k-Dimensional hashing scheme for hard disk integrity verification in computer forensics

Verifying the integrity of a hard disk is an important concern in computer forensics, as the law enforcement party needs to confirm that the data inside the hard disk have not been modified during the investigation. A typical approach is to compute a single chained hash value of all sectors in a specific order. However, this technique loses the integrity of all other sectors even if only one of the sectors becomes a bad sector occasionally or is modified intentionally. In this paper we propose a k-dimensional hashing scheme, kD for short, to distribute sectors into a kD space, and to calculate multiple hash values for sectors in k dimensions as integrity evidence. Since the integrity of the sectors can be verified depending on any hash value calculated using the sectors, the probability to verify the integrity of unchanged sectors can be high even with bad/modified sectors in the hard disk. We show how to efficiently implement this kD hashing scheme such that the storage of hash values can be reduced while increasing the chance of an unaffected sector to be verified successfully. Experimental results of a 3D scheme show that both the time for computing the hash values and the storage for the hash values are reasonable.

[1]  Jesse D. Kornblum Identifying almost identical files using context triggered piecewise hashing , 2006, Digit. Investig..

[2]  Lee Garber,et al.  Computer Forensics: High-Tech Law Enforcement , 2001, Computer.

[3]  Ralph C. Merkle,et al.  A Certified Digital Signature , 1989, CRYPTO.

[4]  C. F. Chong,et al.  Digital evidence search kit , 2005, First International Workshop on Systematic Approaches to Digital Forensic Engineering (SADFE'05).

[5]  Tong Heng Lee,et al.  Hard Disk Drive Servo Systems , 2002 .

[6]  Zoe L. Jiang,et al.  Improving Disk Sector Integrity Using 3-dimension Hashing Scheme , 2007, Future Generation Communication and Networking (FGCN 2007).

[7]  Zoe L. Jiang,et al.  Protecting Digital Legal Professional Privilege (LPP) Data , 2008, 2008 Third International Workshop on Systematic Approaches to Digital Forensic Engineering.

[8]  Siu-Ming Yiu,et al.  A Hybrid Approach for Authenticating MPEG-2 Streaming Data , 2007, MCAM.

[9]  Steve Mead,et al.  Unique file identification in the National Software Reference Library , 2006, Digit. Investig..

[10]  Tharam S. Dillon,et al.  Transactional risk-based decision making system in e-business interactions , 2010, Comput. Syst. Sci. Eng..

[11]  Bianca Schroeder,et al.  Disk Failures in the Real World: What Does an MTTF of 1, 000, 000 Hours Mean to You? , 2007, FAST.

[12]  Domenico Talia,et al.  PARIS: A Peer-to-Peer Architecture for Large-Scale Semantic Data Integration , 2005, DBISP2P.

[13]  Zoe L. Jiang,et al.  Improving Disk Sector Integrity Using K-Dimension Hashing , 2008, IFIP Int. Conf. Digital Forensics.