Is hashing still a beneficial exercise when creating a live forensic image (e.g., creating a dd image of a running server)? When a forensic image is created from a live, running system, will the hash value of the image ever match a hash of the running system's hard drive? Why or why not? If not, how could you explain this in court?
A hash is a fixed-length alphanumeric value computed from a particular unit of data. The basic concept is that the hash value cannot be changed without changing the data it indexes (Chen, 2014). For example, suppose a digital video file is created and the accompanying hash value is logged. If an unauthorized party modifies this video file or tampers with the evidence, the hash value of the file will also change.
A live forensic image, such as one created with the dd tool on a running server, is a tricky situation. The hash value indicates the state of a system at one particular point in time. A running server is constantly in use, which means the state of the system is changing constantly, and so the hash value of the system is changing constantly too. Forensics relies on the fact that the hash value remains unchanged (Brown, 2014); that is the only way anyone can be sure that digitally stored evidence has not been modified. This gives us the answer to the question asked above: will the hash value of the image ever match a hash of the running system's hard drive? The hash value simply will not match the target data. This also means hashing may not be the best technique for the forensic team to use.
However, there is a way around this, and it has to do with the point at which the hash value is created. Going back to the example of creating the live image from a running server, it is best to hold off creating the hash value until the cloning process is complete. Obviously, while the cloning is in progress, the state of the data on the system is changing. Once the cloning is completed, we have a static cloned copy of the running server, and the hash value is calculated at that point in time. Now this cloned copy can be used as evidence. Why? Unlike the live server, the cloned image is not expected to change with time, which also means that, as long as nobody modifies the contents of this cloned image, the hash value remains intact (Laimer, n.d.).
An important criterion here is that it has to be stated in advance that the cloned image and its hash value mirror the running server at that point in time. Any changes made to the running server after the cloning has been completed will not be reflected in the static disk image. As long as the evidence team is comfortable with this, the exercise of hashing will be beneficial to the forensic team. If situations occur where such a restriction on the cloned image is not allowed, then hashing loses whatever benefits it claims to have. This is how I would explain this issue to the Court.
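As an added example (not from the original essay), the procedure above in code: the image is hashed only after the copy completes, the digest is recorded in sha256sum's file format so it can be re-checked whenever the image is handled later, and a constructed scenario shows that the static image still verifies while the still-changing source no longer matches it. The plain file copy stands in for dd, and the file names and the "log entry" write are assumptions made for the demonstration.

```python
import hashlib
import os
import tempfile

CHUNK = 1 << 20  # stream in 1 MiB pieces so a large image never sits fully in RAM

def hash_file(path, algorithm="sha256"):
    """Stream a file through a hash function and return the hex digest."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()

def record_hash(image_path, algorithm="sha256"):
    """Write '<digest>  <filename>' beside the image (the sha256sum -c format)."""
    digest = hash_file(image_path, algorithm)
    with open(f"{image_path}.{algorithm}", "w") as f:
        f.write(f"{digest}  {os.path.basename(image_path)}\n")
    return digest

def verify_image(image_path, algorithm="sha256"):
    """Recompute the image digest and compare it with the recorded value."""
    with open(f"{image_path}.{algorithm}") as f:
        recorded = f.read().split()[0]
    return hash_file(image_path, algorithm) == recorded

def acquire(source_path, image_path):
    """Copy the source to the image (stand-in for dd); hash only after the copy ends."""
    with open(source_path, "rb") as src, open(image_path, "wb") as dst:
        for chunk in iter(lambda: src.read(CHUNK), b""):
            dst.write(chunk)
    return record_hash(image_path)

def demo():
    """Constructed scenario: the 'live' source keeps changing after acquisition.
    Returns (image still verifies, hash of live source equals image hash)."""
    workdir = tempfile.mkdtemp()
    source = os.path.join(workdir, "live_disk.bin")  # constructed sample disk
    image = os.path.join(workdir, "server.dd")
    with open(source, "wb") as f:
        f.write(os.urandom(2 * CHUNK))
    image_digest = acquire(source, image)
    verified_at_rest = verify_image(image)  # nobody touched the image: True
    with open(source, "r+b") as f:  # the running server writes a new log entry
        f.seek(1234)
        f.write(b"new log entry")
    # The static image still verifies, but hashing the live disk now cannot
    # reproduce the digest recorded for the image.
    return verified_at_rest, hash_file(source) == image_digest
```

The recorded `server.dd.sha256` file can also be checked on the command line with `sha256sum -c server.dd.sha256` from the image's directory.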
What we have seen here is that hashing is still relevant, even when the source is a running server. However, much depends on the tools that were used for the cloning process. The hashing benefit also depends on the forensic team and how comfortable they are with the limitations of hashing with a running server.
Chen, J. (2014, October 21). Investigators at Chinese Academy of Science Report Findings in Cybernetics (Spectral Embedded Hashing for Scalable Image Retrieval). Journal of Technology.
Grimmb, P. (2011, April 1). Essentials of forensic imaging: a text-atlas (Brief article) (Book review). Reference & Research Book News.
Brown, J. (2014, January 5). Using Common Hashing Algorithms to Identify and Categorize Pictures. Retrieved April 15, 2015, from http://www.magnetforensics.com/using-hashing-algorithms-to-identify-and-categorize-pictures/
Laimer, G., & Uhl, A. (n.d.). Key-Dependent JPEG2000-Based Robust Hashing for Secure Image Authentication. EURASIP Journal on Information Security, 895174-895174.
Trawick, G., & Imsand, E. (2010). Digital forensic detection and disruption of JPEG steganography.