Marsh Computer Forensics, LLC
Post Office Box 246 Chehalis WA 98532-0246
February 19, 2008
This document is intended as an introduction for private investigators and others who need to document the authenticity of computer files generated by digital cameras, voice recorders, and so on. It is assumed that the reader has a working understanding of how digital devices store information and is proficient at moving files from one device to another.
The computer forensics community has been dealing with authenticating computer files from the beginning. With any digital evidence, you need to take a cryptographic "hash," often described as the computer file equivalent of a fingerprint, at the first practical opportunity. The hashing program applies a very complex mathematical algorithm to the file and produces a fixed-length hexadecimal value peculiar to that file. You can't recover the original file from the hash value, and any change in the file by so much as one bit will generate an entirely different hash value. I suggest using the US Government's Secure Hashing Algorithm 1 (SHA-1). Message Digest 5 (MD5) is also popular, but it has been successfully attacked, so I no longer use it for authentication.
If your computer sees the file on the device (be it a camera, digital voice recorder, or what have you) when you attach it, take the hash at that time. Otherwise, take the hash as soon as you've downloaded it to your computer. Either way, document what you did and why (especially if it differs from what you normally do). Log the hash sum(s) and the file name(s) to a text file. You can then print this out and authenticate it like any other hardcopy document.
Any copy of the file will yield the same hash. Any time you copy the file, check the hash value of the copy and make sure it matches. If you modify the file in any way (this includes rotating an image from portrait to landscape, making it lighter or darker, etc.), save the new version under a different file name, log it, and include it in your report along with the original.
Here's a link to the Wikipedia article on hashing: http://en.wikipedia.org/wiki/Hash_function
There are plenty of good, free hashing programs to be had. I find Hash-on-Click from 2BrightSparks easy to use, but there are many others.
Finally, after you've obtained your hashing program, validate it on your own so you can say under oath, "I know it works as advertised because I tested it myself." The National Institute of Standards and Technology has a set of test vector files for this purpose here, http://www.nsrl.nist.gov/testdata/, in the National Software Reference Library. The hash value generated by the tool you are testing should match that published by NIST for that vector file. As always, document, document, document. Write up a report describing your testing and results for each software tool and keep it on file.
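The workflow described above (validate the hashing tool against a published test vector, hash the evidence files into a printable log, and re-check the hash of every copy) as an added Python example; it is not part of the original document or any tool the author names. The "abc" test vectors are the published FIPS 180 examples; the evidence files and their names are constructed samples. SHA-1 is used because the text recommends it, with SHA-256 also supported since SHA-1 has since been shown to be collision-prone.

```python
import hashlib
import os
import tempfile

# Published FIPS 180 test vectors: the digest of the ASCII string "abc".
KNOWN_VECTORS = {
    "sha1": ("abc", "a9993e364706816aba3e25717850c26c9cd0d89d"),
    "sha256": ("abc", "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad"),
}

def self_test(algorithm="sha1"):
    """Validate the hashing routine against a published vector before relying on it."""
    message, expected = KNOWN_VECTORS[algorithm]
    return hashlib.new(algorithm, message.encode("ascii")).hexdigest() == expected

def hash_file(path, algorithm="sha1"):
    """Hex digest of a file, read in 1 MiB chunks so large media files fit in memory."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def write_hash_log(paths, log_path, algorithm="sha1"):
    """Write 'digest  filename' lines (the sha1sum layout) to a text file for printing."""
    entries = [(hash_file(p, algorithm), os.path.basename(p)) for p in paths]
    with open(log_path, "w") as log:
        for digest, name in entries:
            log.write(f"{digest}  {name}\n")
    return entries

def verify_copy(original, copy, algorithm="sha1"):
    """A faithful copy yields the same digest; a single flipped bit does not."""
    return hash_file(original, algorithm) == hash_file(copy, algorithm)

def demo():
    """Constructed sample: an 'original' file, a faithful copy, and a one-bit edit."""
    with tempfile.TemporaryDirectory() as d:
        data = bytes(range(256)) * 64  # constructed stand-in for a camera file
        original, copy, edited = (os.path.join(d, n) for n in
                                  ("IMG_0001.JPG", "IMG_0001_copy.JPG", "IMG_0001_rotated.JPG"))
        for path, content in ((original, data), (copy, data),
                              (edited, bytes([data[0] ^ 0x01]) + data[1:])):
            with open(path, "wb") as f:
                f.write(content)
        entries = write_hash_log([original, copy], os.path.join(d, "hashes.txt"))
        return {"tool_ok": self_test(), "copy_matches": verify_copy(original, copy),
                "edited_matches": verify_copy(original, edited), "log_entries": entries}
```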
Sound like a lot of trouble? Welcome to handling digital evidence! Hope this helps.
Neil R. Marsh, CFCE
Principal WA PI #2840