On Wed, 11 Dec 2002, Rainer Gerhards wrote:

> However, I wonder if MD5 will actually help in court as long as it is not
> protected inside a crypt sig - somebody out there with an opinion on
> this?

It's already used quite extensively in presenting the analysis of digital evidence. Both EnCase (probably the most widely used forensics tool on the planet) and the Data<something> tool that's its main competition MD5 disks upon acquisition. Also, most of us using these tools use the NIST standard database (I think it's special database #5- I can check if it's important) along with other sources to compare the MD5 of known-good binaries to weed out things we shouldn't have to search through.

Since that's pretty standard for the industry as a whole[1] I think you'll find that the courts are reasonably happy with our use of MD5- but it really hasn't been seriously challenged as far as I can tell.

So, I think "hold up in court" depends mostly upon usage (HMAC certainly doesn't hurt things)- but we've been establishing a fair amount of precedent in using MD5 for evidence presented in court over the last few years, and it's accepted pretty well for where it's used by both sides.

One of the things that's important to understand is that things don't have to be *perfect* to hold up, they just have to be *good enough*. The difference between good dental plaster for casting footprints and a tracing doesn't make one not admissible, but when the forensic technicians in the field all use one method, you have to be prepared to say why you're using a different one. Photographic "evidence" has been accepted in court cases for decades- despite the ease of tampering anyone who owns a darkroom knows is possible.

Probably the worst scenario with MD5 would be the defense challenging it and the prosecution's expert witness actually being able to explain the math, and doing so ;)

If I can show that the process that creates the checksum's integrity was good, and I can show the data and the checksum match, then it can only help. If the process which created it is suspect, then perhaps it doesn't help- but it can't really hurt your case except in the noted instance where someone tries to explain to a jury how it works ;)

Also, understand that in the majority of cases, you want to present strong enough evidence that the guilty party pleads out. Checksums are sure to help with that.

Paul

[1] Industry being both private firms that do computer forensics (their own, or for others) as well as law enforcement.

-----------------------------------------------------------------------------
Paul D. Robertson "My statements in this message are personal opinions
probertsat_private which may have no basis whatsoever in fact."
probertsonat_private Director of Risk Assessment TruSecure Corporation
_______________________________________________
LogAnalysis mailing list
LogAnalysisat_private
http://lists.shmoo.com/mailman/listinfo/loganalysis
This archive was generated by hypermail 2b30 : Wed Dec 11 2002 - 16:35:36 PST
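
The two practices the message mentions, MD5 comparison against a known-good set and a keyed hash protecting the checksums themselves, are sketched below as an added example that is not part of the original message or of any tool it names. All file paths, contents, the key and the function names are constructed for illustration, and using HMAC-SHA256 for the keyed tag is this example's assumption.

```python
import hashlib
import hmac

def md5_hex(data: bytes) -> str:
    """MD5 of a byte string, as the hex digest forensic tools report."""
    return hashlib.md5(data).hexdigest()

def build_manifest(files: dict) -> str:
    """One 'digest  path' line per file, sorted so the manifest is reproducible."""
    return "".join(f"{md5_hex(d)}  {p}\n" for p, d in sorted(files.items()))

def seal(manifest: str, key: bytes) -> str:
    """Keyed tag over the whole manifest (HMAC-SHA256 is this example's choice)."""
    return hmac.new(key, manifest.encode(), hashlib.sha256).hexdigest()

def verify(manifest: str, tag: str, key: bytes) -> bool:
    """Constant-time check that the manifest still matches its tag."""
    return hmac.compare_digest(seal(manifest, key), tag)

def unknown_files(files: dict, known_good: set) -> list:
    """Paths whose MD5 is not in the known-good set and so still need review."""
    return sorted(p for p, d in files.items() if md5_hex(d) not in known_good)

# Constructed sample data: an "acquired" file tree and a tiny known-good set.
ACQUIRED = {
    "/bin/ls": b"constructed stand-in for a stock ls binary",
    "/bin/ps": b"constructed stand-in for a stock ps binary",
    "/tmp/.x/ps": b"constructed stand-in for a modified ps binary",
}
KNOWN_GOOD = {md5_hex(ACQUIRED["/bin/ls"]), md5_hex(ACQUIRED["/bin/ps"])}
KEY = b"constructed-demo-key-held-by-the-examiner"

def demo() -> dict:
    manifest = build_manifest(ACQUIRED)
    tag = seal(manifest, KEY)
    # Someone who alters a file can recompute the plain MD5 line to match,
    # but cannot recompute the tag without the key.
    forged = build_manifest({**ACQUIRED, "/bin/ps": b"swapped contents"})
    return {
        "to_review": unknown_files(ACQUIRED, KNOWN_GOOD),
        "original_ok": verify(manifest, tag, KEY),
        "forged_ok": verify(forged, tag, KEY),
    }

if __name__ == "__main__":
    print(demo())
```
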