[Cryptography] The computer forensics world still using SHA-1

RB aoz.syn at gmail.com
Tue Aug 17 22:44:10 EDT 2021


Fair disclosure: I am a practitioner (albeit former), and work
developing modern tooling for processes a couple of iterations beyond
the subject at hand.

On Tue, Aug 17, 2021 at 3:00 PM Phillip Hallam-Baker
<phill at hallambaker.com> wrote:
> I just started a forensics course so I could find out more about the current state of the art.
>
> Commercial product TK-Imager, apparently a standard workhorse:

I presume you mean FTK imager?  Common for asking end (or new) users
to image local disks. Whatever gets the image down, but peaked close
to 10 years ago.

> * Uses SHA-1 and MD5 digests for integrity.

Both digests coupled with a known size (which most disk forensics is
based on), is bad but not as wildly bad as it could be.  Moreover,
they're far more interested in the physical chain-of-custody documents
of a given disk and its image (usually stored offline, on another
disk) than they are the cryptographic soundness of their digest
algorithm. If the latter fails, guess which they trust?

> * No enrollment in append only log

Whose append-only log do you trust, and how do you implement it
isolated from Internet connectivity, which is where most actual
commercial disk forensics is conducted?  If you want a good nasty
shock, take a look at the EWF storage format. It's the standard
(outside of just raw images) mainly by attrition.

> This should be fixed. It's like people are working in the stone age.

Be aware that many of those practitioners prefer it that way. They're
not technologists or cryptographers, and many believe in the "court
approved" or "court proven" smoke that established commercial vendors
keep blowing at them. Bear also in mind that most shops doing disk
forensics are law enforcement, former law enforcement, or an
intersection of those with big "more bodies is better" consulting
houses. Slow, manual, and time-consuming are the name of the game
there. When it takes 20-40 man-hours for rapid analysis of a given
image and an environment has thousands of systems and a customer is
paying anywhere between $200 and $500/hr for the work, nobody is in a
hurry to improve anything.

Disk forensics is, for modern shops, the last-ditch effort. Many
stopped trying to do that at scale quite a few years ago. It might be
a market ripe for disruption, but the fruit is something of a durian -
very narrow appeal and an acquired taste.
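As an added illustration (not code from the thread or from any imaging tool), the check below verifies an image against the kind of record the post describes, MD5 plus SHA-1 plus byte size, in a single pass, and records SHA-256 alongside so a stronger digest is on file for later review. The manifest field names and the sample image bytes are constructed assumptions.

```python
"""Single-pass integrity check for a disk image against a recorded manifest."""
import hashlib
import io

# Digests to compute: the two the legacy tooling records, plus SHA-256.
ALGORITHMS = ("md5", "sha1", "sha256")


def digest_image(stream, chunk_size=1 << 20):
    """Read the image once, updating every digest and counting bytes together."""
    hashes = {name: hashlib.new(name) for name in ALGORITHMS}
    size = 0
    while True:
        chunk = stream.read(chunk_size)
        if not chunk:
            break
        size += len(chunk)
        for h in hashes.values():
            h.update(chunk)
    record = {name: h.hexdigest() for name, h in hashes.items()}
    record["size"] = size
    return record


def verify_image(stream, manifest):
    """Compare an image against a manifest dict (keys: md5, sha1, size, optional sha256).

    Returns (ok, mismatched_fields, actual_record). Only fields present in the
    manifest are checked, so a legacy md5/sha1/size record still verifies.
    """
    actual = digest_image(stream)
    mismatched = sorted(k for k in manifest if str(actual.get(k)) != str(manifest[k]))
    return (not mismatched, mismatched, actual)


# Constructed sample "image": a small sector-like blob, not a real disk.
SAMPLE_IMAGE = bytes(range(256)) * 16  # 4096 bytes

# Manifest as an imaging tool might record it (md5/sha1/size only, no sha256).
LEGACY_MANIFEST = {k: v for k, v in digest_image(io.BytesIO(SAMPLE_IMAGE)).items()
                   if k in ("md5", "sha1", "size")}

# Same-length tampering: flip one byte so size alone would not catch it.
TAMPERED_IMAGE = SAMPLE_IMAGE[:100] + bytes([SAMPLE_IMAGE[100] ^ 0xFF]) + SAMPLE_IMAGE[101:]

if __name__ == "__main__":
    print(verify_image(io.BytesIO(SAMPLE_IMAGE), LEGACY_MANIFEST)[:2])
    print(verify_image(io.BytesIO(TAMPERED_IMAGE), LEGACY_MANIFEST)[:2])
```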

