[Cryptography] The computer forensics world still using SHA-1

RB aoz.syn at gmail.com
Wed Aug 18 11:49:07 EDT 2021


On Tue, Aug 17, 2021 at 11:23 PM Phillip Hallam-Baker <hallam at gmail.com> wrote:
> These are Merkle-Damgard constructions, so if MD5 can be broken and SHA-1 can be broken, breaking both is simply a matter of breaking them in different blocks.

I am not a cryptographer, but do these breaks still involve padding
the material, or have they progressed to producing in-situ collisions?

> Sure, the physical chain of custody is a backup. But if the defense is alleging the materials were tampered with, show the hash is broken and the case is toast.

I'm afraid you must invert your assumption - chain of custody is the
primary protection as far as the courts tend to be concerned; matching
digests are mainly convenient. I have first-hand experience in cases
where the logged checksum at acquisition was incorrect; they didn't go
to court, but we always worked with that end in mind. We logged the
difference, noted that the CoC and size of the image checked out, and
proceeded, noting the discrepancy on the CoC. To echo Natanel's point,
it typically rests on the opposing side to prove that the discrepancy
is material, not that it simply exists.

> I doubt that automating the chain of custody verification, changing to a secure digest, etc. is going to reduce the number of consulting hours.
>
> It will make filling in time sheets a lot easier though.

You might be surprised. On the commercial side they already bill in
15-minute increments, and adopting new technology is expensive
(capital, operations, and nonproductive education hours). On the LE
side, it's often just one (maybe two) cops in a department that do
digital forensics part time.

> And for the vendors, do they really want to see their products exposed on the evening news?

I suspect that they're largely indifferent. They're in a comfortable,
established space that's cozy with all active participants.

To be clear: I'm with you, I'm not defending the industry in the
slightest, I think that the entire disk forensics space is backwards
and in desperate need of cleanup. I'm just cynical about the chances
that anything might be done in something approaching what you might
consider a reasonable timeline.

Finally, to be fair: in a disk forensics course, they probably chose
MD5/SHA1 for performance reasons; FTK Imager is appallingly slow when
producing digests. Much in-production imaging is already using SHA256.
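
An added example, not part of the original message: one read pass over an image that feeds MD5, SHA-1 and SHA-256 together, then reports which fields of an acquisition record disagree so a discrepancy can be noted alongside the size check. The function names, record layout and sample bytes are constructed for illustration.

```python
import hashlib
import io

ALGORITHMS = ("md5", "sha1", "sha256")  # legacy digests plus SHA-256

def digest_stream(stream, chunk_size=1 << 20):
    """Read the stream once, feeding every chunk to all hash objects."""
    hashers = {name: hashlib.new(name) for name in ALGORITHMS}
    size = 0
    while True:
        chunk = stream.read(chunk_size)
        if not chunk:
            break
        size += len(chunk)
        for h in hashers.values():
            h.update(chunk)
    result = {"size": size}
    result.update({name: h.hexdigest() for name, h in hashers.items()})
    return result

def compare_to_record(observed, logged):
    """Return the fields whose logged value differs from the observed one.

    Fields missing from the logged record are skipped, so an older record
    holding only MD5/SHA-1 can still be checked.
    """
    return [field for field in ("size",) + ALGORITHMS
            if field in logged and logged[field] != observed[field]]

# Constructed sample: 4 MiB of patterned bytes standing in for a disk image.
SAMPLE_IMAGE = bytes(range(256)) * (4 * 4096)

def demo():
    observed = digest_stream(io.BytesIO(SAMPLE_IMAGE))
    # Constructed acquisition record: size and the other digests are right,
    # but the MD5 was logged incorrectly.
    logged = dict(observed, md5="0" * 32)
    return observed, compare_to_record(observed, logged)

if __name__ == "__main__":
    observed, mismatches = demo()
    print("size:", observed["size"])
    for name in ALGORITHMS:
        print(name + ":", observed[name])
    print("fields differing from the logged record:", mismatches)
```
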

