One more thing -- with respect to forensic analysis conducted in the context of information security rather than legal forensics, I care more about unpredictability of the algorithm that I'm going to use to analyze bits than about anything else. An attacker who knows what my analysis tool looks like with certainty can find a way around it -- an attacker who knows that I use one of six different tools at any one time and rotate through them randomly has only a one in six chance of guessing right and they have zero chance of preventing me from using two different tools to analyze the same bits. Also, I gain some security through obscurity if I supplement standard hash algorithms with algorithms of my own design -- and not because my own algorithms are going to be as provably secure/free of collisions, but because it is impossible for an attacker to know ahead of time what their bits are going to look like when processed by my code unless they first obtain a copy of my code. This is an appropriate role for security through obscurity; often times people think they're getting security through obscurity when in fact they've just created one more secret that has to be kept that is relatively easy to discover. Jason Coombs jasoncat_private -----Original Message----- From: adminat_private [mailto:adminat_private] Sent: Wednesday, January 15, 2003 1:03 AM To: forensicsat_private Subject: Re: CRC32 vd MD5 Firstly, a big (and belated) thank you for all the replies, both on and off list, to my original post on this issue. >From what I gather from these responses, I think my original gut feeling that CRC32 by itself was probably not "enough" for forensic purposes seems to be sound. That being so, I'm unsure why an experienced team investigating such a high profile case would use MD5 only at a later stage in response to opposing counsel's comments (but I don't know the full facts of the case so won't comment further). Of equal interest, though, has been the broader discussion of the distribution of MD5 hashes once created, chain of custody procedures and the integrity/credibility of forensic professionals. I was particularly interested in one idea concerning the initial imaging/hashing of evidence in the presence of the defence/defendant/other party and providing the resultant hash to them at this early stage in some kind of secure (digitally signed?) form (I guess for this procedure to have any value it becomes crucial to establish that the evidence could not have been altered by either side before the imaging/hashing process). Nevertheless, is anyone using this type of procedure or are the checks and balances of modern criminal systems sufficient to render it unnecessary? Equally, are those of us working in the corporate arena satisfied that enough is done with regard to establishing the integrity of the evidence we examine or produce? Jamie -- Jamie Morris Forensic Focus Email: adminat_private Web: http://www.forensicfocus.com ----------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com ----------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Thu Jan 23 2003 - 03:21:01 PST