[Abstract]
The purpose of this document is to provide a basic understanding of how hashing algorithms and cyclic redundancy checks (CRCs) can be used for evidence handling, authentication, and filtering. It is intended for anybody looking to gain a basic understanding of how forensic investigators find evidence that can be used in a court of law.
[Content]
Forensic investigators use a variety of techniques and software applications, and they thoroughly document every detail of the systems they gather evidence from. They are responsible for collecting data from many kinds of volume storage devices, memory sources, and removable storage devices. While searching for evidence they may have to deal with data that has been encrypted, or that exists only as the output of a hashing algorithm. Encrypted data can be decrypted if the key is recovered, but a hash cannot be reversed: it can only be matched, by hashing candidate inputs and comparing the results with the stored value. Investigators may also have to recover valuable data from a memory module or from damaged media, where the cyclic redundancy checks (CRCs) stored alongside the data help to tell intact blocks apart from corrupted ones. Finally, they use hashing algorithms and CRCs for authentication and filtering. The next few paragraphs explain how hashing algorithms and CRCs are used for those two purposes.
There are four kinds of hashes forensic investigators need to be familiar with in order to know which is best suited for authentication and filtering (Hurlbut, 2009). The first is the cryptographic (traditional) hash, such as MD5 or SHA-1, which maps a file to a fixed-size value that changes if even one bit of the file changes. It is used to validate media, to locate exact duplicate files, and to let investigators skip over files whose hash matches a set of known files that contain no evidence (unmodified operating system files, for example). The second is the rolling hash, a hash computed over a small sliding window of the most recent bytes of the input. Its value depends only on that window, so the rolling hash engine can use it to generate reset points that determine where the segments of a file begin and end. The third is the context triggered piecewise hash (CTPH). It combines the previous two: the rolling hash chooses the segment boundaries, a traditional hash is computed over each segment, and the sequence of these piecewise hashes forms a signature. Because an edit only changes the segments it touches, two signatures can be compared to find documents that are similar but not exactly the same. The fourth is the fuzzy hash, the name commonly given to CTPH signatures and their comparison; it is able to compare an active document to partial files that may have been recovered from unallocated space on a system volume. When investigators are deciding which method to use, the traditional hash is best suited for authentication, because a matching value proves that two files are identical, whereas CTPH is more useful for filtering through evidence that consists of near-duplicate or partial files. Because CTPH is built on the traditional hash yet has the flexibility to match files that are not exact duplicates, it is the most useful method for filtering through files while looking for valuable evidence. It does not replace the cryptographic hash for authentication, however: a similarity score shows that two files are related, not that they are the same.
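The four hashes described above, as an added worked example (this code is not from the page or from Hurlbut's paper). The rolling hash follows the ssdeep construction; the CTPH here is simplified by assumption: it uses a fixed block size of 16 (ssdeep derives the block size from the input length) and SHA-256 as the piecewise hash, and the comparison uses Python's `SequenceMatcher` rather than ssdeep's edit-distance scoring. The memo, incident log and "system file" are constructed sample data.

```python
"""Exact-match filtering with a cryptographic hash, and near-match filtering
with a simplified context triggered piecewise hash (CTPH)."""
import hashlib
from difflib import SequenceMatcher

# --- 1. Traditional (cryptographic) hash: exact duplicates, known-file filtering

def sha256_hex(data: bytes) -> str:
    """Any change to the input, even one bit, gives a different value."""
    return hashlib.sha256(data).hexdigest()

def filter_known(files: dict, known_hashes: set) -> dict:
    """Drop files whose SHA-256 is in a set of known, evidence-free files."""
    return {name: data for name, data in files.items()
            if sha256_hex(data) not in known_hashes}

# --- 2. Rolling hash: depends only on the last WINDOW bytes seen ------------

class RollingHash:
    """Same construction as ssdeep's roll_hash, with 32-bit wraparound."""
    WINDOW = 7

    def __init__(self):
        self.win = bytearray(self.WINDOW)
        self.h1 = self.h2 = self.h3 = 0
        self.n = 0

    def update(self, c: int) -> int:
        m = 0xFFFFFFFF
        self.h2 = (self.h2 - self.h1 + self.WINDOW * c) & m
        self.h1 = (self.h1 + c - self.win[self.n % self.WINDOW]) & m
        self.win[self.n % self.WINDOW] = c
        self.n += 1
        self.h3 = ((self.h3 << 5) & m) ^ c
        return (self.h1 + self.h2 + self.h3) & m

# --- 3. CTPH: the rolling hash picks the reset points; each piece gets a
#        traditional hash, reduced to one signature character --------------

B64 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"

def ctph(data: bytes, block_size: int = 16) -> str:
    """Signature 'block_size:chars'. A fixed block_size is an assumption of
    this example; ssdeep chooses it from the input length."""
    roll, sig, start = RollingHash(), [], 0
    for i, c in enumerate(data):
        if roll.update(c) % block_size == block_size - 1:   # reset point
            sig.append(B64[hashlib.sha256(data[start:i + 1]).digest()[0] & 63])
            start = i + 1
    if start < len(data):                                    # trailing piece
        sig.append(B64[hashlib.sha256(data[start:]).digest()[0] & 63])
    return f"{block_size}:{''.join(sig)}"

# --- 4. Fuzzy comparison of two signatures ---------------------------------

def similarity(sig_a: str, sig_b: str) -> int:
    """0..100. Pieces untouched by an edit keep their characters, so the
    signatures of two near-duplicates share most of their sequence."""
    bs_a, body_a = sig_a.split(":", 1)
    bs_b, body_b = sig_b.split(":", 1)
    if bs_a != bs_b:
        return 0
    return round(100 * SequenceMatcher(None, body_a, body_b).ratio())

# Constructed sample data; none of it is real case material.
ORIGINAL = (
    b"Memo to all staff: the quarterly figures are attached. Please review the "
    b"spreadsheet before Friday and send any corrections to the finance mailbox. "
    b"Do not forward this message outside the company. "
) * 3
MODIFIED = ORIGINAL.replace(b"finance mailbox", b"legal team", 1)   # one small edit
UNRELATED = (
    b"Incident log 2214: the night-shift operator reported that the loading "
    b"dock camera went offline at 03:10 and came back at 03:42 after a reboot. "
    b"No other alarms were raised during that window. "
) * 3
KNOWN_SYSTEM_FILE = b"Constructed stand-in for an untouched operating system file.\n" * 8

def demo() -> dict:
    files = {"memo.txt": ORIGINAL, "memo_copy.txt": MODIFIED,
             "log.txt": UNRELATED, "system.dll": KNOWN_SYSTEM_FILE}
    remaining = filter_known(files, {sha256_hex(KNOWN_SYSTEM_FILE)})
    base = ctph(ORIGINAL)
    return {
        "after_known_filter": sorted(remaining),
        "exact_copy_same_sha256": sha256_hex(ORIGINAL) == sha256_hex(bytes(ORIGINAL)),
        "edited_copy_same_sha256": sha256_hex(ORIGINAL) == sha256_hex(MODIFIED),
        "edited_copy_similarity": similarity(base, ctph(MODIFIED)),
        "unrelated_similarity": similarity(base, ctph(UNRELATED)),
    }

if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point to notice is the contrast in `demo()`: the one-word edit gives the copy a completely different SHA-256, so exact-match filtering treats it as a new file, while its CTPH signature differs from the original in only the one or two pieces that contain the edit, because the rolling hash resynchronises a few bytes after the change and every later reset point falls in the same place.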
A cyclic redundancy check is a mathematical check on data used to confirm that a copy is an exact duplicate of the original and has not been altered in any way. By computing a CRC over the original and over the copy and comparing the two values, a forensic investigator can confirm that the duplicate of the suspect files is exact, and can then work with the duplicate without contaminating the original evidence. A matching CRC shows that the data has not been altered, and in that sense the data has been authenticated with the CRC (Volonino, Anzaldua, and Godwin, 2007). One caveat a practitioner must keep in mind: a CRC is designed to detect accidental corruption, such as a bad sector or a transmission error, not deliberate tampering. The CRC function is linear, so anyone who can alter the data can also adjust it so that it produces whatever CRC value they want. For that reason forensic imaging tools record a cryptographic hash of the image (MD5, SHA-1 or SHA-256) alongside any CRC, and it is the cryptographic hash that is relied on when the authenticity of the evidence is questioned. After investigators have verified their copies, they filter through the duplicated data so that the original data is never tampered with. A number of software applications are used to filter through data, and some of them apply the hashing methods described above. Verifying data with a CRC thus lets investigators confirm that they have exact duplicates of the files to work with when they filter through data looking for valuable evidence.
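The verification step and its caveat, as an added example that is not from the page or from the cited textbook. `verify_copy` does what an investigator does after imaging: compares the CRC-32 and the SHA-256 of the original and the copy. `crc32_patch` then shows why the CRC alone is not an authentication check: it computes four bytes that, appended to tampered data, make its CRC-32 equal to the original's (the standard CRC-reversal technique, which works because each CRC-32 table entry has a distinct top byte). The "disk image" is a constructed byte string.

```python
"""CRC-32 versus a cryptographic hash when verifying a forensic copy.

A CRC catches accidental corruption, but it is linear, so anyone who can
change the data can also make the CRC match.  SHA-256 has no such shortcut."""
import hashlib
import zlib

POLY = 0xEDB88320                       # reflected CRC-32 polynomial (same as zlib)
TABLE = []
for i in range(256):
    c = i
    for _ in range(8):
        c = (c >> 1) ^ POLY if c & 1 else c >> 1
    TABLE.append(c)
# Every table entry has a distinct top byte; that is what lets one CRC step be undone.
REV_TOP = {entry >> 24: idx for idx, entry in enumerate(TABLE)}
assert len(REV_TOP) == 256

def crc32(data: bytes) -> int:
    """Table-driven CRC-32 with init and final XOR of 0xFFFFFFFF (matches zlib)."""
    c = 0xFFFFFFFF
    for b in data:
        c = (c >> 8) ^ TABLE[(c ^ b) & 0xFF]
    return c ^ 0xFFFFFFFF

def matches_zlib(data: bytes) -> bool:
    """Cross-check our implementation against the library one."""
    return crc32(data) == zlib.crc32(data)

def verify_copy(original: bytes, copy: bytes) -> dict:
    """What an investigator checks after imaging: CRC and SHA-256 of both."""
    return {
        "crc_match": crc32(original) == crc32(copy),
        "sha256_match": hashlib.sha256(original).digest() == hashlib.sha256(copy).digest(),
    }

def crc32_patch(data: bytes, target: int) -> bytes:
    """Return 4 bytes such that crc32(data + patch) == target.

    Walk the last four CRC steps backwards from the target register value
    to find which table indices they must use, then forwards from the
    register value reached after `data` to pick the bytes that produce
    those indices.  After four steps the old register has been shifted
    out entirely, so the result depends only on the chosen indices.
    """
    reg = crc32(data) ^ 0xFFFFFFFF             # register state after data
    want = target ^ 0xFFFFFFFF                 # register state we must reach
    indices, cur = [], want
    for _ in range(4):
        i = REV_TOP[cur >> 24]                 # top byte identifies the table entry
        indices.append(i)
        cur = ((cur ^ TABLE[i]) << 8) & 0xFFFFFFFF   # previous state, low byte unknown
    patch = bytearray()
    for i in reversed(indices):
        patch.append((reg ^ i) & 0xFF)         # byte that selects index i from state reg
        reg = (reg >> 8) ^ TABLE[i]
    return bytes(patch)

# Constructed stand-in for a disk image; not real evidence.
ORIGINAL_IMAGE = b"constructed image: partition table, files, slack space\n" * 64
TAMPERED = ORIGINAL_IMAGE.replace(b"files", b"fILES", 1)           # content altered
FORGED = TAMPERED + crc32_patch(TAMPERED, crc32(ORIGINAL_IMAGE))   # CRC repaired

if __name__ == "__main__":
    print("clean copy   :", verify_copy(ORIGINAL_IMAGE, bytes(ORIGINAL_IMAGE)))
    print("tampered copy:", verify_copy(ORIGINAL_IMAGE, TAMPERED))
    print("forged copy  :", verify_copy(ORIGINAL_IMAGE, FORGED))
```

Running it shows the clean copy passing both checks, the tampered copy failing both, and the forged copy passing the CRC check while failing SHA-256. A CRC in an imaging log is therefore evidence that the copy process did not corrupt the data, and the cryptographic hash is the evidence that nobody changed it afterwards.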
In conclusion, forensic investigators may have to use a series of software suites to gather valuable evidence to be used against a suspect. They can use cyclic redundancy checks, together with a cryptographic hash, to verify that their working copies are exact duplicates of the suspect files, so that the original evidence is never tampered with. Once the copies have been verified, investigators can use the different hashing algorithms to filter through the data for critical evidence to be used against a suspect. The hashing algorithm that may best suit these needs is the context triggered piecewise hash, because it lets the investigator compare active files against fragments of files, or against files that are not exact duplicates but still contain valuable evidence.
References
1. Hurlbut, Dustin (2009, January 9). Fuzzy Hashing for Digital Forensic Investigators. AccessData. Retrieved April 11, 2009, from http://www.accessdata.com/downloads/media/Fuzzy_Hashing_for_Investigators.pdf
2. Volonino, Anzaldua, and Godwin (2007, August 23). Computer Forensics: Principles and Practices. Retrieved April 12, 2009, from the Pearson Education Computer Forensics: Principles and Practices Web site: