Hash debate

Bulldawg
(@bulldawg)
Estimable Member
Joined: 13 years ago
Posts: 190
 

Forensics Wiki (search for SSD)
Forensic Focus article

I've linked a couple pages that explain it better than I will here.

In essence, an SSD contains an on-board controller that can and will modify the SSD without interference from the OS. Because of the way NAND flash storage works, it is very slow to write to an already-occupied cell. To address this issue, the SSD–independent of the OS–will erase unused cells. All you have to do is apply power to the drive and evidence is being changed and even deleted.


   
(@thefuf)
Reputable Member
Joined: 17 years ago
Posts: 262
 

Thanks for the replies.

From what I understand about TRIM, the timing of TRIM execution is determined by the drive's firmware - the OS issues the TRIM command but the drive's controller determines when to run it.

So now I see why a hash of the source drive might not match the hash of the imaged copy - because the TRIM command might be executed *while* the imaging is taking place. However, if no TRIMming occurred during the imaging process, then the hashes should match.

Thanks,

-Michael

You should distinguish between Trim and Garbage Collection. A solid-state drive may perform Garbage Collection even when there are no Trim commands coming from an operating system by parsing a file system and searching for unallocated data. Such a file-system-aware operation of a solid-state drive is the problem.

Unfortunately, there are several articles about solid-state drives and forensic issues which ignore this problem (because the authors never saw a file-system-aware solid state drive). However, file-system-aware solid-state drives exist, as stated by Kingston and by independent researchers.

Moreover, there are USB flash drives that will return different data when you read it. However, the last issue has nothing to do with Trim or Garbage Collection.


   
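A whole-image hash mismatch only says that something changed between two reads, not where. The following is an added example, not part of the original thread, that hashes two acquisitions block by block to locate the differing regions. The function names, the 4096-byte block size and the sample data are constructed assumptions, and it assumes a wiped region reads back as one repeated 0x00 or 0xFF byte, which depends on the drive.

```python
import hashlib
import io
from itertools import zip_longest

BLOCK = 4096  # comparison granularity in bytes (assumed; adjust to the image)

def block_digests(stream, block=BLOCK):
    """Yield (offset, sha256 hex, fill) per block; fill is the byte value
    when the block is one repeated byte, else None."""
    offset = 0
    while chunk := stream.read(block):
        fill = chunk[0] if chunk == chunk[:1] * len(chunk) else None
        yield offset, hashlib.sha256(chunk).hexdigest(), fill
        offset += len(chunk)

def compare_acquisitions(first, second, block=BLOCK):
    """Return [(offset, kind)] for blocks that differ between two reads.
    kind is 'wiped' when the second read is uniform 0x00/0xFF and the
    first was not, otherwise 'changed'."""
    report = []
    pairs = zip_longest(block_digests(first, block), block_digests(second, block))
    for a, b in pairs:
        if a is None or b is None:
            raise ValueError("acquisitions differ in length")
        (offset, h1, f1), (_, h2, f2) = a, b
        if h1 != h2:
            wiped = f2 in (0x00, 0xFF) and f1 != f2
            report.append((offset, "wiped" if wiped else "changed"))
    return report

def constructed_pair(block=BLOCK):
    """Constructed sample: two reads of a 4-block 'drive' where the block
    holding deleted-file remnants reads back as zeros the second time."""
    live = b"allocated file data ".ljust(block, b"A")
    deleted = b"deleted file remnants ".ljust(block, b"D")
    zeros = bytes(block)
    return live * 2 + deleted + zeros, live * 2 + zeros * 2

if __name__ == "__main__":
    first, second = constructed_pair()
    print("whole-image hashes match:",
          hashlib.sha256(first).digest() == hashlib.sha256(second).digest())
    for offset, kind in compare_acquisitions(io.BytesIO(first), io.BytesIO(second)):
        print(f"block at offset {offset}: {kind}")
```

For real images, pass two files opened in binary mode instead of the `io.BytesIO` objects.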
(@mlerner)
New Member
Joined: 13 years ago
Posts: 3
 

Wow. Thanks for those links. I am not (yet) a digital forensics practitioner, but I wasn't aware of garbage collection being initiated by an SSD in the absence of a direct command from the OS.

The concluding paragraph of one of the links you mentioned troubles me:

"The results found in this paper may have significant implications for legal matters involving digital evidence, most especially in those cases where digital data is alleged to have been deleted intentionally or deliberately permanently wiped by a defendant. Given the pace of development in SSD memory and controller technology, and the increasingly proliferation of manufacturers, drives, and firmware versions, it will probably never be possible to remove or narrow this new grey area within the forensic and legal domain. It seems possible that the golden age for forensic recovery and analysis of deleted data and deleted metadata may now be ending."

This issue, as well as increasingly-pervasive encryption, certainly doesn't bode well for the future of digital forensics. Both issues appear to me to be major stumbling blocks to performing a successful digital forensics exam.


   