Digital Forensics Importance of Hash Values

Hash Values in Digital Forensics
Introduction
Hash values denote condensed representations of digitized or binary content within digital material; however, they offer no additional information pertaining to the contents of any material interpretable by an individual. Moreover, the hash function is algorithms that convert variable-sized text quantities into hash values (which are fixed-sized outputs). Also called “cryptographic hash functions,” they facilitate the development of digital signatures, short textual condensations, and hash tables for the purpose of analysis (Fang et al., 2011; Kumar et al., 2012). In this paper, hash functions and their significance will be addressed.
Description
H (hash function) represents a transformation taking variable-sized input „m? and returning fixed-sized strings (h or hash value; i.e., h = H (m)) (Kumar et al., 2012). The hash functions possessing only the above property can be put to various broad computational uses; however, when applied to cryptography, they normally possess a few extra properties.
The fundamental prerequisites for any cryptographic hash function (H) are as follows:
· Any-length input,
· Fixed-length output,
· H(x) can be computed fairly easily for all x, and
· H(x) is 1-way and collision-free.
A one-way hash function means the function cannot be easily inverted, i.e., given any h (i.e., hash value), it is not computationally feasible to find an input x in such a way that H(x) = h. further, if, given input x, finding yx becomes computationally infeasible such that H(x) = H(y), then H represents a weakly collision-free hash function (Kumar et al., 2012; Rasjid et al., 2017). On the other hand, a strongly collision-free H is a hash function for which finding messages x & y such that H(x) = H(y) isn’t computationally feasible.
Hash values are a concise representation of the longer document or message they were calculated from; a single message digest may be considered a larger document’s \"digital fingerprint.\" Possibly the key function of cryptographic hash functions is providing digital signatures. As hash functions often work more quickly as compared to digital signature algorithms, digital signatures are typically computed to certain documents through working out the document hash value’s signature that is smaller than the actual document (Kumar et al., 2012). In addition, digests may be publicly available without having to reveal the content matter of the actual document it is taken from. This proves crucial within the context of digital time-stamping, as the application of hash functions here can facilitate document time stamping without having to reveal its content matter to the service provider.
Importance of hash function
So long as one-way hash algorithms’ target collision and one-way resistant properties aren’t cracked, hash values computed for the purpose may be applied, forensically, to the following:
1. Digital content’s integrity check
2. Effective file grouping and identification
From the point of view of forensic science, it matters not whether random collision-resistant hash algorithms’ properties are cracked or not. Using the remaining properties, one of the hash values will be provided as either hash values or digital content to compute hash values upon. Thus, other digital content has to have identical hash values. In the case of random collision-resistant, hash values aren’t offered beforehand. It suffices to develop or identify two distinct digital content pieces having identical hash values (Netherlands Forensic Institute, 2018a). The latter fails to transpire within the forensic domain, as digital content is always received or provided with computed hash values affixed to it.
Integrity Check
The chief goal of digital content integrity checks is to detect unintentional modifications in digital content copies. In addition, the integrity check is also capable of identifying certain kinds of intentional manipulations in digital content.
Altering digital information is a fairly simple task, whether accidentally or purposefully. By employing hash values, individuals may inform one another of what digital content they have worked on. Furthermore, they can ascertain whether or not they worked on the same content as a fellow user or analyst (Rasjid et al., 2017). For instance, an individual in the role of, say, digital detective, reported digital content hash value to another individual who is, say, a Biometrics and Digital analyst. The latter re-computes this copied supplied matter’s hash value (Netherlands Forensic Institute, 2018a), and the result is subsequently compared with the previously reported figure. In the event, the outcome doesn’t turn out to be precisely identical to the previous value, and it implies the file was modified somewhere in the intervening time. Hash values cannot reveal where or how the file is different from the former (original) file. However, in the event, the resultant value proves to be perfectly identical to the previous value, it is highly likely that no change has been made to the digital content since calculating the previously reported value.
File Identification and Classification
Generally, hash value application for classifying and identifying files is an effective process, as file hash values are quite small. Files these days are usually exceedingly large in size (at least some gigabytes (GBs), with 1 GB = ~ 1 billion bytes). However, the maximum hash value length that Biometrics and Digital investigators utilize at present is a mere 32 bytes (i.e., 64 characters), thus making it far quicker and simpler to compare file hash values than actual file contents. Moreover, it is far quicker and simpler to communicate file hash values as compared to files’ contents.
Further, hash values prove valuable in the identification of files. For forensic purposes, databases with known classified file hash values are employed. The above technique can be utilized, for instance, whilst identifying files with child pornographic content (Netherlands Forensic Institute, 2018a). For file identification purposes, firstly, the analyst computes the file’s hash value, followed by comparing it with the database hash values. If the database possesses that hash value, a deeper investigation is carried out to compare this file with database outcomes. In this event, the analyst looks into the category wherein this hash value is placed. A database might have hash values of child porn files along with hash values of other files with known, non-applicable content (Kaya & Eris, 2017). This technique renders it feasible and easy to identify relevant files, in addition to excluding irrelevant ones right at the start of the investigation. As it is highly unlikely that this technique will lead to the presentation of two distinct files with identical hash values, the likelihood of wrong classifications may be deemed to be negligible (nearly 0). All hash algorithms that Biometrics and Digital investigators employ are mathematically accounted for, for demonstrating the reason for zero or negligible misclassification risks.
Conclusion
Integrity verification entails checking that content or copies of the content received have incurred no defects in the course of transfer from or to Biometrics and Digital analysts, and in the course of the investigation itself. An identical check is, if possible, carried out at the time of digital content seizures. Digital forensic tools are commonly utilized for computing digital evidence’s hash values. SHA and MD5 hash functions are employed here for calculations and for verifying that datasets aren’t modified on account of the application of diverse evidence gathering and analysis procedures and tools. In addition, owing to the effect evidence has on the investigated subject’s personal life, it is imperative to verify the correct procedure and tool operation.
References
Fang, J., Jiang, Z. L., Yiu, S. M., & Hui, L. C. (2011). An efficient scheme for hard disk integrity check-in digital forensics by hashing with combinatorial group testing. International Journal of Digital Content Technology and its Applications.
Kaya, M., & Eris, M. (2017). Hash-based block matching for digital evidence image files from forensic software tools. World Academy of Science, Engineering, and Technology, International Journal of Computer, Electrical, Automation, Control and Information Engineering, 11(10), 1068-1071.
Kumar, K., Sofat, S., Jain, S. K., & Aggarwal, N. (2012). SIGNIFICANCE of hash value generation in digital forensic: A case study. International Journal of Engineering Research and Development, 2(5), 64-70.
Netherlands Forensic Institute, (2018a). Technical Supplement Forensic Use of Hash Values and Associated Hash Algorithms. Ministry of Justice and security.
Rasjid, Z. E., Soewito, B., Witjaksono, G., & Abdurachman, E. (2017). A review of collisions in cryptographic hash function used in digital forensic tools. Procedia computer science, 116, 381-392.