is used to make TCP/UDP connections to a server and is also an excellent diagnostic
tool. Netcat typically works in two modes, Server and Client:
server% nc -l -p 30000 ==> (Awaiting input via port 30000 on <server> )
client% nc <server> 30000 ==> (Connection to <server> via port 30000)
Getting back to the topic of acquisition tools, granted that a computer forensics
investigation is carried out on copies and not on the originals, the tools must still
not alter the evidence. Even with copies you have to make sure that their content
is not altered during the investigation. To ensure this you need a checking
mechanism that lets you be sure that the evidence (and copies of it) has not been
altered or damaged. The best technique is to create a hash of the image produced.
A hashing algorithm, starting from a data sequence of any length, such as the entire
contents of a disk, generates another, much shorter data sequence called a hash,
whose contents strictly depend on the original data. The feature of hashing
algorithms that makes them so useful is that even minimal changes in the input data
will produce a completely different hash. There are many hash-generating algorithms.
The most important and widely used are SHA-1 (Secure Hash Algorithm, RFC 3174)
and MD5 (Message-Digest Algorithm, RFC 1321). The critical issue with these
algorithms is not so much generating a hash that does not let you get back to the
original data, but avoiding overlapping results (collisions), i.e., making the
relationship between the input data and the hash as unambiguous as possible. At the
time of writing, a group of Chinese cryptologists has presented a paper on MD5 and
SHA-1 cracking. The paper can be found at http://www.iacr.org/conferences/crypto2004/ .
However, we are still pretty far from a practical implementation of the proof of
concept described in the paper. The forensic community advises examiners to compute
both SHA-1 and MD5 on the same image file. In any case, while we wait for NIST
to come up with its final pronouncement on a new hashing standard, many laboratories
are carrying out tests with RIPEMD-160.
There are many tools, both freeware and commercial, that can generate hashes
of files. For example, a tool included in F.I.R.E. (Forensic and Incident Response
Environment) generates images of disks and a hash of the file created. The tool in
question is called DCFLDD (or EDD for “Enhanced DD”). This software was specially
created for F.I.R.E. and extends the capabilities of DD (the basic tool) with a
feature that creates an MD5 hash of the disk image. Depending on the options, it is
possible to write the hash to a separate output file. It can also create hashes of
subsections of disks (or in general of input data streams) by specifying the size of
the hash window, i.e., the data intervals at which hashes should be created. We will
get into a little more depth on F.I.R.E. in the section on First Response CDs.
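As an added illustration (not from the book, nor code from the F.I.R.E. or DCFLDD projects), the Python script below shows both ideas from the preceding paragraphs in one place: it computes MD5 and SHA-1 over a constructed sample image in a streaming fashion, records a per-window digest in the spirit of the DCFLDD hash window, and then compares a working copy against the original to confirm it is unaltered or to localise which byte ranges differ. The window size, the sample data and the function names are assumptions made for the example.

```python
import hashlib
import io
from itertools import zip_longest

# Assumed window size: DCFLDD lets the operator choose the hash window;
# a small value is used here so the constructed sample yields a few windows.
WINDOW = 1024
# The two digests the text recommends computing together on the same image.
ALGORITHMS = ("md5", "sha1")


def hash_stream(stream, window=WINDOW, algorithms=ALGORITHMS):
    """Hash a byte stream without loading it all into memory.

    Returns (totals, windows):
      totals  -> {algorithm: hexdigest} over the entire stream
      windows -> [(start, end, {algorithm: hexdigest}), ...], one entry per
                 fixed-size window, in the style of a hash-window log
    """
    totals = {name: hashlib.new(name) for name in algorithms}
    windows = []
    offset = 0
    while True:
        chunk = stream.read(window)
        if not chunk:
            break
        for h in totals.values():
            h.update(chunk)
        per_window = {name: hashlib.new(name, chunk).hexdigest() for name in algorithms}
        windows.append((offset, offset + len(chunk), per_window))
        offset += len(chunk)
    return {name: h.hexdigest() for name, h in totals.items()}, windows


def hash_image(data, window=WINDOW):
    """Convenience wrapper: hash an in-memory image (bytes) as a stream."""
    return hash_stream(io.BytesIO(data), window)


def verify_copy(original, copy, window=WINDOW):
    """Compare a working copy against the original image.

    Returns (intact, mismatched_ranges). When the whole-image digests agree the
    copy is accepted; otherwise the per-window digests are compared so the
    examiner can see which byte ranges were altered or truncated.
    """
    orig_totals, orig_windows = hash_image(original, window)
    copy_totals, copy_windows = hash_image(copy, window)
    if orig_totals == copy_totals:
        return True, []
    mismatched = []
    for ow, cw in zip_longest(orig_windows, copy_windows):
        if ow is None or cw is None or ow[2] != cw[2]:
            start, end = (ow or cw)[:2]
            mismatched.append((start, end))
    return False, mismatched


# Constructed sample "disk image": 4096 bytes with a recognisable pattern.
SAMPLE_IMAGE = bytes(range(256)) * 16


def flip_bit(data, offset, bit=0):
    """Return a copy of data with a single bit flipped at the given byte offset."""
    altered = bytearray(data)
    altered[offset] ^= 1 << bit
    return bytes(altered)


if __name__ == "__main__":
    totals, windows = hash_image(SAMPLE_IMAGE)
    for name, digest in totals.items():
        print(f"{name}: {digest}")
    print(f"{len(windows)} windows of {WINDOW} bytes")
    print("identical copy: ", verify_copy(SAMPLE_IMAGE, SAMPLE_IMAGE))
    print("one bit flipped:", verify_copy(SAMPLE_IMAGE, flip_bit(SAMPLE_IMAGE, 2500)))
    print("truncated copy: ", verify_copy(SAMPLE_IMAGE, SAMPLE_IMAGE[:3000]))
```

A single flipped bit changes every digest computed over the whole image, which is the property the text relies on; the per-window digests add what a whole-image hash cannot give, namely the location of the change, so a damaged copy can be traced to a region rather than discarded as a whole.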