MD5SUM AND MD5: VALIDATING THE EVIDENCE COLLECTED

After you have collected evidence using any of the means suggested so far in this chapter, you must provide a mechanism for checking its validity at any later time. If the validity of the evidence cannot be demonstrated, all of the collection and analysis effort could be considered wasted. Applying the industry-accepted MD5 checksum as the digital fingerprint of the evidence lets you show that the data collected several years ago is exactly the same as the version submitted in court. One caveat a current practitioner should know: MD5 is no longer collision-resistant, so it cannot prove that two files an adversary prepared in advance are distinct, but it still reliably detects accidental or after-the-fact alteration of an image you hashed yourself. Current practice is to record a SHA-256 hash alongside the MD5 (sha256sum takes the same switches as md5sum, so everything below applies to it unchanged).

The md5sum (and md5) tool is available with most open-source Unix operating systems. For Windows, the Cygwin suite of tools contains the md5sum executable. (Refer to Chapter 3 for information about Cygwin.)

Implementation

The tool that calculates the MD5 checksum of a file in Linux is called md5sum and comes bundled with most Linux distributions. The options for md5sum are as follows:

 forensic# md5sum --help
 Usage: md5sum [OPTION] [FILE]...
   or:  md5sum [OPTION] --check [FILE]
 Print or check MD5 (128-bit) checksums.
 With no FILE, or when FILE is -, read standard input.

   -b, --binary            read files in binary mode (default on DOS/Windows)
   -c, --check             check MD5 sums against given list
   -t, --text              read files in text mode (default)

 The following two options are useful only when verifying checksums:
       --status            don't output anything, status code shows success
   -w, --warn              warn about improperly formatted checksum lines

       --help              display this help and exit
       --version           output version information and exit

You invoke the tool with one parameter, the file whose checksum is to be calculated. For forensic purposes, all MD5 checksums should be calculated in binary mode, so use the -b switch at all times. On Linux the two modes produce the same hash, but on DOS/Windows text mode can translate line endings as the file is read, which would change the hash of an otherwise identical file.

The following demonstrates calculating the MD5 checksums for several evidence files we duplicated. Write the checksum list somewhere other than the evidence directory (or name the evidence files explicitly instead of using *), so that a later run does not pick up the list file itself as if it were evidence:

 forensic# ls
 disk.1.bin  disk.2.bin  disk.3.bin  disk.4.bin
 forensic# md5sum -b * > md5sums.txt

Once we have the checksum list, validating the files is an easy process: specify the -c switch and the file of MD5 checksums. Each file is reported as OK or FAILED, and md5sum exits with a nonzero status if any file fails (or cannot be read), so a script can test the exit status rather than parse the output.

 forensic# md5sum -c md5sums.txt
 disk.1.bin: OK
 disk.2.bin: OK
 disk.3.bin: OK
 disk.4.bin: OK

If even one bit of an evidence file is altered, a checksum mismatch is reported. We opened a binary editor and changed the first bit of the disk.4.bin file from a 1 to a 0. Running the comparison again with md5sum gives the following results:

 forensic# md5sum -c md5sums.txt
 disk.1.bin: OK
 disk.2.bin: OK
 disk.3.bin: OK
 disk.4.bin: FAILED
 md5sum: WARNING: 1 of 4 computed checksums did NOT match

The md5sum tool can compute the MD5 checksum of complete hard drives in Unix operating systems. This is because Unix exposes hard drives as special (block device) files, and md5sum reads such a file no differently from any other. Two caveats apply: attach the source drive through a hardware write blocker or, at minimum, never mount it read-write, because reading the raw device is the only step that must not alter it; and note that md5sum aborts on the first unreadable sector and prints no hash, whereas dd run with conv=noerror,sync skips over bad sectors and pads them with zeros, so a drive with read errors will not produce an image whose hash matches the source. Shortly, we will demonstrate how to compare the MD5 checksum of a source hard drive with the checksum of a forensic duplication evidence file.

Note 

It is important to mention that md5sum has been ported to the Windows operating system. Md5sum is part of the Cygwin development distribution you studied in Chapter 3. All the options and switches in the Windows version are exactly the same as those in the Linux version. The only difference in execution we have noticed is that the Windows version does not always default to binary mode, which is why we recommend you get into the habit of using the -b switch.

In FreeBSD, the MD5 checksum tool is called md5. It is part of the base operating system and operates similarly to its Linux and Windows counterparts. The usage of md5 is as follows:

 forensic# md5 <filename> 

Notice that the md5 tool is much simpler than its Linux counterpart: it always reads in binary mode, so there is no binary-mode switch to remember. Its default output format, MD5 (filename) = hash, differs from md5sum's hash *filename form; md5 -r prints the hash first, which is easier to compare side by side with md5sum output.

Case Study: Smuggling the Secrets

You work at a successful pharmaceutical company where the discovery of one chemical formula can make or break the players within the industry. Your job isn't to develop these formulas; instead, you are tasked with keeping the monstrous computer resources secure and the proprietary company data safe. Your job was perfect until a fateful Friday afternoon when your telephone rings.

During a routine search of employees entering and leaving the building, the security guard on the ground floor found a standard floppy disk that Dr. Steve Hansen had hidden in a hollow compartment of his shoe, hoping the guards would not catch him. Your company's officers task you to perform an initial investigation of this incident, taking great care to collect the data in a forensically sound manner in case they decide to pursue legal recourse against Dr. Hansen. Armed with the tools in this section, you have more than enough resources to determine whether the data on Dr. Hansen's disk was specifically prohibited by your company's policies and constituted theft of trade secrets under U.S. law.

dd

The first action you perform is to slide the write-protect tab on the floppy disk to the "read-only" position. This prevents, at some level, the contents of the disk from being changed; it is a safeguard the drive honors mechanically, not a substitute for the checksums you will record. After that, you fire up your workstation to create a forensic duplication of the source media (the disk). You type the following command line to acquire the floppy drive:

 forensic# dd if=/dev/fd0 of=/mnt/storage/dr_hansen_floppy.bin conv=notrunc,noerror,sync
 2880+0 records in
 2880+0 records out

You did not encounter any errors in your forensic duplication: dd printed no read-error messages, the input and output record counts are equal, and the +0 in each shows that no partial records were read. 2880 records of 512 bytes is 1,474,560 bytes, the full capacity of a 1.44 MB floppy. Had a sector been unreadable, conv=noerror,sync would have continued past it and padded that block with zeros, so the record counts would still balance but the image's checksum would no longer match the source.

Next, you want to mount this duplication in the Linux environment and view its contents. The image is an ordinary file rather than a block device, so you cannot mount it directly; instead you use the Linux loopback facility to attach it to a loop device (losetup -r attaches it read-only), and then mount that device read-only so that nothing you do while browsing can alter the image. Because you know that Dr. Hansen isn't the world's most savvy computer user, you bank on the fact that he may not have hidden the data in such a complicated manner that you would have to perform a physical-level analysis of the floppy data. To analyze the logical data, you type the following commands into your workstation:

 forensic# losetup /dev/loop0 /mnt/storage/dr_hansen_floppy.bin
 forensic# mount -r /dev/loop0 /mnt/evidence
 forensic# ls -al /mnt/evidence
 total 30
 drwxr-xr-x    2 root     root         7168 Dec 31  1969 .
 drwxr-xr-x    4 root     root         4096 Apr  9 09:52 ..
 -rwxr-xr-x    1 root     root        19456 Apr 25  2002 Secret Formula.doc

Upon opening the Secret Formula.doc file with your favorite editor, you see that it is indeed the formula to the new male balding drug your company has just developed. Your bosses were amazed with your forensic abilities and gave you a lifetime subscription to any of the drugs the company develops. Way to go!

md5sum and md5

You remember that after acquiring the forensic duplication, you need to generate an MD5 checksum of both the floppy contents and the evidence file:

 forensic# md5sum -b /dev/fd0
 e9a4ee253a4537886a59a7973241bf20  */dev/fd0
 forensic# md5sum -b /mnt/storage/dr_hansen_floppy.bin
 e9a4ee253a4537886a59a7973241bf20  */mnt/storage/dr_hansen_floppy.bin

Wonderful! Your image is an exact bit-for-bit copy of the source floppy disk.

Note that this command is placed last to keep the printed version of this story consistent with the order in which the tools are discussed in this chapter. In practice you would run the first md5sum command (on /dev/fd0) immediately before you duplicate the floppy and the second (on the image) immediately after the duplication is complete, and record both values, with the date, time, and your name, in your investigation notes.
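The procedure described in this section and in the case study (duplicate the source with dd, hash source and image with md5sum -b, keep an md5sum list that md5sum -c can re-check, and notice when a single bit has changed) can be scripted so that the record-keeping is not left to memory. The following is an added shell example, not code from the book or from the tool kit; it assumes POSIX sh with GNU coreutils (dd, md5sum, od, sed). The function names, the .dd.log file it writes beside the image, and the sample input used in the usage note are this example's own choices.

```shell
# Added example (not from the book): scripted acquisition and verification.
# Assumes POSIX sh with GNU coreutils. Function names and the ".dd.log"
# convention are this example's own.
export LC_ALL=C   # keep dd's "records in/out" messages in their English form

# acquire_and_hash SOURCE IMAGE LISTFILE
#   SOURCE   a block device such as /dev/fd0, or (as in the usage note) a file
#   IMAGE    evidence image to create
#   LISTFILE md5sum list to write; keep it outside the evidence directory so a
#            later "md5sum -b *" cannot pick up the list itself
# Returns 0 when source and image hashes match, 1 when they differ, and 2 when
# dd failed or reported a read error.
acquire_and_hash() {
    src=$1; img=$2; list=$3
    # dd's record counts and any error messages go to a log kept with the image.
    # conv=noerror,sync continues past read errors and NUL-pads the bad block,
    # so in that case the image hash will no longer equal the source hash.
    dd if="$src" of="$img" bs=512 conv=notrunc,noerror,sync 2>"$img.dd.log" || return 2
    if grep -qi 'error' "$img.dd.log"; then
        return 2
    fi
    src_sum=$(md5sum -b "$src" | cut -d' ' -f1)
    img_sum=$(md5sum -b "$img" | cut -d' ' -f1)
    # Record the image hash in md5sum's own list format ("hash *path") so that
    # "md5sum -c LISTFILE" can re-check the image at any later time.
    md5sum -b "$img" > "$list"
    [ "$src_sum" = "$img_sum" ]
}

# verify_list LISTFILE: 0 if every entry still matches, nonzero otherwise.
# --status suppresses the OK/FAILED lines; the exit status is what a script tests.
verify_list() {
    md5sum -c --status "$1"
}

# dd_records_in LOGFILE: prints "N M" from dd's "N+M records in" line, where N is
# the count of whole 512-byte records and M the count of partial ones. For a
# device M must be 0; a nonzero M means the input was not a whole number of
# sectors and conv=sync padded the last block.
dd_records_in() {
    sed -n 's/^\([0-9][0-9]*\)+\([0-9][0-9]*\) records in$/\1 \2/p' "$1"
}

# flip_first_bit IMAGE: simulate the tampering described in the text by
# inverting the most significant bit of the first byte of IMAGE (in place).
flip_first_bit() {
    img=$1
    b=$(od -An -tu1 -N1 "$img" | tr -d ' \n')
    printf "\\$(printf '%03o' $((b ^ 128)))" | dd of="$img" bs=1 count=1 conv=notrunc 2>/dev/null
}
```

Usage, with a constructed 8-sector file standing in for the floppy: acquire_and_hash source.raw evidence.bin sums.txt returns 0 and dd_records_in evidence.bin.dd.log prints "8 0"; verify_list sums.txt then succeeds until flip_first_bit evidence.bin is run, after which it fails. For the real case the call would be acquire_and_hash /dev/fd0 /mnt/storage/dr_hansen_floppy.bin /root/notes/floppy.md5. A source whose length is not a multiple of 512 bytes (possible for a file, not for a device) comes back as a mismatch: conv=sync pads the final block, so dd_records_in reports a partial record and the image is longer than the source.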

 


Source: Anti-Hacker Tool Kit, Third Edition (ISBN 0072262877), 2006.