Current Issues in Digital Forensics

Date Submitted: 01/31/2014 12:11 PM

Fourteen research papers were presented during the 2011 DFRWS convention. I have decided to choose a paper entitled “An evaluation of forensic similarity hashes” written by Vassil Roussev, a faculty member of the University of New Orleans, USA. I chose this topic since hashing is one of the best methods to ensure the integrity of the data. As a future digital forensics investigator, knowing hash functions by heart is paramount.

I have learned from my previous Digital Forensic course about the basic principle of electronic evidence, that is, “original media must never be modified in any way at all possible.” In other words, the integrity of the evidence must be maintained; otherwise, such evidence will get thrown out in court. Thus, it is very important to follow a strict set of procedures to ensure a proper (i.e. admissible) extraction of any evidence that may exist on the subject computer (Forensicon, not dated).

A hash, also called a digest, is a unique string of data (Computer Security Training, not dated). It is a well-defined procedure or mathematical function for turning some kind of data into a relatively small integer. The values returned by a hash function are called hash values, hash codes, hash sums, or simply hashes (sce.uhcl.edu, not dated). Roussev (2011) described it as routinely used to validate data integrity and identify known content.

Hash values are used to identify and filter duplicate files (i.e. email, attachments, and loose files) from an ESI collection or verify that a forensic image or clone was captured successfully (PinpointLabs, December 2010).

Hashing is a very important part of a computer forensic investigation, particularly in the aspect of evidence preservation. I have learned that through hash functions, evidence can be authenticated. This way, the investigator can prove that all of the images are exactly the same.
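The two uses described above, verifying that a clone matches the source and filtering duplicate files, are shown in the following added example, which is not part of the original essay. SHA-256 is an assumed choice of algorithm, and the sample "image" and file collection are constructed in memory.

```python
import hashlib
import io
from collections import defaultdict

CHUNK = 1024 * 1024  # read 1 MiB at a time so a large image never sits fully in memory


def digest_stream(stream, algorithm="sha256"):
    """Return the hex digest of a binary stream, read in fixed-size chunks."""
    h = hashlib.new(algorithm)
    for block in iter(lambda: stream.read(CHUNK), b""):
        h.update(block)
    return h.hexdigest()


def verify_copy(original, copy):
    """Hash the source and the working copy; equal digests mean identical content."""
    source_digest = digest_stream(original)
    copy_digest = digest_stream(copy)
    return source_digest == copy_digest, source_digest, copy_digest


def group_duplicates(items):
    """Return {digest: [names]} for every digest shared by more than one item."""
    by_digest = defaultdict(list)
    for name, data in items.items():
        by_digest[digest_stream(io.BytesIO(data))].append(name)
    return {d: sorted(n) for d, n in by_digest.items() if len(n) > 1}


# Constructed sample data standing in for a disk image and a small ESI collection.
SOURCE = bytes(range(256)) * 5000      # 1,280,000 bytes, spans more than one chunk
GOOD_CLONE = bytes(SOURCE)
BAD_CLONE = bytearray(SOURCE)
BAD_CLONE[500_000] ^= 0x01             # a single flipped bit in the copy
COLLECTION = {
    "attachment.pdf": b"quarterly report",
    "attachment_copy.pdf": b"quarterly report",   # same content, different name
    "notes.txt": b"meeting notes",
}

if __name__ == "__main__":
    ok, src, dst = verify_copy(io.BytesIO(SOURCE), io.BytesIO(GOOD_CLONE))
    print("clone verified:", ok, src)
    ok, src, dst = verify_copy(io.BytesIO(SOURCE), io.BytesIO(bytes(BAD_CLONE)))
    print("altered clone verified:", ok, dst)
    print("duplicates:", group_duplicates(COLLECTION))
```

A single changed bit produces a completely different digest, which is why a matching hash recorded at acquisition time supports the claim that the working copy is identical to the original media.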

I have also learned that a hash value is also known as a digital fingerprint of the acquired media. It is...