Recently there has been some debate in the office on transferring an image file to a different computer if the media used to transfer that image was “sanitized”. Just to give you a background on our process, we normally image something onto a “clean” machine. When all done with the processing of the image, we push the image over to a secure NAS that holds all of our past cases divided by case number. On one case I imaged a drive onto a clean machine that was not connected to the NAS and instead, when I was done processing it, I moved it to the NAS by transferring it using an external HD. Another forensic tech told me that I couldn’t do that, and by doing it, I would be opening a lot of cross examination from the defense. The explanation that I was given by this tech was that I couldn’t testify in court that the external HD that I used was “sanitized”. And there may be a possibility that the image file is contaminated with past images that may hold incriminating files that make the suspect appear guilty. Now this explanation doesn’t make sense to me. Image files (or any files) don’t contaminate themselves by being on the same drive or being previously on the same drive. They don’t morph into each other or trade data by being in the same directory, or drive, or previously deleted... etc. This argument doesn’t seem to be a valid argument on possibly “contaminating” the evidence.
Sorry for making it so long but I wanted to hear feedback on if anyone else had run into this type of argument and if so what thoughts people in the field have on this topic.
We can become our own worst enemy by being so "fault oriented" regarding evidence handling. Your statements regarding the integrity of the evidence files are correct. If the files verify and the hash values match at the end of the process it doesn't matter how many channels they went through. Identical is identical and if an examiner can't explain that much on the stand then I don't have a lot of confidence in anything that follows.
It's an interesting argument, particularly in an organization that uses a server for ultimate storage. Is this a medium that is not fully "sanitized"? Certainly, but practicality demands its use.
A similar argument has been made in police departments for some years now. Many require a signed statement of receipt of Miranda warnings from one being interrogated. Nowhere in Miranda v. Arizona is this requirement established. It has been adopted by many agencies in the pursuit of best practices.
On its own it's not a bad practice, except for the time you forget, or circumstances preclude you from getting that form signed. Then you open up a line of questioning on why you didn't get the form signed. If an officer can't be trusted to honestly state that he read the suspect his rights, then how much can you trust his other testimony?
There are two considerations, here.
First, what is sound from a forensic perspective. As noted, if the image verifies, end of story, from a forensic POV.
But the other consideration is what it costs your client to adjudicate the issue should it arise. That, alone, is often the overriding consideration when deciding what to do.
For example, from a technical perspective, the fact that someone can create MD5 hash collisions is not sufficient to question the integrity of an MD5 verified media image. But it can take some time to argue this in court and time is money, so if SHA hashing is available why not do it, or both, and take the issue off the table.
Part of what you are relying on as an expert is credibility and that is where someone will try to question you. The opposing side will pull out some statement from another practitioner, article, white paper or textbook which says you should wipe a drive before putting evidence on it and you are left having to explain why this is not necessary and why your opinion is better than that of some published author or something.
Why go there if you don't have to?
I try to keep things pretty sanitized from a SOP point of view, since forensics is like a box of chocolate - you never know whacha gunna get. Say, for example, you image, transfer, transfer & verify. Start your investigation and then find illicit material that then has to be turned over to another authority (jurisdiction and evidentiary rules applicable). Granted, you would expect the receiver of such material to be trustworthy and only be copying and/or mounting image files, but you would want to make sure there is no prior evidence on the devices.
I have run into this argument and tend to agree with the other posts. A verification hash, or (even better) two, should mitigate most concern. However, going with the same rationale as Sean/Doug, I generally use previously wiped drives as a matter of practice.
Why is a second hash better - this implies that there is some flaw in the production of the first. If that is the case then don't use the first - it's wasted effort.
Simple, really. MD5 hashing is still more common so I do it for backwards compatibility.
Please explain backwards compatibility in this context - either it works or it doesn't - if it works then use one, if it doesn't then don't use it.
Not knocking MD5 here, despite the published flaws it still has its place - just the concept of hashing twice.
Sure. The other side is relying only on MD5 hashing and wants to verify the chain of custody. But I want to make sure that I am compatible with whatever hashing system they might rely upon.
And you could turn the argument around. "Why didn't you do an MD5 hash when it was easy to do so?"
It is not like MD5 hash collisions are all that common.
I do not believe hashing with something else besides MD5 implies there is something wrong with MD5.
It implies that I am prepared to be examined on the validity of MD5.
I can either go and explain in excruciating detail that MD5 encryption has been cracked, but that does not negate its validity for hashing. I can just see the jury snoring, and the others begging to stop…
Or, use SHA-256 and MD5, move on.
As seanmcl said, moves it off the table.
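The point made several times in this thread (the image either verifies or it does not, whatever media it crossed, and recording both an MD5 and a SHA-256 takes the collision argument off the table) is easy to show in code. The following is an added example written for this page, not code posted by any participant or belonging to any forensic tool; the image bytes are constructed in the script so it runs offline. It hashes the image once at acquisition with both algorithms, then re-verifies after each hop (clean machine, external HD, NAS) and reports each algorithm's result separately, so a single changed byte anywhere along the chain is visible no matter which hash the other side relies on.

```python
import hashlib
from typing import Dict, Iterable

# Constructed stand-in for a disk image; a real image would be read from a file.
IMAGE = b"\x00" * 4096 + b"constructed forensic image sample " * 64 + b"\xff" * 512


def hash_bytes(data: bytes, algorithms: Iterable[str] = ("md5", "sha256")) -> Dict[str, str]:
    """Compute every requested digest in a single pass over the data.

    Feeding each chunk to all hashers at once means a multi-gigabyte image is
    read from disk only one time, which is the usual reason examiners record
    MD5 and SHA-256 together rather than running two separate verifications.
    """
    hashers = {name: hashlib.new(name) for name in algorithms}
    view = memoryview(data)
    chunk = 1 << 20  # 1 MiB chunks keep memory flat for large images
    for offset in range(0, len(view), chunk):
        piece = view[offset:offset + chunk]
        for h in hashers.values():
            h.update(piece)
    return {name: h.hexdigest() for name, h in hashers.items()}


def hash_file(path: str, algorithms: Iterable[str] = ("md5", "sha256")) -> Dict[str, str]:
    """Same as hash_bytes, but streams a file from disk (for real image files)."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        for piece in iter(lambda: fh.read(1 << 20), b""):
            for h in hashers.values():
                h.update(piece)
    return {name: h.hexdigest() for name, h in hashers.items()}


def verify(data: bytes, recorded: Dict[str, str]) -> Dict[str, bool]:
    """Recompute the digests recorded at acquisition and compare per algorithm.

    Returning one result per algorithm lets the report state independently
    that the MD5 matched and that the SHA-256 matched, rather than a single
    yes/no that hides which value was actually checked.
    """
    current = hash_bytes(data, tuple(recorded))
    return {name: current[name] == recorded[name] for name in recorded}


def chain_of_custody(image: bytes, hops: Dict[str, bytes], recorded: Dict[str, str]) -> Dict[str, Dict[str, bool]]:
    """Verify the image as it sits at each hop (constructed names for the hops).

    `hops` maps a location label to the bytes as they exist there; any hop whose
    bytes differ from the acquired image fails on every recorded algorithm.
    """
    results = {"acquisition": verify(image, recorded)}
    for location, copy in hops.items():
        results[location] = verify(copy, recorded)
    return results


def all_verified(results: Dict[str, Dict[str, bool]]) -> bool:
    """True only if every hop matched on every recorded algorithm."""
    return all(all(per_alg.values()) for per_alg in results.values())


if __name__ == "__main__":
    recorded = hash_bytes(IMAGE)            # values written into the acquisition notes
    # Constructed hops: an unchanged copy on the external HD, and a NAS copy
    # with one flipped byte, to show what a failed verification looks like.
    good_copy = bytes(IMAGE)
    bad_copy = IMAGE[:100] + bytes([IMAGE[100] ^ 0x01]) + IMAGE[101:]
    results = chain_of_custody(IMAGE, {"external_hd": good_copy, "nas": bad_copy}, recorded)
    for location, per_alg in results.items():
        print(location, per_alg)
    print("chain verified:", all_verified(results))
```

The NAS hop in the demonstration deliberately fails; in practice a failed hop means the copy at that location is not the evidence image and should be re-transferred and re-verified, and the acquisition record is what the examiner testifies from. Recording two digests costs nothing extra here because both are produced in the same pass.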