Hello - I am training a security analyst who expressed some interest in the field of forensics. He recently posed a question that I did not have a good answer for. As we were discussing hashing and disk/memory acquisitions, he asked "if you are hashing a disk or memory and a user is using the machine live, wouldn't the evidence change and give you a different hash as you go through the imaging process?"
I never thought about this aspect in my short career as a forensic examiner. Somewhere in my training I vaguely remember something about the state of a live device and how the hashing algorithm will perform hashing in a series of blocks…but the evidence is still volatile at this point, so what is in memory or on disk at 8:47am may be completely different at 8:48am. I did not want to give the analyst an incorrect answer, so I pose the question here. If the evidence changes on a live machine during the imaging process, how does the tool (such as FTK Imager, EnCase, etc.) account for that during our examination?
Any feedback will be helpful. Thank you.
As we were discussing hashing and disk/memory acquisitions, he asked "if you are hashing a disk or memory and a user is using the machine live, wouldn't the evidence change and give you a different hash as you go through the imaging process?"
Not entirely clear … but I assume you mean that a second image taken shortly afterwards will not produce the same hash as the first one.
The hash can be used to help you verify that the image file hasn't been changed (provided that you take the necessary precautions) since it was made. With live imaging, you don't expect anything else – you should not apply that hash to the imaged system again. You already know that there will have been changes.
If the evidence changes on a live machine during the imaging process, how does the tool (such as FTK imager, EnCase..etc..) account for that during our examination?
??? I'm not sure I would expect it to do so.
I would expect a live image produced by a traditional imager to be inconsistent, and I'd be very careful about interpreting the information – MFT records could have changed by the time the actual file was imaged, so there could be lots of weirdness in it.
If I had to do a live image, I'd try to avoid using imaging tools designed for post mortem images. I think I'd rather go with tools based on file system snapshots. (As far as I know, the tools you mention don't do that – but I could be wrong.)
The hash would still be for the image file only.
Acquisition and subsequent verification typically (in many tools, e.g. FTK Imager) result in one hash value calculated for data blocks being copied (on the fly) and, after acquisition completes, in another hash value calculated for data blocks in the image. That's why imaging a live system will result in successful hash verification even if the source data becomes different. In this case, verification doesn't tell you that the source and the image are identical; it tells you that no corruption occurred in the image creation process.
If you copy the data at first, and then calculate hash values for both the source and the image, you will get different results (in a case of live acquisition), because you read the source twice, not once.
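The on-the-fly hashing thefuf describes, simulated as an added example (written here, not taken from any poster or from FTK Imager/EnCase): the constructed source keeps changing while it is read, yet the image still verifies against the hash computed during acquisition, while a second read of the live source no longer matches.

```python
import hashlib
import struct

BLOCK_SIZE = 512
BLOCK_COUNT = 8


class LiveSource:
    """Constructed stand-in for a live disk: every block read is followed by
    background writes, as a running OS and user would cause during imaging."""

    def __init__(self):
        # Constructed sample content: block i is filled with byte value i.
        self.data = bytearray(b"".join(bytes([i]) * BLOCK_SIZE for i in range(BLOCK_COUNT)))
        self.tick = 0

    def _activity(self):
        # Background I/O: a journal counter in block 0 and a file being edited
        # in the last block are both rewritten after each block we read.
        self.tick += 1
        stamp = struct.pack(">I", self.tick)
        self.data[0:4] = stamp
        last = (BLOCK_COUNT - 1) * BLOCK_SIZE
        self.data[last:last + 4] = stamp

    def read_block(self, i):
        start = i * BLOCK_SIZE
        block = bytes(self.data[start:start + BLOCK_SIZE])
        self._activity()
        return block


def acquire(source):
    """Copy block by block, hashing each block as it is copied (on the fly)."""
    h = hashlib.sha256()
    image = bytearray()
    for i in range(BLOCK_COUNT):
        block = source.read_block(i)
        h.update(block)
        image += block
    return bytes(image), h.hexdigest()


def verify_image(image, acquisition_hash):
    """Post-acquisition verification: rehash the image file, not the source."""
    return hashlib.sha256(image).hexdigest() == acquisition_hash


def hash_source_now(source):
    """Hash the source as it is right now, i.e. a second read of live evidence."""
    return hashlib.sha256(bytes(source.data)).hexdigest()
```

Running `acquire` on a `LiveSource` and then `verify_image` returns True, while `hash_source_now` on the same source no longer equals the acquisition hash, which is exactly the difference between "the image is uncorrupted" and "the image equals the source".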
Thank you 'thefuf' and 'athulin' for the quick replies. I think I understand now. A live system is expected to change during the acquisition process; the only thing that matters is that the completed image and the subsequent hash do not change.
I often think that hashing and forensics is overrated. There can be an implication that because something has been hashed, it must be correct.
Hashing is just a signature. The big feature (or problem) is that a single bit difference anywhere in a file will produce a completely different hash value. Imaging an active hard drive is possible, but I would expect some sectors to be changed on a very regular basis.
The only advantage of the hash value is if the new image is taken somewhere it can be verified as identical to the original (assuming the hash value has not been hacked!).