MSU CSE 6273 - Three A’s of Computer Forensics

This preview shows page 1-2-16-17-18-33-34 out of 34 pages.

Slide titles:
Intro to Cyber Crime and Computer Forensics CSE 4273/6273 February 6, 2012
Three A’s of Computer Forensics
Copies of Media
Authenticate
Authentication
Hashing Function
A digital finger print
Fixed length output
Hash Functions
Hash Functions (cont.)
Slide 11
Variations of Hash Functions
Most Popular Hash Functions
MD-5
MD-5 Implementation
1. Append Padding Bits
2. Append Length
3. Initialize MD Buffer
4. Process Message in 16-word Blocks (512 bits)
Illustration for One Round
5. Produce Output
SHA-1
SHA-1 Implementation
Slide 24
Slide 25
Slide 26
Slide 27
Slide 28
Slide 29
Hashing for authentication
Collisions unlikely but:
How do we avoid collisions?
Other uses include:
Questions?

Intro to Cyber Crime and Computer Forensics
CSE 4273/6273
February 6, 2012
MISSISSIPPI STATE UNIVERSITY
DEPARTMENT OF COMPUTER SCIENCE

Three A’s of Computer Forensics
• Acquire
• Authenticate
• Analyze

Copies of Media
• At least two copies should always be made of any media to be analyzed.
• The first copy is to be kept “pristine”, so that additional copies can be made whenever needed, without going back to the original.
• The second copy is the working copy.
• Both copies should be authenticated each time they are accessed. The working copy should be authenticated after analysis to see if changes have been made to the media.

Copyright © 2008 Mississippi State University Forensics Training Center

Authenticate
• Authentication is the process of proving that any copy that you have is the exact duplicate of the original.
• As opposed to non-digital evidence, the original evidence should never be analyzed.
• All analysis must be done on the working copy of the original.
• Authentication is normally done through the use of a hashing function.

Authentication
• Chain of custody
• Documentation
• Photographs
• Secure storage
• Never work from the original
• Access the original as little as possible
• Use write blocking
• Hash functions
(Diagram labels: Physical, Logical)

Hashing Function
A one-way function that computes a fixed length output from a variable length input. Any change in the input will result in a different output.
[Figure: a long string of binary digits passed through the hashing function to give a short binary output]

A digital finger print
• It can represent sectors, files, partitions or entire hard drives.
• You cannot tell anything about what was used to create the fingerprint.
• You can search for known files based on their fingerprints.
• Even if it is just one bit that is different in a file, partition, or hard drive, the fingerprint will still be drastically different.

Fixed length output
• A message digest or hash value
• Length depends on the algorithm used to create it
• The larger the message digest the stronger the algorithm
• Usually represented in base 16 (hexadecimal)

Hash Functions
• A hash function is a reproducible method of turning some kind of data into a (relatively) small number that may serve as a digital "fingerprint" of the data. The algorithm "chops and mixes" (i.e., substitutes or transposes) the data to create such fingerprints.
• The fingerprints are called hash sums, hash values, hash codes or simply hashes.
Taken from Wikipedia, http://en.wikipedia.org/wiki/Hash_function

Hash Functions (cont.)
• Hash functions are designed to be fast and to yield few hash collisions in expected input domains.
• A hash function must be deterministic.
• Hash functions are usually not injective, i.e. the computed hash value may be the same for different input values.
• A desirable property of a hash function is the mixing property: a small change in the input (e.g. one bit) should cause a large change in the output (e.g. about half of the bits). This is called the avalanche effect.
Taken from Wikipedia, http://en.wikipedia.org/wiki/Hash_function

Hash Functions (cont.)
• Inputs can be any length, but outputs are of fixed length.
• Typical uses of hash functions:
  – Database Indexing
  – Password Verification
  – Encoding complex data when reversibility is not desired.

Variations of Hash Functions
• CRC-32 – Cyclic Redundancy Check
  – 32 Bit Hash - 2^32 different possible outputs
• MD-5 – Message Digest
  – 128 Bit Hash - 2^128 different possible outputs
• SHA-1 – Secure Hashing Algorithm
  – 160 Bit Hash - 2^160 different possible results
• Others – SHA-256, SHA-512

Most Popular Hash Functions
• MD5 (Message Digest 5)
  – designed by Ronald Rivest in 1991 to replace an earlier hash function
  – 128 bit
• SHA-1 (Secure Hash Algorithm)
  – The SHA algorithms were designed by the NSA
  – 160 bit

MD-5
• Message Digest Algorithm
  – 128 bits
• Improved Version of the MD-4 Algorithm
• Slower, but less susceptible to successful breaking.
  – More complex
  – Better Error Handling
• MD-4 algorithm can be researched in hashing article on website.

MD-5 Implementation
• Five step process:
  1. Append Padding Bits
  2. Append Length
  3. Initialize MD Buffer
  4. Process Message in 16 word blocks
  5. Generate Output

1. Append Padding Bits
• For a b-bit input message, M, where length(M) = b
  – Message is extended (padded) until length(M’) = 512 * x – 64, for some integer x ≥ 1
• Padding is done by appending a “1” to the message and then “0”s until the message length is 512 * x – 64.
• Minimum padding is 1 bit, and maximum padding is 512 bits
1 0*

2. Append Length
• Append a 64-bit representation of b to the end of the result of Step 1.
• The resulting string is now 512 * x bits in length.
• Equivalently, the message is an exact multiple of 16 (32-bit) words.

3. Initialize MD Buffer
• A four word buffer is used to compute the output. (A, B, C, and D)
  – Each of the words is a 32-bit register initialized as follows:
    A: 01 23 45 67
    B: 89 ab cd ef
    C: fe dc ba 98
    D: 76 54 32 10

4. Process Message in 16-word Blocks (512 bits)
• Four auxiliary functions (F, G, H, and I) are defined such that each takes as input three 32-bit words and produces one 32 bit word as output.
    F(X,Y,Z) = (X  Y)  ( X  Z)
    G(X,Y,Z) = (X  Z)  (Y   Z)
    H(X,Y,Z) = X  Y  Z
    I(X,Y,Z) = Y  (X   Z)
• 16 rounds for each block of message.

Illustration for One Round
[Figure: one round taking the registers A, B, C, D through the function F, the message word Mi, the constant Ki and a left rotation <<<s to produce the new A, B, C, D]
Mi - 32 bit block of Message
Ki - Constant
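
The copy-and-authenticate procedure from the "Copies of Media" and "Authenticate" slides, as an added Python example that is not part of the original deck. The file names, the 4 MiB constructed image and the byte offset that gets altered are assumptions for the demonstration; SHA-256 is the default and `"md5"` or `"sha1"` can be passed instead.

```python
import hashlib
import os
import shutil
import tempfile

def digest(path, algorithm="sha256", chunk_size=1 << 20):
    """Stream a file through a hash so a whole-disk image never has to fit in memory."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()

def authenticate(reference_hash, path, algorithm="sha256"):
    """True when the copy at `path` still matches the hash recorded at acquisition."""
    return digest(path, algorithm) == reference_hash

def differing_bits(hex_a, hex_b):
    """Number of bit positions at which two equal-length hex digests differ."""
    return bin(int(hex_a, 16) ^ int(hex_b, 16)).count("1")

def demo():
    workdir = tempfile.mkdtemp()
    original = os.path.join(workdir, "original.dd")   # hypothetical file names
    pristine = os.path.join(workdir, "pristine.dd")
    working = os.path.join(workdir, "working.dd")
    try:
        # Constructed stand-in for acquired media: 4 MiB of deterministic bytes.
        with open(original, "wb") as f:
            f.write(bytes(range(256)) * (4 * 4096))
        reference = digest(original)                  # recorded once, at acquisition
        shutil.copyfile(original, pristine)
        shutil.copyfile(original, working)
        before = (authenticate(reference, pristine), authenticate(reference, working))
        # Simulate analysis that alters the working copy by a single bit.
        with open(working, "r+b") as f:
            f.seek(123456)
            byte = f.read(1)[0]
            f.seek(123456)
            f.write(bytes([byte ^ 0x01]))
        after = (authenticate(reference, pristine), authenticate(reference, working))
        return before, after, differing_bits(reference, digest(working))
    finally:
        shutil.rmtree(workdir)

if __name__ == "__main__":
    print(demo())
```

The third value returned by `demo()` is the avalanche effect in numbers: one flipped bit in 4 MiB changes roughly half of the 256 digest bits.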

