Uncovering Limitations of E01 Self-Verifying Files

Teaching good practice in computer forensics is important for understanding the correct operation and limitations of computer forensic hardware and software. One task is to demonstrate the self-verification feature of evidence file formats such as the EnCase E01 file format, which contains an image of the acquired data. The E01 file contains the data plus extra data in the form of hash values and Cyclic Redundancy Check (CRC) values, which computer forensic software uses to check that the data contained within the file has not been tampered with. Students are taught how to carry out this task and verify the file by making a change to the generated file and observing mismatches between the hash and CRC values generated when the data was copied and those generated when the file is loaded into computer forensic software. Whilst creating teaching materials for students to carry out this task, an anomaly was identified in one of the forensic file formats, the E01 format, which is commonly used by practitioners. The anomaly allows changes to be made to certain bytes within the file that are not detected by computer forensic software when the file is verified against the associated hash and CRC values. This paper describes the anomaly in the file format, discusses the implications for relying on the self-verification feature of the E01 file format, and concludes with methods to make any change to the file contents detectable.
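The gap described above, as an added example that is not from the paper: a constructed toy container (not the E01 layout; the page does not say which E01 bytes are affected) whose embedded CRC-32 and MD5 values cover only the acquired data, so a change to its uncovered reserved bytes still passes self-verification. Recording a SHA-256 of the whole container at acquisition time is an assumed countermeasure here, not necessarily the method the paper concludes with.

```python
import hashlib
import struct
import zlib

MAGIC = b"TOYIMG01"   # constructed signature, not a real forensic format
RESERVED = 16         # header bytes that no embedded checksum covers

def build(data: bytes, chunk: int = 64) -> bytes:
    """Wrap data as: magic | reserved | length | (len, crc32, block)* | md5(data)."""
    out = bytearray(MAGIC + bytes(RESERVED) + struct.pack("<I", len(data)))
    for i in range(0, len(data), chunk):
        block = data[i:i + chunk]
        out += struct.pack("<HI", len(block), zlib.crc32(block)) + block
    return bytes(out + hashlib.md5(data).digest())

def self_verify(blob: bytes) -> bool:
    """Check only what the container's embedded values cover: the data blocks."""
    try:
        if blob[:8] != MAGIC:
            return False
        pos = 8 + RESERVED
        (total,) = struct.unpack_from("<I", blob, pos)
        pos += 4
        data = bytearray()
        while len(data) < total:
            n, crc = struct.unpack_from("<HI", blob, pos)
            block = blob[pos + 6:pos + 6 + n]
            if n == 0 or len(block) != n or zlib.crc32(block) != crc:
                return False
            data += block
            pos += 6 + n
        return hashlib.md5(data).digest() == blob[pos:pos + 16]
    except struct.error:  # truncated container
        return False

def container_digest(blob: bytes) -> str:
    """Hash of every byte of the container, recorded outside the file."""
    return hashlib.sha256(blob).hexdigest()

def flip(blob: bytes, offset: int) -> bytes:
    """Return a copy of blob with one byte changed at offset."""
    changed = bytearray(blob)
    changed[offset] ^= 0xFF
    return bytes(changed)

if __name__ == "__main__":
    original = build(bytes(range(200)))       # constructed sample data
    in_data, in_reserved = flip(original, 40), flip(original, 10)
    print("data change passes self-verify:    ", self_verify(in_data))
    print("reserved change passes self-verify:", self_verify(in_reserved))
    print("whole-file hash still matches:     ",
          container_digest(in_reserved) == container_digest(original))
```

The recorded digest has to be kept separately from the container, for example in the acquisition notes, since a value stored inside the file can be changed along with it.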
