IMF
2007

Testing Forensic Hash Tools on Sparse Files

Forensic hash tools are usually used to prove and protect the integrity of digital evidence: When a file is intercepted by law enforcement, a cryptographic fingerprint is taken by using a forensic hash tool. If later in a court of law the identical fingerprint can be computed from the presented evidence, the evidence is taken to be original. In this paper we demonstrate that most of the freely available forensic hash tools fail to support this conclusion at the file system level for sparse files, a particular class of files in Unix systems that contain holes. We describe an experimental setup by which existing and future hash tools can be easily tested for this border case. In conclusion, we argue that further efforts are necessary to test and validate common forensic hash tools so that the significance of their results can be better judged.
Harish Daiya, Maximillian Dornseif, Felix C. Freiling
Added 29 Oct 2010
Updated 29 Oct 2010
Type Conference
Year 2007
Where IMF
Authors Harish Daiya, Maximillian Dornseif, Felix C. Freiling