Certified Cybersecurity Technician Computer Forensics PDF Exam 212-82
Summary
This document discusses data acquisition and validation methods in computer forensics, focusing on hash values and the algorithms CRC-32, MD5, SHA-1, and SHA-256. It covers how these algorithms are used to verify data integrity and to confirm that an acquisition copied the source media completely and accurately, and how the check is performed on Windows with PowerShell's Get-FileHash cmdlet or with the built-in validation of commercial forensic tools.
Full Transcript
Certified Cybersecurity Technician Exam 212-82 Computer Forensics

Step 8: Validate Data Acquisition

An important aspect of computer forensics is the validation of digital evidence; it is essential to verify the integrity of the data. Validating data acquisition involves calculating the hash value of the target media and comparing it with the hash value of its forensic image to ensure that the data has been completely and accurately acquired. The hash value is referred to as a digital fingerprint, which represents the content of a file or disk drive. When two files have the same hash value they are considered identical, even if they have different filenames, because the hash value is computed from their actual content and not from their name or metadata. Even a one-bit modification of the content changes the hash value completely. A hash is also a one-way function: there is no key and nothing to "decrypt"; it is computationally infeasible to recover the original data from its hash, so a hash can be recorded in the case file and shared without exposing the evidence itself. Strictly, the conclusion "same hash, therefore identical" holds only when the hash function is collision-resistant. Practical collision attacks exist for MD5 and SHA-1, so SHA-256 (or stronger) should be recorded as well wherever the acquisition tool supports it.

The following hashing algorithms can be used to validate the acquired data:
- CRC-32: Cyclic redundancy check-32 is a checksum based on polynomial division. The number 32 indicates that the resulting checksum is 32 bits long. It detects accidental errors after data transmission or storage, but it is not a cryptographic hash: data with any chosen CRC-32 value can be constructed easily, so it must not be the only integrity check applied to evidence.
- MD5: This algorithm produces a 128-bit message digest (32 hexadecimal digits) from input of any length and is still widely used by forensic tools to check data integrity. Deliberate MD5 collisions can be constructed, so it should be paired with a stronger algorithm rather than relied on alone.
- SHA-1: Secure Hash Algorithm-1 is a cryptographic hash function developed by the United States National Security Agency and published as a US Federal Information Processing Standard by NIST. It produces a 160-bit (20-byte) message digest, written as a 40-digit hexadecimal number. Practical collision attacks have also been demonstrated against SHA-1.
- SHA-256: This member of the SHA-2 family produces a fixed-size 256-bit (32-byte) hash, written as 64 hexadecimal digits, and has no known practical collision attack. It is therefore the preferred choice for evidence validation and is also used in anti-tamper technologies, password validation, digital signatures, and challenge-response authentication.

Module 20 Page 2295 Certified Cybersecurity Technician Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Step 8: Validate Data Acquisition - Windows Validation Methods

- Windows computers come with the PowerShell utility, which can run cmdlets.
- The Get-FileHash cmdlet computes the hash value for an evidence file using the specified hash algorithm (SHA256 by default; MD5, SHA1, SHA384 and SHA512 can be selected with -Algorithm).
- This hash value is recorded and used throughout the investigation for validating the integrity of the evidence.

Figure 20.20: Computing hash value. The screenshot shows Get-FileHash run in an elevated Windows PowerShell session against an evidence image, with the output piped through Format-List; the recoverable output is:
  Algorithm : MD5
  Hash      : 16A4926812953067013B36E8E2C8DCDD
  Path      : D:\Forensics\Image Files\Evidence_1908.dd

- Investigators can also use commercial computer forensics programs, which have built-in validation features that can be used to validate the evidence files. For instance:
  - ProDiscover's .eve files contain metadata in segmented files or acquisition files, including the hash value of the original media.
  - When you load the image into ProDiscover, it compares the hash value of this image to the hash value of the original media.
  - If the hashes do not match, the tool reports that the image is corrupt, implying that the evidence cannot be considered reliable.

Note: In most computer forensics tools, raw format image files do not contain metadata. For raw acquisitions, therefore, a separate manual validation is recommended during analysis: record the hash of the image at acquisition time (for example in a sidecar file kept with the image) and re-hash the image before analysis, comparing the two values.
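The following is an added example, not part of the EC-Council module, showing the validation step in Python for the raw-image case described above: the image is hashed once in streaming fashion with CRC-32, MD5, SHA-1 and SHA-256, the acquisition hash is written to a sidecar file (raw .dd images carry no embedded hash), and a later re-hash is compared against it. The demo then flips a single bit in the image to show that validation fails and that the digest changes throughout, not just in one place. The filename Evidence_1908.dd is taken from Figure 20.20; the image contents, the sidecar naming convention and the tampered offset are constructed for the example.

```python
"""Validate a forensic image acquisition by hashing (added example, not EC-Council material)."""
import hashlib
import io
import tempfile
import zlib
from pathlib import Path

CHUNK_SIZE = 1 << 20  # read in 1 MiB blocks: evidence images are far larger than RAM


def hash_stream(stream, algorithms=("md5", "sha1", "sha256")):
    """Read a binary stream once and return lowercase hex digests for each
    algorithm, plus the CRC-32 checksum (an error-detection code, not a
    cryptographic hash, included only because the module lists it)."""
    digests = {name: hashlib.new(name) for name in algorithms}
    crc = 0
    while True:
        block = stream.read(CHUNK_SIZE)
        if not block:
            break
        crc = zlib.crc32(block, crc)
        for d in digests.values():
            d.update(block)
    result = {name: d.hexdigest() for name, d in digests.items()}
    result["crc32"] = f"{crc & 0xFFFFFFFF:08x}"
    return result


def hash_bytes(data, algorithms=("md5", "sha1", "sha256")):
    return hash_stream(io.BytesIO(data), algorithms)


def hash_file(path, algorithms=("md5", "sha1", "sha256")):
    with open(path, "rb") as f:
        return hash_stream(f, algorithms)


def write_sidecar(image_path, algorithm="sha256"):
    """Raw (.dd) images carry no embedded hash, so record the acquisition hash in a
    sidecar file (assumed convention: <image>.<algorithm>) using the
    sha256sum-style 'digest *filename' line format."""
    image_path = Path(image_path)
    digest = hash_file(image_path, (algorithm,))[algorithm]
    sidecar = image_path.with_name(image_path.name + "." + algorithm)
    sidecar.write_text(f"{digest} *{image_path.name}\n")
    return sidecar


def validate_image(image_path, recorded_hash, algorithm="sha256"):
    """Re-hash the image and compare it with the hash recorded at acquisition.
    The comparison is case-insensitive because tools differ in output case
    (Get-FileHash prints uppercase). Returns (match, current_digest)."""
    current = hash_file(image_path, (algorithm,))[algorithm]
    return current == recorded_hash.strip().lower(), current


def validate_against_sidecar(image_path, sidecar_path, algorithm="sha256"):
    recorded = Path(sidecar_path).read_text().split()[0]
    return validate_image(image_path, recorded, algorithm)


def differing_bits(hex_a, hex_b):
    """Number of bit positions in which two equal-length hex digests differ."""
    return bin(int(hex_a, 16) ^ int(hex_b, 16)).count("1")


def demo():
    """Acquire a constructed 16 KiB 'image', record its hash, validate it, then flip
    one bit and show that validation fails and the digest changes throughout."""
    with tempfile.TemporaryDirectory() as tmp:
        image = Path(tmp) / "Evidence_1908.dd"
        image.write_bytes(bytes(range(256)) * 64)  # constructed sample image data
        sidecar = write_sidecar(image)
        intact, original = validate_against_sidecar(image, sidecar)
        # Also accept the digest in uppercase, as Get-FileHash would display it
        upper_ok, _ = validate_image(image, original.upper())
        # Tamper: flip a single bit in the middle of the image (constructed offset)
        data = bytearray(image.read_bytes())
        data[8192] ^= 0x01
        image.write_bytes(data)
        still_valid, modified = validate_against_sidecar(image, sidecar)
        return {
            "intact": intact,
            "uppercase_accepted": upper_ok,
            "tampered_detected": not still_valid,
            "original": original,
            "modified": modified,
            "bits_changed": differing_bits(original, modified),
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Hashing the image in one streaming pass for all algorithms keeps the cost to a single read of a multi-gigabyte image, and storing the sidecar in the same one-line format that sha256sum and md5sum use means the recorded value can be re-checked on Linux with sha256sum -c as well as by this script. Flipping one bit at byte 8192 changes roughly half of the 256 bits of the SHA-256 digest, which is why an investigator comparing full digests, not a prefix, never needs to reason about where in the image a change occurred.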