SHA-1, SHA-2 family.
2. Evaluation by NIST (Douglas White, 2008):
   - Hashing of File Blocks: When Exact Matches are not Useful.
   - NIST worked on Windows 2000 and XP OS files.
   - Main result: File-based data reduction leaves an average 30% of disk space for human investigation. Incorporating block hashes reduces this to an average of 15%.
   - Assist in recognising wiped media.

### Example: Save first partition of a HDD (chain of custody preserved)

```
$ dcfldd if=/dev/hda1 of=image-hda1.dd bs=512 hashwindow=4096 hash=sha
: da0bd2b16c7cd5acb5695e9d81fb6d832cba85312d87e08d0c675e41b608de
: 281f4b8ac2dcda0f3fd9a0642a694fedf829d7567a531b1cfc8925f94eebe7a
: 1c05a3c7251b666c1ec4a2b689e25f95a92a311613ce685fdf7cbf e
: 6c9c17f271f18587bcccf8f9c6154b4bff764664a3eb8ddf c5c4698b
: c61cd658e73450dfb0dfc9a1d83cdbddd162d9194d81f27f0516bb107280e841
[REMOVED]
$ dcfldd if=image-hda1.dd of=/dev/null bs=512 hashwindow=4096 hash=sha
: da0bd2b16c7cd5acb5695e9d81fb6d832cba85312d87e08d0c675e41b608de
: 281f4b8ac2dcda0f3fd9a0642a694fedf829d7567a531b1cfc8925f94eebe7a
: 1c05a3c7251b666c1ec4a2b689e25f95a92a311613ce685fdf7cbf e
: 6c9c17f271f18587bcccf8f9c6154b4bff764664a3eb8ddf c5c4698b
: c61cd658e73450dfb0dfc9a1d83cdbddd162d9194d81f27f0516bb107280e841
[REMOVED]
```

### Example: Save first partition of a HDD (chain of custody partly destroyed)

```
$ dcfldd if=/dev/hda1 of=image-hda1.dd bs=512 hashwindow=4096 hash=sha
: da0bd2b16c7cd5acb5695e9d81fb6d832cba85312d87e08d0c675e41b608de
: 281f4b8ac2dcda0f3fd9a0642a694fedf829d7567a531b1cfc8925f94eebe7a
: 1c05a3c7251b666c1ec4a2b689e25f95a92a311613ce685fdf7cbf e
: 6c9c17f271f18587bcccf8f9c6154b4bff764664a3eb8ddf c5c4698b
: c61cd658e73450dfb0dfc9a1d83cdbddd162d9194d81f27f0516bb107280e841
[REMOVED]
$ dcfldd if=image-hda1.dd of=/dev/null bs=512 hashwindow=4096 hash=sha
: da0bd2b16c7cd5acb5695e9d81fb6d832cba85312d87e08d0c675e41b608de
: 281f4b8ac2dcda0f3fd9a0642a694fedf829d7567a531b1cfc8925f94eebe7a
: 1c05a3c7251b666c1ec4a2b689e25f95a92a311613ce685fdf7cbf e
: f361bc439d0fc4215eba5523cba663c5371d47c358d68b a29e972e
: c61cd658e73450dfb0dfc9a1d83cdbddd162d9194d81f27f0516bb107280e841
[REMOVED]
```

### Segment Hashes: Evaluation

1. Anti-Blacklisting is very easy:
   - Introduce an irrelevant byte in the first sector.
   - All segment hashes differ from the stored segment hashes.
   - Modified suspect file is not detected.
   - Demo.
2. A good technique for whitelisting (see NIST results).
3. Size of segment hash database is large:
   - 4096 byte block size, SHA-1.
   - size of hash database / size of raw data = = =
   - 1 terabyte of raw data yields a 5 gigabyte hash database.
4. Hash database depends on the hashwindow size.
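The two behaviours of segment hashes described above (an in-place change is localised to one window, while an inserted byte shifts every window) together with the database size estimate, as an added Python example; it is not part of the original slides and not dcfldd's code. The image contents are constructed test data, and all function names are assumptions of this example.

```python
import hashlib


def make_image(n_bytes: int) -> bytes:
    """Constructed stand-in for a disk image: deterministic, non-repeating bytes."""
    out = bytearray()
    counter = 0
    while len(out) < n_bytes:
        out += hashlib.sha256(counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:n_bytes])


def segment_hashes(data: bytes, window: int = 4096, algo: str = "sha256") -> list:
    """Hash every fixed-length window of `data`; the last window may be shorter."""
    return [
        hashlib.new(algo, data[off:off + window]).hexdigest()
        for off in range(0, len(data), window)
    ]


def differing_windows(ref: list, other: list) -> list:
    """Indices of windows whose hashes differ; a window missing on one side counts."""
    longest = max(len(ref), len(other))
    return [
        i for i in range(longest)
        if i >= len(ref) or i >= len(other) or ref[i] != other[i]
    ]


def hash_db_size(raw_bytes: int, window: int = 4096, digest_len: int = 20) -> int:
    """Bytes needed to store one digest per window (20 bytes = one SHA-1 value)."""
    windows = -(-raw_bytes // window)  # ceiling division
    return windows * digest_len


def demo() -> dict:
    original = make_image(5 * 4096)
    reference = segment_hashes(original)

    # Case 1: a single bit flips in place inside window 3 of the copy.
    copy = bytearray(original)
    copy[3 * 4096 + 100] ^= 0x01
    in_place = differing_windows(reference, segment_hashes(bytes(copy)))

    # Case 2: one byte is inserted at the front, so every window is shifted.
    shifted = b"\x00" + original
    inserted = differing_windows(reference, segment_hashes(shifted))

    return {
        "in_place": in_place,
        "inserted": inserted,
        "db_bytes_per_terabyte": hash_db_size(10**12),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The in-place change is reported for one window only, so the remaining windows of the image can still be verified; the insertion invalidates every window, which is the alignment problem that context triggered piecewise hashing addresses.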

### Context Triggered Piecewise Hashes

1. Underlying idea:
   - Split input data (volume, file) in blocks of variable length.
   - The end points of the blocks are determined by a rolling hash:
     - Its value only depends on the current context.
     - A window (e.g. of size 7 bytes) slides over the input.
     - Context = Bytes of input data in the current window.
     - If rolling hash matches a trigger value, an end point is set.
     - Rolling hash function is assumed to be pseudo random: P F.
   - Compute for every segment its cryptographic hash.
   - The sequence of these segment hashes is the context triggered piecewise hash (CTPH) of the input.
   - Lookup in hash database for matches.

### Context Triggered Piecewise Hashes

1. Originally proposed for spam detection (spamsum by Andrew Tridgell, 2002).
2. Ported to forensics by Jesse Kornblum, 2006: ssdeep.

### Piecewise Hashes: The algorithm

### CTPH: A sample tool

1. ssdeep (based on spamsum).
2. Window size is
3. CTPH is a sequence of printable characters:
   - Only the least significant 6 bits (LS6B) of a segment hash are considered.
   - LS6B are encoded base
4. ssdeep decides about a match:
   - On base of the edit distance (changing, inserting,... characters) of two CTPHs.
   - Edit distance is rescaled to a percentage match score.
5. Demo.
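A simplified context triggered piecewise hash that follows the description on these slides, as an added Python example; it is not ssdeep's or spamsum's code. The polynomial rolling hash, the trigger modulus 64, SHA-256 as segment hash, the base64 alphabet and the score formula are assumptions of this example, and the input file is constructed test data.

```python
import hashlib
import string

WINDOW = 7                    # bytes of context seen by the rolling hash
BASE = 257
MOD = 1 << 32
TOP = pow(BASE, WINDOW, MOD)  # weight of the byte that leaves the window
B64 = string.ascii_uppercase + string.ascii_lowercase + string.digits + "+/"


def sample_file(n_bytes: int) -> bytes:
    """Constructed input: deterministic, non-repeating bytes."""
    out = bytearray()
    counter = 0
    while len(out) < n_bytes:
        out += hashlib.sha256(counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:n_bytes])


def end_points(data: bytes, trigger_mod: int = 64):
    """Yield index i whenever the rolling hash over data[i-6..i] hits the trigger."""
    h = 0
    ring = bytearray(WINDOW)  # last WINDOW bytes, zero until filled
    for i, byte in enumerate(data):
        leaving = ring[i % WINDOW]
        ring[i % WINDOW] = byte
        h = (h * BASE + byte - leaving * TOP) % MOD
        # Only a full window counts as context, so the value depends on
        # exactly the last WINDOW input bytes and nothing before them.
        if i >= WINDOW - 1 and h % trigger_mod == trigger_mod - 1:
            yield i


def ls6b_char(segment: bytes) -> str:
    """Least significant 6 bits of the segment hash as one printable character."""
    return B64[hashlib.sha256(segment).digest()[-1] & 0x3F]


def ctph(data: bytes, trigger_mod: int = 64) -> str:
    chars, start = [], 0
    for end in end_points(data, trigger_mod):
        chars.append(ls6b_char(data[start:end + 1]))
        start = end + 1
    if start < len(data):     # trailing bytes after the last end point
        chars.append(ls6b_char(data[start:]))
    return "".join(chars)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: insertions, deletions and substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def match_score(a: str, b: str) -> int:
    """Edit distance rescaled to 0..100 (this example's formula, not ssdeep's)."""
    longest = max(len(a), len(b))
    if longest == 0:
        return 100
    return round(100 * (1 - edit_distance(a, b) / longest))


def demo():
    original = sample_file(8192)
    modified = b"\x00" + original          # one byte inserted at the front
    a, b = ctph(original), ctph(modified)
    return a, b, edit_distance(a, b), match_score(a, b)


if __name__ == "__main__":
    a, b, dist, score = demo()
    print(a[:32], b[:32], dist, score, sep="\n")
```

Because end points depend only on the bytes inside the window, they realign right after the inserted byte: everything in the digest after the first piece is unchanged, and the match score stays high where a cryptographic hash over the whole file would differ completely.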

### CTPH: Sample Research Questions

1. Rolling hash:
   - Shall be efficient and pseudo random.
   - Current implementation is fast, but not pseudo random.
   - Task: Find a slightly slower, but pseudo random rolling hash.
2. Fragment detection:
   - Kornblum's approach fails, if fragments are much smaller than the original file.
   - Task: Find a different approach.
3. Edit distance:
   - Kornblum's approach addresses text files (due to spam detection).
   - Task: Find a more general approach, which also addresses images, videos,...

### Vision Fuzzy Hashing

1. Find a similarity preserving hash function.
   - Fuzzy hash function, denoted by $f$.
   - $m$ and $m'$ are similar $\Rightarrow$ $f(m)$ and $f(m')$ are similar, too.
2. Find a general (forensic) metric to measure similarity:
   - Let $d : \{0,1\}^* \times \{0,1\}^* \to \mathbb{R}^+_0$ be such a metric.
   - $d$ shall be applicable to txt, doc, odt, jpg, bmp, devices, ...
3. $f$ is a function with $d(m_1, m_2) \approx d(f(m_1), f(m_2))$.

### Fuzzy Hashing: Applications

1. Forensics (on the file level): Detect similar files.
   - Blacklisting: Detect manipulated suspicious files. Find fragments of suspicious data.
   - Whitelisting: Find changed unsuspicious files.
2. Biometrics: Template protection.
3. Malware: Detect obfuscated malware (e.g. metamorphic malware).
4. Junk mail detection.

### Questions?


### CS 393 Network Security. Nasir Memon Polytechnic University Module 11 Secure Email

CS 393 Network Security Nasir Memon Polytechnic University Module 11 Secure Email Course Logistics HW 5 due Thursday Graded exams returned and discussed. Read Chapter 5 of text 4/2/02 Module 11 - Secure

### Chapter 6 Electronic Mail Security

Cryptography and Network Security Chapter 6 Electronic Mail Security Lectured by Nguyễn Đức Thái Outline Pretty Good Privacy S/MIME 2 Electronic Mail Security In virtually all distributed environments,

### CA DLP. Stored Data Integration Guide. Release 14.0. 3rd Edition

CA DLP Stored Data Integration Guide Release 14.0 3rd Edition This Documentation, which includes embedded help systems and electronically distributed materials, (hereinafter referred to as the Documentation

### Presentation on Black Hat Europe 2003 Conference. Security Analysis of Microsoft Encrypting File System (EFS) http://www.elcomsoft.

Presentation on Black Hat Europe 2003 Conference Security Analysis of Microsoft Encrypting File System (EFS) Microsoft Encrypting File System Encrypting File File System System (EFS) (EFS) is is a a new

### A Standards-based Approach to IP Protection for HDLs

A Standards-based Approach to IP Protection for HDLs John Shields Staff Engineer, Modelsim Overview Introduction A Brief Status First Look at The Flow Encryption Technology Concepts Key Management Second

### CIS 6930 Emerging Topics in Network Security. Topic 2. Network Security Primitives

CIS 6930 Emerging Topics in Network Security Topic 2. Network Security Primitives 1 Outline Absolute basics Encryption/Decryption; Digital signatures; D-H key exchange; Hash functions; Application of hash

### Capturing a Forensic Image. By Justin C. Klein Keane 12 February, 2013

Capturing a Forensic Image By Justin C. Klein Keane 12 February, 2013 Before you Begin The first step in capturing a forensic image is making an initial determination as to the

### Design and Analysis of Methods for Signing Electronic Documents Using Mobile Phones

Design and Analysis of Methods for Signing Electronic Documents Using Mobile Phones Pramote Kuacharoen School of Applied Statistics National Institute of Development Administration 118 Serithai Rd. Bangkapi,

### Automating Linux Malware Analysis Using Limon Sandbox Monnappa K A monnappa22@gmail.com

Automating Linux Malware Analysis Using Limon Sandbox Monnappa K A monnappa22@gmail.com A number of devices are running Linux due to its flexibility and open source nature. This has made Linux platform

### Randomized Hashing for Digital Signatures

NIST Special Publication 800-106 Randomized Hashing for Digital Signatures Quynh Dang Computer Security Division Information Technology Laboratory C O M P U T E R S E C U R I T Y February 2009 U.S. Department

### DRAFT Standard Statement Encryption

DRAFT Standard Statement Encryption Title: Encryption Standard Document Number: SS-70-006 Effective Date: x/x/2010 Published by: Department of Information Systems 1. Purpose Sensitive information held

### What is network security?

Network security Network Security Srinidhi Varadarajan Foundations: what is security? cryptography authentication message integrity key distribution and certification Security in practice: application

### Checksums, your best friends, for security

Published in Linux for You, August 2008 issue. - - - - - - - - - - - - - - - - Checksums, your best friends, for security S. Parthasarathy drpartha@gmail.com Imagine that you write an electronic cheque

### One-Way Encryption and Message Authentication

One-Way Encryption and Message Authentication Cryptographic Hash Functions Johannes Mittmann mittmann@in.tum.de Zentrum Mathematik Technische Universität München (TUM) 3 rd Joint Advanced Student School

### Message Authentication

Message Authentication message authentication is concerned with: protecting the integrity of a message validating identity of originator non-repudiation of origin (dispute resolution) will consider the

### Network Security. Abusayeed Saifullah. CS 5600 Computer Networks. These slides are adapted from Kurose and Ross 8-1

Network Security Abusayeed Saifullah CS 5600 Computer Networks These slides are adapted from Kurose and Ross 8-1 Public Key Cryptography symmetric key crypto v requires sender, receiver know shared secret

### FortKnox Personal Firewall

FortKnox Personal Firewall User Manual Document version 1.4 EN ( 15. 9. 2009 ) Copyright (c) 2007-2009 NETGATE Technologies s.r.o. All rights reserved. This product uses compression library zlib Copyright

### Availability Digest. www.availabilitydigest.com. Data Deduplication February 2011

the Availability Digest Data Deduplication February 2011 What is Data Deduplication? Data deduplication is a technology that can reduce disk storage-capacity requirements and replication bandwidth requirements

### TIPS IN PREVENTING INFORMATION LEAKAGE

TIPS IN PREVENTING INFORMATION LEAKAGE 1 Presented by Christina Keing and Frankie Fu Information Security Section (ISS), ITSC 5 Sept 2008 AIMS 2 AGENDA Recent incidents What information to protect? How

### Network Security. Task 1 Security Measures

Task 1 Security Measures Connecting your computer to a network, particularly the Internet, can put your computer and your data at risk. It is important, therefore, that you take some steps to secure your

### Establishing a Mechanism for Maintaining File Integrity within the Data Archive

Establishing a Mechanism for Maintaining File Integrity within the Data Archive Thomas C. Stein, Edward A. Guinness, Susan H. Slavney Earth and Planetary Sciences, Washington University, St. Louis, MO,

### Chapter 15: Security

Chapter 15: Security Chapter 15: Security The Security Problem Program Threats System and Network Threats Cryptography as a Security Tool User Authentication Implementing Security Defenses Firewalling

### Cryptosystems. Bob wants to send a message M to Alice. Symmetric ciphers: Bob and Alice both share a secret key, K.

Cryptosystems Bob wants to send a message M to Alice. Symmetric ciphers: Bob and Alice both share a secret key, K. C= E(M, K), Bob sends C Alice receives C, M=D(C,K) Use the same key to decrypt. Public

### Digital forensic analysis aims to reconstruct

Hashing and Data Fingerprinting in Digital Forensics Hashing is a primary, yet underappreciated, tool in digital forensic investigations. Recent R&D has demonstrated that, with clever design, we can construct

### www.vmpcrypt.com User s manual Table of content

www.vmpcrypt.com User s manual Table of content 1. INTRODUCTION... 3 2. INSTALLATION OF VMPCRYPT... 3 3. GENERAL IDEA OF CRYPTOGRAPHY AND CRITICAL ROLE OF KEY... 3 4. ENCRYPTION OF FILES AND FOLDERS...

### An Introduction to Cryptography as Applied to the Smart Grid

An Introduction to Cryptography as Applied to the Smart Grid Jacques Benoit, Cooper Power Systems Western Power Delivery Automation Conference Spokane, Washington March 2011 Agenda > Introduction > Symmetric

### Guide to Computer Forensics and Investigations, Second Edition

Guide to Computer Forensics and Investigations, Second Edition Chapter 4 Current Computer Forensics Tools Objectives Understand how to identify needs for computer forensics tools Evaluate the requirements

### Symantec Corporation Symantec Enterprise Vault Cryptographic Module Software Version: 1.0.0.2

Symantec Corporation Symantec Enterprise Vault Cryptographic Module Software Version: 1.0.0.2 FIPS 140 2 Non Proprietary Security Policy FIPS Security Level: 1 Document Version: 1.1 Prepared for: Prepared

### Designing a Secure Client-Server System Master of Science Thesis in the Programme Software Engineering & Technology

Designing a Secure Client-Server System Master of Science Thesis in the Programme Software Engineering & Technology FREDRIK ANDERSSON Department of Computer Science and Engineering CHALMERS UNIVERSITY

### AN INVESTIGATION INTO COMPUTER FORENSIC TOOLS

AN INVESTIGATION INTO COMPUTER FORENSIC TOOLS K.K. Arthur 1 H.S. Venter 2 Information and Computer Security Architectures (ICSA) Research Group University of Pretoria Pretoria Department of Computer Science

### Lecture 9: Application of Cryptography

Lecture topics Cryptography basics Using SSL to secure communication links in J2EE programs Programmatic use of cryptography in Java Cryptography basics Encryption Transformation of data into a form that

### Where is computer forensics used?

What is computer forensics? The preservation, recovery, analysis and reporting of digital artifacts including information stored on computers, storage media (such as a hard disk or CD-ROM), an electronic

### Introduction to Network Security Comptia Security+ Exam. Computer Forensics. Evidence. Domain 5 Computer Forensics

Introduction to Network Security Comptia Security+ Exam Domain 5 Computer Forensics Computer Forensics Forensics relates to the application of scientific knowledge and method to legal problems Investigating

### Web Security (SSL) Tecniche di Sicurezza dei Sistemi 1

Web Security (SSL) Tecniche di Sicurezza dei Sistemi 1 How the Web Works - HTTP Hypertext transfer protocol (http). Clients request documents (or scripts) through URL. Server response with documents. Documents

### Cryptography and Network Security Chapter 12

Cryptography and Network Security Chapter 12 Fifth Edition by William Stallings Lecture slides by Lawrie Brown (with edits by RHB) Chapter 12 Message Authentication Codes At cats' green on the Sunday he

### CS 2112 Spring 2014. 0 Instructions. Assignment 3 Data Structures and Web Filtering. 0.1 Grading. 0.2 Partners. 0.3 Restrictions

CS 2112 Spring 2014 Assignment 3 Data Structures and Web Filtering Due: March 4, 2014 11:59 PM Implementing spam blacklists and web filters requires matching candidate domain names and URLs very rapidly