±Forensic Focus Partners

Become an advertising partner

±Your Account


Username
Password

Forgotten password/username?

Site Members:

New Today: 0 Overall: 35880
New Yesterday: 1 Visitors: 125

±Follow Forensic Focus

Forensic Focus Facebook PageForensic Focus on TwitterForensic Focus LinkedIn GroupForensic Focus YouTube Channel

RSS feeds: News Forums Articles

±Latest Articles

±Latest Videos

±Latest Jobs

Let's talk about MD5

Computer forensics discussion. Please ensure that your post is not better suited to one of the forums below (if it is, please post it there instead!)
Reply to topicReply to topic Printer Friendly Page
Forum FAQSearchView unanswered posts
Page 1, 2, 3, 4  Next 

Should we stop using MD5 completey?

9
23%

28
73%

1
2%

 
Total Votes: 38

  

Chris_Ed
Senior Member
 

Let's talk about MD5

Post Posted: Sep 05, 12 14:37

Good morning,

I'd like to talk about MD5.

MD5 is a large part of digital forensic life. The 3 most popular commercial imaging tools (EnCase, FTK, XWF) use MD5 by default to verify the results of the forensic imaging process. Hashsets used to identify file groups are commonly MD5 (in fact I'm not sure EnCase v6 even lets you use a different algorithm to hash individual files).

Now, it is well known that MD5 is "broken". In 2008, in fact, the "US-CERT" group specifically asked software developers to "avoid using the MD5 algorithm in any capacity" (they even put "Do not use the MD5 algorithm" in bold). It is relatively straightforward to produce an MD5 collision using tools readily available on the internet.

Does this mean we, as responsible Digital Forensicators, should throw MD5 out the window? Is it even possible, given some software reliance on it?

Personally, I'm not sure it matters. I have yet to see data manipulated in a significant way and yet still produce the same MD5 - for example, taking an image and completely altering it. Or changing a text file from reading "hey, i love that guy!" to "OH MAN I WISH I COULD MURDER HIM". Or injecting an incriminating JPEG into an E01 file and having it still verify correctly.

I'm not an arrogant person, and I'm more than happy to change my mind as long as the reasons are valid. So I ask you, FF, should we dispose of MD5 forever, or is it still a valid way of verifying file integrity?

(This post was inspired by Jon Stewart's excellent blog post, by the way - read it!)  
 
  

AlexC
Senior Member
 

Re: Let's talk about MD5

Post Posted: Sep 05, 12 15:02

Thinking outside the box for a moment - the fact that you can craft two executables with different functionality but the same MD5 is more worrying to me (and more impressive and more useful).

www.mscs.dal.ca/~selin...collision/

And even with signed code: blog.didierstevens.com...ollisions/

Hiding malicious activity in executables marked in a hash set as being benign... that's neat.  
 
  

mscotgrove
Senior Member
 

Re: Let's talk about MD5

Post Posted: Sep 05, 12 15:29

Most use of MD5 is as a digital signature to indicate that a file has not been changed. For this I would argue it is fine.

The problem is when someone very able creates files with benign MD5 values (eg to match a distributed microsoft file). This would be a very deliberate act and not a chance collision. If discovered it would raise questions very quickly.

If an investigator is looking for files based on just MD5 values then they must be aware of possible problems and should currently use SHA-1 or better. If it is just to detect corruption in a disk image, then MD5 should be fine.
_________________
Michael Cotgrove
www.cnwrecovery.com
www.goprorecovery.co.uk 
 
  

Chris_Ed
Senior Member
 

Re: Let's talk about MD5

Post Posted: Sep 05, 12 15:30

It is neat! And I can see how it compromises software which relies on md5s for security. But even then, you can't generate a "targetted" MD5 collision - in the comments he specifically mentions this.

I am asking because I have seen talk that recently, a defence attorney successfully argued that the digital evidence could not be relied upon because the md5 algorithm is compromised. My feeling is that this is wrong, in a digital forensics context - once you have acquired your data (and produced an MD5 checksum), even with what we know about MD5 collisions, you cannot significantly change this data and produce the same checksum.

However, I recognise that I may be totally wrong on this. Smile  
 
  

AlexC
Senior Member
 

Re: Let's talk about MD5

Post Posted: Sep 05, 12 16:14

- mscotgrove
Most use of MD5 is as a digital signature to indicate that a file has not been changed. For this I would argue it is fine.


I agree, I guess my question would be (call me Mr. D. Advocate): "What if during the course of your investigation you had to deal with one of the situations where the "broken-ness" of MD5 mattered, why not use a hash which isn't substantially broken in any regard anyway?"

The answer to which I suspect would run along the lines of: "All of our hash sets use MD5, so that's totally impractical"

In which case: "Well that's fair enough...we better start making SHA-2 hash sets then..."

Another interesting angle is one of storage and efficiency: SHA-512 hashes take up more space than MD5s, for particularly large hash sets this could perceivably become an issue; I also wonder if there would be a meaningful increase (or decrease) in processing time if you had to hash a well populated file system using SHA-512 vs. MD5, because, as we are all aware, time=money.  
 
  

AlexC
Senior Member
 

Re: Let's talk about MD5

Post Posted: Sep 05, 12 16:17

- Chris_Ed
I am asking because I have seen talk that recently, a defence attorney successfully argued that the digital evidence could not be relied upon because the md5 algorithm is compromised.


Reminds me of this case: www.thenewspaper.com/n...0/1033.asp

Where, of course, the defence argument is totally insane, but worked.  
 
  

Jonathan
Senior Member
 

Re: Let's talk about MD5

Post Posted: Sep 05, 12 16:36

- Chris_Ed
I have seen talk that recently, a defence attorney successfully argued that the digital evidence could not be relied upon because the md5 algorithm is compromised)


That sounds unlikely - can you provide a link to the case? If not I'm putting it down as forensic folklore! Wink

Back to the main discussion. Most examinations benefit from hashing every file in an image, and then checking them against a list of known 'irrelevant' hashes in order to disregard those files from further analysis

If there is a straightforward/automated method to alter the MD5 hashes of a group of 'illegal' files to the MD5 hashes of known 'irrelevant' files then this would fool the vast majority of forensic examiners who filter for known 'irrelevant' files. If you think that this is a reasonable possibility then do not use MD5.
_________________
Forensic Control
twitter.com/ForensicControl
St Bride Foundation, 14 Bride Lane, London, EC4Y 8EQ 
 

Page 1 of 4
Page 1, 2, 3, 4  Next