[Cryptography] The computer forensics world still using SHA-1

Phillip Hallam-Baker hallam at gmail.com
Wed Aug 18 01:23:45 EDT 2021 

On Tue, Aug 17, 2021 at 10:44 PM RB <aoz.syn at gmail.com> wrote:

> Fair disclosure: I am a practitioner (albeit former), and work
> developing modern tooling for processes a couple of iterations beyond
> the subject at hand.
>
> On Tue, Aug 17, 2021 at 3:00 PM Phillip Hallam-Baker
> <phill at hallambaker.com> wrote:
> > I just started a forensics course so I could find out more about the
> current state of the art.
> >
> > Commercial product TK-Imager, apparently a standard workhorse:
>
> I presume you mean FTK imager?  Common for asking end (or new) users
> to image local disks. Whatever gets the image down, but peaked close
> to 10 years ago.
>

Yup



> > * Uses SHA-1 and MD5 digests for integrity.
>
> Both digests coupled with a known size (which most disk forensics is
> based on), is bad but not as wildly bad as it could be.  Moreover,
> they're far more interested in the physical chain-of-custody documents
> of a given disk and its image (usually stored offline, on another
> disk) than they are the cryptographic soundness of their digest
> algorithm. If the latter fails, guess which they trust?
>

These are Merkle-Damgard constructions, so if MD5 can be broken and SHA-1
can be broken, breaking both is simply a matter of breaking them in
different blocks. Easy.

Sure, the physical chain of custody is a backup. But if the defense is
alleging the materials were tampered with, show the hash is broken and the
case is toast.


> > * No enrollment in append only log
>
> Whose append-only log do you trust, and how do you implement it
> isolated from Internet connectivity, which is where most actual
> commercial disk forensics is conducted?


My technical solution is for each user of the Mesh and each Mesh service
provider to run their own logs. Periodically, each Mesh used cross notifies
with their service provider, thus locking the two logs so that neither can
defect without the other detecting the breach. Every Mesh service provider
then cross certifies with the callsign registry locking every service
provider to the registry log, and thus every service provider to every
service provider and every user to every user.

I would expect NIST to participate if this was to be evidence grade. So the
ultimate authority of the integrity of the log enrollments is going to be
NIST as far as the US courts are concerned, BSI for the UK etc. Everyone is
their own ultimate authority.



> If you want a good nasty
> shock, take a look at the EWF storage formatt. It's the standard
> (outside of just raw images) mainly by attrition.


Already done, am shocked.

> This should be fixed. Its like people are working in the stone age.
>
> Be aware that many of those practitioners prefer it that way. They're
> not technologists or cryptographers, and many believe in the "court
> approved" or "court proven" smoke that established commercial vendors
> keep blowing at them. Bear also in mind that most shops doing disk
> forensics are law enforcement, former law enforcement, or an
> intersection of those with big "more bodies is better" consulting
> houses. Slow, manual, and time-consuming are the name of the game
> there. When it takes 20-40 man-hours for rapid analysis of a given
> image and an environment has thousands of systems and a customer is
> paying anywhere between $200 and $500/hr for the work, nobody is in a
> hurry to improve anything.
>

I doubt that automating the chain of custody verification, changing to a
secure digest, etc. is going to reduce the number of consulting hours.

It will make filling in time sheets a lot easier though.

And for the vendors, do they really want to see their products exposed on
the evening news?
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://www.metzdowd.com/pipermail/cryptography/attachments/20210818/8a0418f4/attachment.htm>

More information about the cryptography mailing list