A recent case involved a 320 Gigabyte evidence hard drive holding 145.1 Gigabytes of stored data in 127,946 files. This quantity of files appears to be typical of cases encountered in a normal forensic exam, and is far less than the 2^128 possible hash values available with the MD5 hash algorithm. While this was a single computer, even a case involving a network of 100 similar computers would result in approximately 12.8 million files, still far fewer than the MD5 universe allows.
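The gap between these file counts and the hash space can be quantified with the birthday bound. The Python below is an added example, not part of the original article; it assumes digests behave as uniformly random values, which holds only for files that have not been manipulated to collide, and its function names are illustrative.

```python
import math

# File counts come from the article; digest sizes are the standard output
# lengths of MD5 (128 bits) and SHA-1 (160 bits).
FILES_SINGLE_DRIVE = 127_946
FILES_NETWORK = 100 * FILES_SINGLE_DRIVE  # roughly 12.8 million files
DIGEST_BITS = {"MD5": 128, "SHA-1": 160}


def accidental_collision_probability(n_files: int, bits: int) -> float:
    """Birthday bound: chance that any two of n random digests match.

    p = 1 - exp(-n(n-1) / 2^(bits+1)); expm1 keeps precision for tiny p.
    Assumption: digests are uniformly random (no crafted collisions).
    """
    pairs = n_files * (n_files - 1) // 2   # exact number of file pairs
    return -math.expm1(-(pairs / (1 << bits)))


def files_for_probability(p: float, bits: int) -> int:
    """Approximate file count at which the collision chance reaches p."""
    return math.isqrt(int(-2 * math.log1p(-p) * (1 << bits)))


def report():
    """Rows of (algorithm, scenario, file count, collision probability)."""
    scenarios = {"single drive": FILES_SINGLE_DRIVE,
                 "100-computer network": FILES_NETWORK}
    return [(alg, name, n, accidental_collision_probability(n, bits))
            for alg, bits in DIGEST_BITS.items()
            for name, n in scenarios.items()]


if __name__ == "__main__":
    for alg, name, n, p in report():
        print(f"{alg:6} {name:22} {n:>12,} files  p = {p:.3e}")
    for alg, bits in DIGEST_BITS.items():
        n_half = files_for_probability(0.5, bits)
        print(f"{alg:6} files needed for a 50% chance: {n_half:.3e}")
```

The result covers accidental matches only. Files deliberately constructed to collide, as in the resources listed below, fall outside this model.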
There is a great analogy, which I heard recently, that puts these numbers into an understandable perspective. For use in file identification and authentication, there is a greater probability that a single individual from a twelve-member jury will win the Power Ball Lottery sixty days in a row than of an accidental occurrence of two matching MD5 hash values from files that have not been manipulated to collide. Based on the research and the use of sound practices, it appears that the MD5 and SHA-1 hash algorithms both have a long useful life in Digital and Multimedia Forensics.
Resources
- Xiaoyun Wang and Hongbo Yu. http://www.infosec.sdu.edu.cn/uploadfile/papers/How to Break MD5 and Other Hash Functions.pdf
- Lenstra, Wang, and de Weger. http://www.win.tue.nl/%7Ebdeweger/CollidingCertificates/
- Stevens, Lenstra, and de Weger. http://www.win.tue.nl/hashclash/SoftIntCodeSign/
- MD5 Collision Demo. http://www.mathstat.dal.ca/~selinger/md5collision/
- Steve Mead. Unique File Identification in the National Software Reference Library. http://www.nsrl.nist.gov/Documents/analysis/draft-060530.pdf
- SHA-1 Collision Search Graz. http://boinc.iaik.tugraz.at/
- Current Statistics. http://www.allprojectstats.com/po.php?projekt=44
- MD5 Algorithm Visually. http://en.wikipedia.org/wiki/Image:MD5.svg
Don L. Lewis is a Forensic Computer Analyst with the Lakewood, CO Police Department. Don began his Law Enforcement career in 1979 as a Crime Scene Photographer and Photo Lab Technician. Don has been with the Lakewood PD for 19 years, the last six in computer forensics. Don provides consultation to individuals in law enforcement on the local and national level, and trains personnel in conventional and digital imaging, analysis techniques, and procedures. Don is currently the Vice Chairman for the Scientific Working Group for Digital Evidence (SWGDE). Don may be reached at dlewis@lakewoodco.org.
