Authenticating the Incident Data
As a general rule, all criminals or perpetrators leave evidence behind. What you have collected as evidence during and/or after an incident must be proven to be the same as what was left behind during a criminal or unauthorized activity. Both proof of integrity and time stamping are provided by calculating a value that represents an electronic footprint. This is a cryptographic technique, and the value is called a hash. All forensic utility suites include the software to calculate hash values.
MD5 (Message Digest), as described in IETF RFC 1321, and SHA (Secure Hash Algorithm) can be used to create a hash of the entire diskette, or hard drive, or individual files, as needed.
The MD5 algorithm takes a message of arbitrary length as input and produces a 128-bit fingerprint or message digest output. It is conjectured that it is computationally infeasible to produce two messages having the same message digest or to produce any message having a given prespecified target message digest. The MD5 algorithm is intended for digital signature applications in which a large file must be compressed in a secure manner before it is encrypted with a private (secret) key with a public-key cryptosystem, such as RSA. In essence, MD5 is a way to verify data integrity and is much more reliable than checksum and many other commonly used methods. SHA is the basis for the U.S. Secure Hash Signature Standard SHA-1. This standard is also used for computing a condensed representation of a message or a data file. SHA-1 produces 160-bit output, called a message digest, of any message that is less than 264 bits. SHA-1 is called secure because it is considered computationally infeasible to find a message that corresponds to a given message digest or to find two different messages that produce the same message digest.
An example of the use of the MD5 utility to create a hash of the suspect system's disk from your system's clean (known good) mounted CD is shown below. Ensure that the object you are fingerprinting is not accepting active writes. The following command assumes that you are on the suspect system and that sdisk is the suspect system disk.
# /mnt/bin/md5 /dev/sdisk fd834eafd2546cdbaf09e817645af34d /dev/sdisk
On the known good, collection host, where you will create image copies of the suspect disk, run MD5 (again) against the image file, as in the following example.
# md5 suspect_sdisk_img
Now, comparing the two hash values, you can make sure that the hash value of the suspect disk has not changed in the process of image creation.
A common practice in many tools, such as Tripwire, is to use multiple hash algorithms. For more information, go to: http://www.sun.com/software/security/tripwire/
Make sure you record the values of hashes created so that later in the analysis (and in the prosecution of the incident if it is pursued), you can prove that the copies of the data you are using for your examination are identical to the original data collected as evidence of an incident.
The images of hard drives and any volatile information saved before shutting down a suspect machine are also candidates for time stamping. Some examples are:
Collection of proofs of ongoing unauthorized or suspect activities, which might include items such as log files, sniffer output, and outputs from firewalls and intrusion detection systems
Output from any reports or searches performed on a suspect (compromised) machine, including a list of all files and their associated access times
Typed copies of the investigative team's daily notes