I'm not entirely sure that I see the point to this sort of thing. Sure, SHA-1 has been "broken"…but so what? The same holds true with MD5 hashes…again, so what?
When looking at this, one has to also consider how the hashes are used. For example, one use of the hahes is to calculate mathematic fingerprints for a file. Okay, so one might say that those fingerprints are now suspect. I have to ask…how so?
When calculating mathematic fingerprints for a file, many tools use both MD5 and SHA1 hashes. In addition, specific information (i.e., file size, location, etc.) is also collected from the file. So…when considering if this is an issue or not, think about this…what are the chances that someone is capable of modifying the file so that both algorithms return the same hashes as that of the previous file, without modifying the file size, and that the file itself is still functional (for binaries)?
I'd say that the answer to that is extremely slim to none.
From the point of view of keydet89, I agree.
However if we back away from the process of digital forensics for a moment and look at security in general, I see a huge issue. For example, many vpn's today use a sha-1 algorithm for the ike authentication process. If the hash could in fact be reversed, it may be possible to obtain the original key, or at least a key that could produce the same hash. This is more of a security in general issue than a forensic issue. Sha-1 is a hash algorithm used not only by forensic analysis, but also many other areas where security is required. Although this has less of an impact on the forensic community than the broader security community we must take note. If the allegations about sha-1 are true, then we must widen our scope of potential possiblities when doing our analysis.
Yes, this is an interesting topic and one generating some lively discussion on the larger forensic lists. For now (being a bit pushed for time) I'll just take this opportunity to welcome pestewart to the Forensic Focus forums.