
Time to Migrate to SHA-1 Hash Algorithm, Lab Report Example


Log of Forensic Analysis

Step 1: The first step is to log in to Adepto by using the allocated User ID and Password along with the case number.

Step 2: Select the device from the drop-down options menu. Patience is required, as the details of the device will be imported into the fields available below the drop-down options menu.

Step 3: User can modify the serial number, manufacturer, model and fields. However, user cannot modify sector numbers, size and type of bus, as all these details are imported in the fields directly.

Step 4: User will select the tab named as ‘Acquire’ and select the fields as per the required scenario. Likewise, the user will select DCFLDD type for the image with hashing algorithm: MD5 along with 1MB image file segments.

Step 5: User will select and press the ‘Start’ button to initiate image creation. The time required depends on the size of the media, and after successful image creation a message will appear on the screen, i.e. ‘Verify Successful’.

Step 6: User will click on the option called as ‘Restore/Clone’. For restoring a device or a data file, image file can be selected and stored on a separate location. For cloning the device, source device can be selected along with the destination device, as the cloned files will be stored at this destination.

Step 7: User will press the ‘Log’ option for reviewing activity logging of all the activities performed during the acquisition process. These logs will provide information on Central Processing Unit, Motherboard, Random Access Memory, related hardware components, media devices and all the associate interconnected devices.

Step 8: User will click on the option called as ‘Chain of Custody’ for reviewing primary information of the device along with the access of the user who has accessed the images and devices that are produced. Moreover, user can also produce a .pdf file of ‘Chain of custody’, as it can be utilized afterwards in the device examination process.
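What the hash selected in Step 4 and the verification in Step 5 amount to for an image split into 1MB segments, as an added example (not Adepto's or dcfldd's own code). The segment file names and the sample device contents are constructed assumptions.

```python
import hashlib
import os
import tempfile

SEGMENT_SIZE = 1024 * 1024  # 1MB image file segments, as chosen in Step 4

def write_segments(data, directory, base="evidence.dd"):
    """Write raw bytes as numbered segments (evidence.dd.000, .001, ...); naming is assumed."""
    paths = []
    for n, off in enumerate(range(0, len(data), SEGMENT_SIZE)):
        path = os.path.join(directory, f"{base}.{n:03d}")
        with open(path, "wb") as fh:
            fh.write(data[off:off + SEGMENT_SIZE])
        paths.append(path)
    return paths

def hash_segments(paths, algorithms=("md5", "sha1")):
    """Stream the segments in order through every algorithm in a single pass."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    for path in sorted(paths):
        with open(path, "rb") as fh:
            for block in iter(lambda: fh.read(65536), b""):
                for h in hashers.values():
                    h.update(block)
    return {name: h.hexdigest() for name, h in hashers.items()}

def verify(paths, recorded):
    """Per-algorithm True/False against the digests recorded at acquisition."""
    current = hash_segments(paths, tuple(recorded))
    return {name: current[name] == recorded[name].lower() for name in recorded}

def demo():
    device = bytes(range(256)) * 10240  # constructed 2.5 MB of "device" data
    with tempfile.TemporaryDirectory() as tmp:
        paths = write_segments(device, tmp)
        recorded = hash_segments(paths)  # what the acquisition log would hold
        same_as_whole = recorded["md5"] == hashlib.md5(device).hexdigest()
        intact = verify(paths, recorded)
        with open(paths[1], "r+b") as fh:  # flip one bit in the second segment
            fh.seek(100)
            byte = fh.read(1)[0]
            fh.seek(100)
            fh.write(bytes([byte ^ 0x01]))
        tampered = verify(paths, recorded)
    return len(paths), same_as_whole, intact, tampered

if __name__ == "__main__":
    print(demo())
```

Hashing the segments in order gives the same digest as hashing the unsplit device, so the recorded value stays valid however the image is segmented.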

Report a Letter to the Professor

I am writing you this letter because I want to inform you about the laboratory test that was conducted on the Virtual Machine Virtual Drive. This letter will provide the insights of all the steps that were executed along with their results.

The testing was executed by utilizing Adepto imaging program available in the Helix Live CD. Likewise, the Virtual Machine was connected on a Small Computer System Interface (SCSI) bus. Moreover, the image was produced on a DCFLDD format by incorporating MD5 hashing algorithm. The testing verified the image and after the creation of the image, chain of custody form was established showing the drive details, hash type, file format for the user and image and its name. After validating all the information, a PDF was established.

The laboratory provided a great learning experience, as tests were performed on the Virtual Machine drive by utilizing Adepto imaging application within the Ubuntu Linux environment.

What types of forensic image formats does Adepto support?

The application provides a rich graphical user interface that can be accessed via the Helix Live CD. Likewise, it is utilized for acquisition of drive images along with data files by establishing forensically sound images from the hard disk drive to additional media devices. Moreover, Adepto is compatible with two forensic image formats, i.e. Department of Defense Computer Forensic Laboratory DCFLDD and DCFLDD. Essential features of this format include faster disk wiping, hashing on the fly and disk wiping (Sourceforge, 2013). Furthermore, the Advanced Forensic Format (AFF) is open source and agile, and is unencumbered by trade secrets and by patents (Garfinkel et al., 2013).

What kind of write blocking does Helix provide?

Helix supports a ‘read only’ function as its write block for Linux-compatible imaging applications, as it is a native function. Likewise, Helix is available on a live CD and it is a CD-based forensic application which does not support automated access to media, making it a choice of millions and a perfect application for write blocking. Moreover, Helix restricts mounting of swap partitions that hold data and any other metadata files. Consequently, Helix facilitates acquisition of evidence without the use of a hardware-based write block device (Harris, n.d).

Explain the advantages and disadvantages of different write-blocking techniques for forensic imaging?

Generally, there are two types of write blocking, i.e. hardware write blocking and software write blocking. Hardware write blocking has the following advantages and disadvantages:

Advantages

  • It is not dependent on system hardware or software such as operating systems
  • Easier to understand and easily adaptable for non-technical users
  • Its status is easy to read, as it is indicated by lights and switches
  • Native features already available for SATA, IDE, SCSI etc.
  • The forensic community readily accepts it

Disadvantages

  • The hardware needs to be carried along with the examiner
  • There is a probability of mishandling the device, or dropping it on a hard floor and causing a hardware failure
  • No new interfaces can be added (Newton, 2010)

Software write-blocking:

Advantages

  • No additional hardware is required, as the write blocker is installed on the image acquisition system
  • Any interface can be utilized for the imaging system, which saves cost

Disadvantages

  • A hardware component, i.e. an adapter, is still required to access the interface of the drives that need imaging
  • Not friendly for non-technical forensic examiners
  • Dependent on both hardware and software, making it more complex in case of a failure of a hardware-based component or a software crash

Why would a forensic examiner possibly select a different cryptographic hash type from MD5?   

MD5 is a cryptographic function that provides only a one-way hashing mechanism. Likewise, its fixed-length output value, called a hash, consists of thirty-two hexadecimal digits. Any modification of the original content will change the hash value, showing that the integrity of the data has been breached. Moreover, these hash functions are also incorporated in many types of authentication mechanisms such as non-repudiation, digital signatures, validating file integrity etc. Because the hash has a fixed length, there are more possible input values than unique hash values. Consequently, multiple input values must produce the same hash value. This concept is called a hash collision (Cobb, 2005).

What is the MD5 hash value of your image in Lab 1?   

MD5 Hash value = f71625daed269ba7145a6e6b27fcb89a

What are some reasons that make Helix a forensically sound method for forensic collection of digital evidence?

Helix is a forensic toolkit that has the functionality of both incident response and computer forensics, and it is embedded on a well-known live bootable CD known as Knoppix. Likewise, the live bootable CD has various incident response tools for both Microsoft Windows and Linux platforms.

Helix provides functionality for drive imaging, volatile data, centralized incident response and also provides support for the Internet history of the user. Likewise, the data integrity is secured with 256 Advanced Encryption Standard (AES) encryption (Krause, 2013). Moreover, Helix provides ease of use to the users, as a CD needs to be inserted with the boot from CD option. Likewise, a forensic examiner can gather data via audit tools and copy data from a suspected system. After booting from the CD, Helix gives a broad view for accessing various forensic tools that allow a bit-by-bit copy of data to other connected media, along with the functionality of recovering deleted and infected files (Sidel, 2007).

What is the significance of the Chain of Custody PDF form from Adepto? Why is it needed?

Chain of custody is a document that can be presented in a court of law. It provides information associated with the forensic investigator's access to media devices and data, along with the date and time stamp of evidence collection, image name, file name, file size, the name of the forensic investigator who created the image, image type and hash/encryption type as well. The court requires authentic and foolproof data along with all the associated information on how the data was accessed, who accessed it, how the evidence was captured etc. If any one of the rules is breached, the data will have no value in the court.

What is the significance of the Adepto logs? Why are they needed?

The logs of Adepto help forensic investigators track the information extracted from media. If any step is skipped or any human error is made during an investigation or data gathering process, it can be rectified by reviewing the logs.

What is the significance of the forensic investigator’s individual reports and logs?

These individual reports incorporate the list associated with all the gathered evidence along with a hard copy or printed copy of documents illustrated as appendices and an executive summary. In some situations, interim reports are required from the auditors, as these reports provide input until the completion of an investigation. Along with the logs, reports also provide a broader view to the forensic investigators for his/her findings in the court, if required (Purita, 2006).

Why are cryptographic hashes such as MD5 and SHA1 needed? Why would an investigator not use a CRC or some other value?    

Both of these cryptographic hash functions, MD5 (128 bit) and SHA1 (160 bit), are based on a passed byte mechanism. However, MD5 is not considered to be a secure hashing algorithm, as it is susceptible to collision attacks (Dzone, 2010). On the other hand, SHA1 is comparatively more secure. Both of these hashing algorithms help the forensic investigator identify and detect very minor modifications within a message that are not detected by a CRC.
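The structural difference between a CRC and a cryptographic hash, as an added example that is not part of the original report. Flipping a given input bit changes CRC-32 by an amount that depends only on the bit position, not on the data, so the effect of an edit on the CRC can be computed in advance; MD5 and SHA1 have no such property. The two sample sectors are constructed.

```python
import hashlib
import zlib

def flip_bit(data, bit):
    """Return a copy of data with one bit inverted."""
    out = bytearray(data)
    out[bit // 8] ^= 1 << (bit % 8)
    return bytes(out)

def crc32_int(data):
    return zlib.crc32(data) & 0xFFFFFFFF

def md5_int(data):
    return int.from_bytes(hashlib.md5(data).digest(), "big")

def sha1_int(data):
    return int.from_bytes(hashlib.sha1(data).digest(), "big")

def delta(checksum, data, bit):
    """XOR difference in the checksum caused by flipping one input bit."""
    return checksum(data) ^ checksum(flip_bit(data, bit))

def delta_is_content_independent(checksum, msg_a, msg_b, bit):
    """True if the same bit flip changes the checksum identically for both messages."""
    return delta(checksum, msg_a, bit) == delta(checksum, msg_b, bit)

# Constructed 512-byte sample sectors with unrelated contents.
SECTOR_A = b"A" * 512
SECTOR_B = bytes(range(256)) * 2

def demo(bit=1000):
    """Check the property for each function on the two sample sectors."""
    functions = (("crc32", crc32_int), ("md5", md5_int), ("sha1", sha1_int))
    return {name: delta_is_content_independent(fn, SECTOR_A, SECTOR_B, bit)
            for name, fn in functions}

if __name__ == "__main__":
    print(demo())
```

A CRC is designed to catch accidental transmission errors; because its response to a change is linear and predictable, a matching CRC says nothing about deliberate modification.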

References

Cobb, M. (May 2010). MD5 security: Time to Migrate to SHA-1 Hash Algorithm? Retrieved from, http://searchsecurity.techtarget.com/answer/MD5-security-Time-to-migrate-to-SHA-1-hash-algorithm

DZone. (June 2010). Generating MD5 and SHA1 Checksums for a File. Retrieved from, http://dotnet.dzone.com/articles/generating-md5-and-sha1

Garfinkel et al. (2013). Advanced Forensic Format: An Open, Extensible Format for Disk Imaging. Retrieved from, http://cs.harvard.edu/malan/publications/aff.pdf

Newton, D. (May 2010). Write Blockers – Hardware vs Software. Retrieved from,  http://dereknewton.com/2010/05/write-blockers-hardware-vs-software/

Purita, Ryan. (September 2006). Computer Forensics: A Valuable Audit Tool. Retrieved from, http://www.theiia.org/intAuditor/itaudit/archives/2006/september/computer-forensics-a-valuable-audit-tool-1/

Sidel, S. (May 2007). Digital forensics tool Helix ‘does no harm’. Retrieved from, searchsecurity.techtarget.com/tip/Digital-forensics-tool-Helix-does-no-harm

Sourceforge. (2013). Retrieved from, http://sourceforge.net/projects/dcfldd/
