Hash missing from E0X evidence files

Discussion of legislation relating to computer forensics.
 
  

Samuel1
Senior Member
 

Hash missing from E0X evidence files

Posted: Aug 17, 12 11:20

Hello everyone,

I recently acquired some electronic evidence (*.E01 format), and to my great surprise, after running a verification in FTK Imager, the Stored Verification Hash read: "Hash Not Found" -- so, this E01 image has no authenticating hash!

My question is, given the way E01 image files work -- how is this even possible? The whole point of the E01 format is to contain the authenticating hash of the original media within the E01 file(s).

What are the legal implications for trying to introduce this hash-less E01 image or data extracted from this E01 into a court of law?  
 
  

joachimm
Senior Member
 

Re: Hash missing from E0X evidence files

Posted: Aug 18, 12 11:23

- Samuel1

What are the legal implications for trying to introduce this hash-less E01 image or data extracted from this E01 into a court of law?


Highly depends:

What jurisdiction?
What type of law?
Was the chain of custody of the evidence maintained?

Did you check if there is no other hash, SHA1 instead of MD5?
Did you check other tools?

E01 still contains checksums, a weaker kind of integrity check.
Do they check out?

What evidence did you find on there?
Can you correlate this evidence with other external sources?
etc, etc  
 
  

Samuel1
Senior Member
 

Re: Hash missing from E0X evidence files

Posted: Aug 22, 12 10:26

- joachimm
- Samuel1

What are the legal implications for trying to introduce this hash-less E01 image or data extracted from this E01 into a court of law?


Highly depends:

What jurisdiction?
What type of law?
Was the chain of custody of the evidence maintained?

Did you check if there is no other hash, SHA1 instead of MD5?
Did you check other tools?

E01 still contains checksums, a weaker kind of integrity check.
Do they check out?

What evidence did you find on there?
Can you correlate this evidence with other external sources?
etc, etc


joachimm, thanks for your thoughtful reply.

Jurisdiction: Federal, USA.
Type: Criminal
Chain of custody: From what I can tell, yes.

There is no SHA/MD5 in the E01 that appears. I can view the data with Paraben and FTK, but when I run a verify, it says Hash Not Found. It only displays the Computed Hash.

It is my understanding that E0X files store data like this:

[metadata] - [data] - [CRC] - [data] - [CRC] - [data] - [CRC] - [MD5]

How is it possible for the final MD5 to be missing?

How would one verify if the CRCs check out? FTK Imager makes no reference to them. I did not use any other tools yet (I will check with EnCase in the upcoming week), since FTK should be perfectly acceptable for verifying an E0X image, I would think.

Thank you.  
 
  

joachimm
Senior Member
 

Re: Hash missing from E0X evidence files

Posted: Aug 22, 12 10:53

- Samuel1

It is my understanding that E0X files store data like this:

[metadata] - [data] - [CRC] - [data] - [CRC] - [data] - [CRC] - [MD5]


Yes, that's largely correct; the CRCs are actually Adler-32 checksums (there is a technical difference), and are stored with the data, so:
[metadata] - [data + checksum] - [data + checksum] - [data + checksum] - [MD5] - [SHA1/MD5]

- Samuel1

How is it possible for the final MD5 to be missing?


You can create an EWF file without an MD5 or SHA1 as designed.

- Samuel1

How would one verify if the CRCs check out? FTK Imager makes no reference to them. I did not use any other tools yet (I will check with EnCase in the upcoming week), since FTK should be perfectly acceptable for verifying an E0X image, I would think.


EnCase or ewfverify will check the checksums and show you which sectors could not be validated.

Since this is US criminal law, I can advise you to check with local legal expertise.

Not having an integrity hash does not have to be a problem; it can make writing your report more challenging and the evidence may be considered less accountable. But if you can back up your findings with external resources, e.g. other computers, and make sure the chain of custody was maintained, that should largely account for the evidence having been handled accordingly.

For now make note of the current integrity hash as soon as possible.  
 
  

athulin
Senior Member
 

Re: Hash missing from E0X evidence files

Posted: Aug 22, 12 12:00

- Samuel1
I recently acquired some electronic evidence (*.E01 format), and to my great surprise, after running a verification in FTK Imager, the Stored Verification Hash read: "Hash Not Found" -- so, this E01 image has no authenticating hash!


How was the .e01 file created? By EnCase? FTK Imager? Some other tool?

My question is, given the way E01 image files work -- how is this even possible? The whole point of the E01 format is to contain the authenticating hash of the original media within the E01 file(s).


If the files were produced by EnCase, and if EnCase (no other tool will do here) does not find a problem, there is no problem. Any problem is in FTK Imager.

If the files were produced by some other tool, you may want to consider the possibility that it didn't produce correctly formatted files -- for whatever reason. You may bring that problem to the respective tool maker's attention -- once you have verified that the problem is repeatable, and isn't due to problems in your acquisition platform ... or with your target disk.

One acquisition I made on a system that proved to have a bad RAM bank produced some very weird error messages later -- but none that were observed during acquisition.  
 
  

joachimm
Senior Member
 

Re: Hash missing from E0X evidence files

Posted: Aug 22, 12 15:26

- athulin
If the files were produced by EnCase, and if Encase (no other tool will do here) does not find a problem, there is no problem. Any problem is in FTK Imager.


I do not agree with you that "no other tool will do here". Before you answer, please look at the issue of EnCase 6.7.1 and the chunk offset overflow first. In short, EnCase was creating incorrect E01 files. Or the issue regarding how the section offset and size should be handled; the format allows storing 2 different images in 1 E01 file if the tool is not careful.

The fact that multiple tools can interpret the format will provide for a less biased result.  
 
