
Hash missing from E0X evidence files  

Samuel1
(@samuel1)
Member

Hello everyone,

I recently acquired some electronic evidence (*.E01 format), and to my great surprise, after running a verification in FTK Imager, the Stored Verification Hash read "Hash Not Found" – so, this E01 image has no authenticating hash!

My question is, given the way E01 image files work – how is this even possible? The whole point of the E01 format is to contain the authenticating hash of the original media within the E01 file(s).

What are the legal implications for trying to introduce this hash-less E01 image or data extracted from this E01 into a court of law?

Posted : 17/08/2012 12:20 pm
joachimm
(@joachimm)
Active Member

What are the legal implications for trying to introduce this hash-less E01 image or data extracted from this E01 into a court of law?

Highly depends

What jurisdiction?
What type of law?
Was the chain of custody of the evidence maintained?

Did you check if there is no other hash SHA1 instead of MD5?
Did you check other tools?

E01 still contains checksums, a weaker kind of integrity check.
Do they check out?

What evidence did you find on there?
Can you correlate this evidence with other external sources?
etc, etc

Posted : 18/08/2012 12:23 pm
Samuel1
(@samuel1)
Member

What are the legal implications for trying to introduce this hash-less E01 image or data extracted from this E01 into a court of law?

Highly depends

What jurisdiction?
What type of law?
Was the chain of custody of the evidence maintained?

Did you check if there is no other hash SHA1 instead of MD5?
Did you check other tools?

E01 still contains checksums, a weaker kind of integrity check.
Do they check out?

What evidence did you find on there?
Can you correlate this evidence with other external sources?
etc, etc

joachimm, thanks for your thoughtful reply.

Jurisdiction: Federal, USA.
Type: Criminal.
Chain of custody: From what I can tell, yes.

There is no SHA/MD5 in the E01 that appears. I can view the data with Paraben and FTK, but when I run a verify, it says Hash Not Found. It only displays the Computed Hash.

It is my understanding that E0X files store data like this

[metadata] - [data] - [CRC] - [data] - [CRC] - [data] - [CRC] - [MD5]

How is it possible for the final MD5 to be missing?

How would one verify if the CRCs check out? FTK Imager makes no reference to them. I did not use any other tools yet (I will check with EnCase in the upcoming week), since FTK should be perfectly acceptable for verifying an E0X image, I would think.

Thank you.

Posted : 22/08/2012 11:26 am
joachimm
(@joachimm)
Active Member

It is my understanding that E0X files store data like this

[metadata] - [data] - [CRC] - [data] - [CRC] - [data] - [CRC] - [MD5]

Yes, that is largely correct; the CRCs are actually Adler-32 checksums (there is a technical difference), and are stored with the data, so
[metadata] - [data + checksum] - [data + checksum] - [data + checksum] - [MD5] - [SHA1/MD5]

How is it possible for the final MD5 to be missing?

You can create an EWF file without an MD5 or SHA1 as designed.

How would one verify if the CRCs check out? FTK Imager makes no reference to them. I did not use any other tools yet (I will check with EnCase in the upcoming week), since FTK should be perfectly acceptable for verifying an E0X image, I would think.

EnCase or ewfverify will check the checksums and show you which sectors could not be validated.

Since this is US Criminal law, I can advise to check with local legal expertise.

Not having an integrity hash does not have to be a problem; it can make writing your report more challenging and the evidence considered less accountable. But if you can back up your findings with external resources, e.g. other computers, and make sure the chain of custody was maintained, that should largely account for the evidence having been handled accordingly.

For now make note of the current integrity hash as soon as possible.

Posted : 22/08/2012 11:53 am
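To make the two integrity layers discussed above concrete (the per-chunk Adler-32 checksums that survive even when the final hash section is absent, and the whole-image MD5 that a verifier reports as "not found"), here is an added example that is not from this thread, from libewf/ewfverify, or from any of the vendors named. It uses a deliberately simplified, constructed container modelled on the layout joachimm described; it is not the real EWF/E01 on-disk format (which has section headers, chunk tables and compression). The names TOYEWF, HASH, build_image, verify_image and corrupt_chunk are all assumptions made for this example.

```python
import hashlib
import struct
import zlib

# Constructed toy container modelled on the layout described in the thread:
#   [metadata] - [data + checksum] - [data + checksum] ... - [MD5]
# It is NOT the real EWF/E01 format; it only reproduces the two integrity
# layers the thread discusses: an Adler-32 per chunk and an optional MD5
# over the whole image. MAGIC and HASH_MARK are hypothetical identifiers.
MAGIC = b"TOYEWF"
HASH_MARK = b"HASH"
SECTOR_SIZE = 512


def build_image(data: bytes, chunk_size: int = 1024, store_hash: bool = True) -> bytes:
    """Pack raw device bytes into the toy container.

    Each chunk is followed by its Adler-32. The MD5 of all raw data is only
    appended when store_hash is True, so a run that never writes the final
    hash section produces a file whose stored hash is "not found".
    """
    if chunk_size % SECTOR_SIZE:
        raise ValueError("chunk_size must be a whole number of sectors")
    chunks = [data[i:i + chunk_size] for i in range(0, len(data), chunk_size)]
    out = bytearray(MAGIC)
    out += struct.pack("<II", chunk_size, len(chunks))
    for chunk in chunks:
        out += struct.pack("<I", len(chunk)) + chunk
        out += struct.pack("<I", zlib.adler32(chunk) & 0xFFFFFFFF)
    if store_hash:
        out += HASH_MARK + hashlib.md5(data).digest()
    return bytes(out)


def _parse(image: bytes):
    """Walk the container; return (chunk_size, [(data_offset, length, stored_sum)], trailer_offset)."""
    if not image.startswith(MAGIC):
        raise ValueError("not a toy image")
    pos = len(MAGIC)
    chunk_size, count = struct.unpack_from("<II", image, pos)
    pos += 8
    chunks = []
    for _ in range(count):
        (length,) = struct.unpack_from("<I", image, pos)
        pos += 4
        (stored_sum,) = struct.unpack_from("<I", image, pos + length)
        chunks.append((pos, length, stored_sum))
        pos += length + 4
    return chunk_size, chunks, pos


def verify_image(image: bytes) -> dict:
    """Check every chunk checksum, then compare stored and computed MD5.

    Reports which chunks (and sector ranges) fail their Adler-32, the stored
    hash if any, the hash computed now, and an overall status. The computed
    hash is always produced, which is what a verifier shows when the stored
    one is missing.
    """
    chunk_size, chunks, trailer = _parse(image)
    bad = []
    md5 = hashlib.md5()
    for idx, (off, length, stored_sum) in enumerate(chunks):
        chunk = image[off:off + length]
        md5.update(chunk)
        if zlib.adler32(chunk) & 0xFFFFFFFF != stored_sum:
            first = idx * chunk_size // SECTOR_SIZE
            last = first + (length + SECTOR_SIZE - 1) // SECTOR_SIZE - 1
            bad.append({"chunk": idx, "sectors": (first, last)})
    computed = md5.hexdigest()
    stored = None
    if image[trailer:trailer + len(HASH_MARK)] == HASH_MARK:
        start = trailer + len(HASH_MARK)
        stored = image[start:start + 16].hex()
    if stored is None:
        status = "hash not found"
    elif stored == computed:
        status = "verified"
    else:
        status = "mismatch"
    return {"bad_chunks": bad, "stored_md5": stored, "computed_md5": computed, "status": status}


def corrupt_chunk(image: bytes, idx: int) -> bytes:
    """Flip the first data byte of chunk idx, simulating a damaged image file."""
    _, chunks, _ = _parse(image)
    off, _, _ = chunks[idx]
    b = bytearray(image)
    b[off] ^= 0xFF
    return bytes(b)


if __name__ == "__main__":
    raw = bytes(range(256)) * 12  # constructed 3072-byte "device" (6 sectors)
    cases = [("with hash", build_image(raw)),
             ("no hash", build_image(raw, store_hash=False)),
             ("damaged", corrupt_chunk(build_image(raw), 1))]
    for label, img in cases:
        r = verify_image(img)
        print(f"{label:10s} status={r['status']:15s} computed={r['computed_md5']} bad={r['bad_chunks']}")
```

The "no hash" case is the situation in the thread: every chunk still validates, and the verifier can only show a computed hash, which is the value worth recording immediately. The "damaged" case shows why the per-chunk checksums matter even without a stored hash: they localise the fault to a sector range instead of a single whole-image mismatch. For real E01 files the equivalent check is ewfverify from libewf, as mentioned above.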
athulin
(@athulin)
Community Legend

I recently acquired some electronic evidence (*.E01 format), and to my great surprise, after running a verification in FTK Imager, the Stored Verification Hash read "Hash Not Found" – so, this E01 image has no authenticating hash!

How was the .e01 file created? By EnCase? FTK Imager? some other tool?

My question is, given the way E01 image files work – how is this even possible? The whole point of the E01 format is to contain the authenticating hash of the original media within the E01 file(s).

If the files were produced by EnCase, and if EnCase (no other tool will do here) does not find a problem, there is no problem. Any problem is in FTK Imager.

If the files were produced by some other tool, you may want to consider the possibility that it didn't produce correctly formatted files – for whatever reason. You may bring that problem to the respective tool maker's attention – once you have verified that the problem is repeatable, and isn't due to problems in your acquisition platform … or with your target disk.

One acquisition I made on a system that proved to have a bad RAM bank produced some very weird error messages later – but none that were observed during acquisition.

Posted : 22/08/2012 1:00 pm
joachimm
(@joachimm)
Active Member

If the files were produced by EnCase, and if EnCase (no other tool will do here) does not find a problem, there is no problem. Any problem is in FTK Imager.

I do not agree with you that "no other tool will do here". Before you answer, please look at the issue of EnCase 6.7.1 and the chunk offset overflow first. In short, EnCase was creating incorrect E01 files. Or the issue regarding how the section offset and size should be handled; the format allows storing 2 different images in 1 E01 file if the tool is not careful.

The fact that multiple tools can interpret the format will provide for a less biased result.

Posted : 22/08/2012 4:26 pm