±Forensic Focus Partners

Become an advertising partner

±Your Account


Username
Password

Forgotten password/username?

Site Members:

New Today: 0 Overall: 35390
New Yesterday: 2 Visitors: 131

±Follow Forensic Focus

Forensic Focus Facebook PageForensic Focus on TwitterForensic Focus LinkedIn GroupForensic Focus YouTube Channel

RSS feeds: News Forums Articles

±Latest Articles

±Latest Webinars

Child Exploitation Hash Sets

Computer forensics discussion. Please ensure that your post is not better suited to one of the forums below (if it is, please post it there instead!)
Reply to topicReply to topic Printer Friendly Page
Forum FAQSearchView unanswered posts
Page Previous  1, 2, 3, 4  Next 
  

UnallocatedClusters
Senior Member
 

Re: Child Exploitation Hash Sets

Post Posted: Sep 14, 16 00:33

Free Hash Sets for Download:

www.nsrl.nist.gov/Downloads.htm

Paid Hash Sets for Download:

www.hashsets.com/

My Favorite Hash Sets:

www.pinterest.com/pin/...607420254/  
 
  

tracedf
Senior Member
 

Re: Child Exploitation Hash Sets

Post Posted: Sep 14, 16 14:06

- EricZimmerman
because if a pedophile got a hold of the hash sets they would know what LE knows and can act accordingly.

if you have a school resource officer that is a good way to get access to LE stuff, but giving things out like hashes and keywords to the general public wont happen.


1) Do the sets include new images from open investigations? I can see limiting access to that, but the hashes from known images in cases where charges have already been filed and/or where the cases have been tried would still be really valuable to schools, service providers, etc.


I didn't think about having our school resource officers request it; that's a good idea. Thanks.  
 
  

jaclaz
Senior Member
 

Re: Child Exploitation Hash Sets

Post Posted: Sep 14, 16 14:43

- tracedf

1) Do the sets include new images from open investigations? I can see limiting access to that, but the hashes from known images in cases where charges have already been filed and/or where the cases have been tried would still be really valuable to schools, service providers, etc.
.

So there is a given image with a given hash.

Knowing that the given hash is known, I can change just one byte of it and obtain an image indistinguishable from the original when seen but that will pass under the radar of a hash comparison.

Publishing the known hashsets has consequences.

And there is NOT one reason in the world for wanting a set of hashsets (without the images) if what you need/want is to validate the hashing algorithm or a specific implementation.
I would say that by this time the algorithm has been validated enough and anyway - since it is a generic algorithm of which tens of implementations exist - a specific implementation can be validated by comparison to existing tools applied to "common" images.

Using images of meerkats for the tests is the way to go:
www.forensicfocus.com/...4/#6569664

The only exception would be of course if you want to "filter" some traffic, but unless you are LE, that would pose another kind of problem.

Let's say that your filter finds a corresponding hash for a file called daisies.jpg downoaded from the Internet by Mrs. Donovan (the nice, elderly, gray haired lady that teaches Class 3E) and an alarm is triggered.

What is your action?
Examples:
1) Log the file download but allow it, make a copy of the file on another PC/server and call the cops?
2) Log the file download but allow it, make a copy of the file on another PC/server and view yourself the image to make sure, then call the cops?
3) Drop/block the download, make a copy of the file on another PC/server and call the cops?
4)Drop/block the download, make a copy of the file on another PC/server and view yourself the image to make sure, then call the cops?
5) Something else ...

Please consider the possible consequences of the action you choose from the list above or of the action you have in mind (please describe), both in the case of a correct "positive" and of a false one. Confused

jaclaz
_________________
- In theory there is no difference between theory and practice, but in practice there is. - 
 
  

tracedf
Senior Member
 

Re: Child Exploitation Hash Sets

Post Posted: Sep 14, 16 19:21

- jaclaz

So there is a given image with a given hash.

Knowing that the given hash is known, I can change just one byte of it and obtain an image indistinguishable from the original when seen but that will pass under the radar of a hash comparison.

Publishing the known hashsets has consequences.

<snip>


You don't need to know the hash to change the images. Any collector/distributor of child pornography would be smart to write a program that can toggle a random pixel in each image to break the hash. Releasing the hashes does nothing to aid the child pornographer.

I can't see trying to use hashes to filter images being downloaded--too much latency--but it would be useful for identifying child pornography stored on a workstation or file server. If it is detected, the best move forward may depend on the locality but I would run it by my organization's attorneys and coordinate with local law enforcement to determine what our response should be. With ordinary content filtering, we get a lot of false positives because many sites are categorized based on keywords so a NY Times article about sexual assault on college campuses can get categorized as pornographic. With hashes of known images, a positive result should be definitive 99.99% of the time; the only exception being images that were added to the hash set by mistake (a mis-identification of an adult pornographic image maybe).

In the K-12 environment, we had school resource officers who were sworn police officers so we could have leveraged them in our response.

I think there is more benefit to sharing the information than keeping it secret (excepting new images from open investigations).

For testing software, any hash set works so I agree that these are not needed for that purpose.  
 
  

jaclaz
Senior Member
 

Re: Child Exploitation Hash Sets

Post Posted: Sep 15, 16 06:30

- tracedf

You don't need to know the hash to change the images. Any collector/distributor of child pornography would be smart to write a program that can toggle a random pixel in each image to break the hash.

But then the whole hashsets concept is totally useless. Shocked

I mean, if every collector/distributor/redistributor actually "injects" a few bytes and creates a "random" hash, the hashset will never find any positive, not even if it grows to billions of hashes, but it will likely start giving lots of false positives, for each hash that is added to it, the same image will be regenerated several times creating several new hashes, and if they are added to the hashset, before or later the hashset will contain every possible hash.

Maybe it's time to have image recognition techniques instead of hashes ...

jaclaz
_________________
- In theory there is no difference between theory and practice, but in practice there is. - 
 
  

tracedf
Senior Member
 

Re: Child Exploitation Hash Sets

Post Posted: Sep 15, 16 14:15

- jaclaz
... if they are added to the hashset, before or later the hashset will contain every possible hash.

Maybe it's time to have image recognition techniques instead of hashes ...

jaclaz


Even with a 128-bit hash, exhausting the hash-space really isn't an issue. Even a handful of individual collisions is pretty improbably. As far as I know, the people who commit these crimes are not doing this, but it would be relatively easy to do if they had any programming skills. Supplementing hashsets with image recognition would be a good move and the technology exists (e.g. Google's reverse image search).

This is a bigger problem in computer security/incident response where the bad guys are constantly tweaking their tools and use techniques to generate new versions with trivial differences. In those cases, it is more difficult to identify their tools as you might have many different hashes or signature strings for the same tool.

-Steven  
 
  

armresl
Senior Member
 

Re: Child Exploitation Hash Sets

Post Posted: Sep 16, 16 01:20

You are 100% right. Most of the time, it's just cops being cops and objecting just to object.

The argument will happen a lot of times if you happen to work for the defense. More to the point, the number of road blocks placed in your path if you are non LE grow very quickly.



- tracedf
- dan0841

LE would (and should IMHO) be very cautious about releasing hash sets externally.


Why are they so restrictive about the hash sets? They can't be used to recreate the images. If they made these more widely available, I think they would find that many organizations would proactively scan for them and report offenders to law enforcement. I worked in a K-12 school district and we would have loved to have a way to identify if any of our staff/teachers ever downloaded child exploitation photos.

_________________
Why order a taco when you can ask it politely?

Alan B. "A man can live a good life, be honorable, give to charity, but in the end, the number of people who come to his funeral is generally dependent on the weather. " 
 

Page 2 of 4
Page Previous  1, 2, 3, 4  Next