Similar articles

Abstract: Verifying the integrity of a hard disk is an important concern in computer forensics, as the law enforcement party needs to confirm that the data inside the hard disk have not been modified during the investigation. A typical approach is to compute a single chained hash value of all sectors in a specific order. However, this technique loses the integrity of all other sectors even if only one of the sectors becomes a bad sector occasionally or is modified intentionally. In this paper we propose a k-Dimensional hashing scheme, kD for short, to distribute sectors into a kD space, and to calculate multiple hash values for sectors in k dimensions as integrity evidence. Since the integrity of the sectors can be verified depending on any hash value calculated using the sectors, the probability to verify the integrity of unchanged sectors can be high even with bad/modified sectors in the hard disk. We show how to efficiently implement this kD hashing scheme such that the storage of hash values can be reduced while increasing the chance of an unaffected sector to be verified successfully. Experimental results of a 3D scheme show that both the time for computing the hash values and the storage for the hash values are reasonable.

[1]Chen, B.M., Lee, T.H., Peng, K., Venkataramanan, V., 2006. Hard Disk Drive Servo Systems. Springer, London, p.3-11.

[2]Chow, K.P., Chong, C.F., Lai, K.Y., Hui, L.C.K., Pun, K.H., Tsang, W.W., Chan, H.W., 2005. Digital Evidence Search Kit. 1st Int. Workshop on Systematic Approaches to Digital Forensic Engineering, p.187-194.

[3]Comito, C., Patarin, S., Talia, D., 2007. PARIS: a Peer-to-Peer Architecture for Large-Scale Semantic Data Integration. Proc. Databases, Information Systems, and Peer-to-Peer Computing, p.163-170.

[4]Garber, L., 2001. Computer forensics: high-tech law enforcement. IEEE Comput. Mag., 34(1):22-27.

[5]Gauravaram, P., McCullagh, A., Dawson, E., 2006. Collision Attacks on MD5 and SHA-1: Is This the ‘Sword of Damocles’ for Electronic Commerce? Auscert Asia Pacific Information Technology Security Conf.: Refereed R&D Stream, p.73-88.

[6]Harbour, N., 2002. dcfldd. Defense Computer Forensics Lab. Available from http://dcfldd.sourceforge.net

[7]Hussain, O.K., Dillon, T.S., Chang, E., Hussain, F., 2010. Transactional risk-based decision making system in e-business interactions. Int. J. Comput. Syst. Sci. Eng., 25(1):15-25.

[8]Jiang, Z.L., Hui, L.C.K., Chow, K.P., Yiu, S.M., Lai, P.K.Y., 2007. Improving Disk Sector Integrity Using 3-Dimension Hashing Scheme. Int. Workshop on Foren- sics for Future Generation Communication, p.141-145.

[9]Jiang, Z.L., Hui, L.C.K., Yiu, S.M., 2008. Improving Disk Sector Integrity Using k-Dimension Hashing. Advances in Digital Forensics IV, p.87-98.

[10]Kornblum, J., 2006. Identifying almost identical files using context triggered piecewise hashing. Dig. Invest., 3(Supplement 1):91-97.

[11]Law, F.Y.W., Lai, P.K.Y., Jiang, Z.L., Ieong, R.S.C., Kwan, M.Y.K., Chow, K.P., Hui, L.C.K., Yiu, S.M., Chong, C.F., 2008. Protecting Digital Legal Professional Privilege (LPP) Data. 3rd Int. Workshop on Systematic Approaches to Digital Forensic Engineering, p.91-101.

[12]Mead, S., 2006. Unique file identification in the National Software Reference Library. Dig. Invest., 3(3):138-150.

[13]Merkle, R.C., 1989. A Certified Digital Signature. Advances in Cryptology, p.218-238.

[14]NIST (National Institute of Standards and Technology), 2004. National Software Reference Library (NSRL). Available from http://www.nsrl.nist.gov

[15]Schroeder, B., Gibson, G.A., 2007. Disk Failures in the Real World: What Does an MTTF of 1 000 000 Hours Mean to You? 5th USENIX Conf. on File and Storage Technologies, p.1.

[16]Wang, M., Li, L., Yiu, S.M., Hui, L.C.K., Chong, C.F., Chow, K.P., Tsang, W.W., Chan, H.W., Pun, K.H., 2007. A Hybrid Approach for Authenticating MPEG-2 Streaming Data. Int. Conf. on Multimedia Content Analysis and Mining, p.203-212.