Sunday, December 23, 2018

The malware did it, I swear!

A couple of months back, someone posted on the Forensic Focus forums raising the possibility that a hacker or malware was responsible for some child abuse images found on a relative's computer.  I responded at some length, but I also wanted to post here to lay out some of my thoughts on this defense.  For some background, please see Chad Steel's excellent article.  The defense seems to have been mostly unsuccessful, but it is raised occasionally and appears to have been successful in a couple of early cases.  I hope here to point out some reasons why the defense should be avoided (absent clear evidence that it actually happened) and to give some ideas for refuting it.

As laid out in Steel's article, the defense is based primarily on the fact that it is technically possible that a hacker could plant contraband images, or that some malware could distribute them.  And it is technically possible.  It's also wildly improbable. Here are the issues:

Wednesday, December 19, 2018

MD5 should not be used in forensics (or anywhere else)

A few days ago, I drafted (but had not yet published) a post about using MD5 for validating or authenticating evidence in digital forensics.  MD5 has had security problems for twenty years, but it is still used in forensics, although the trend has been toward SHA-1 (which has some problems of its own) and SHA-2.

After drafting the post, I discovered that the Scientific Working Group on Digital Evidence has released a draft endorsing the use of MD5 and SHA-1.  I wrote in to share my concerns, but I also reached out to some cryptographers via Twitter.  Dr. Marc Stevens, a cryptographer known for his expertise in attacking MD5 and other hash functions, released a series of tweets that was even more critical of MD5 than I anticipated and that was incredibly damning for any forensic expert who continues to rely on MD5.

Understanding Scope in Go

As per my New Year's resolution, I've been learning to program in Go and reading The Go Programming Language.  On page 141 of the...