Security Aspects of Piecewise Hashing in Computer Forensics

Reference

Baier, H., & Breitinger, F. (2011). Security Aspects of Piecewise Hashing in Computer Forensics. Paper presented at the IT Security Incident Management and IT Forensics (IMF).

Publication type

Paper in Conference Proceedings

Abstract

Although hash functions are a well-known method in computer science to map arbitrarily large data to bit strings of a fixed length, their use in computer forensics is currently very limited. As of today, in a pre-step process hash values of files are generated and stored in a database; typically a cryptographic hash function like MD5 or SHA-1 is used. Later the investigator computes hash values of files, which he finds on a storage medium, and performs lookups in his database. This approach has several drawbacks, which have been sketched in the community, and some alternative approaches have been proposed. The most popular one is due to Jesse Kornblum, who transferred ideas from spam detection to computer forensics in order to identify similar files. However, his proposal lacks a thorough security analysis. It is therefore one aim of the paper at hand to present some possible attack vectors of an active adversary to bypass Kornblum's approach. Furthermore, we present a pseudo random number generator being both more efficient and more random compared to Kornblum's pseudo random number generator.

Organizational Units

  • Institute of Information Systems
  • Hilti Chair for Data and Application Security

DOI

http://dx.doi.org/doi:10.1109/IMF.2011.16