Abstract
Verifying the integrity of a hard disk is an important concern in computer forensics, as the law enforcement party needs to confirm that the data inside the hard disk have not been modified during the investigation. A typical approach is to compute a single chained hash value of all sectors in a specific order. However, this technique loses the integrity of all other sectors even if only one of the sectors becomes a bad sector occasionally or is modified intentionally. In this paper we propose a k-dimensional hashing scheme, kD for short, to distribute sectors into a kD space, and to calculate multiple hash values for sectors in k dimensions as integrity evidence. Since the integrity of the sectors can be verified depending on any hash value calculated using the sectors, the probability to verify the integrity of unchanged sectors can be high even with bad/modified sectors in the hard disk. We show how to efficiently implement this kD hashing scheme such that the storage of hash values can be reduced while increasing the chance of an unaffected sector to be verified successfully. Experimental results of a 3D scheme show that both the time for computing the hash values and the storage for the hash values are reasonable.
Similar content being viewed by others
References
Chen, B.M., Lee, T.H., Peng, K., Venkataramanan, V., 2006. Hard Disk Drive Servo Systems. Springer, London, p.3–11.
Chow, K.P., Chong, C.F., Lai, K.Y., Hui, L.C.K., Pun, K.H., Tsang, W.W., Chan, H.W., 2005. Digital Evidence Search Kit. 1st Int. Workshop on Systematic Approaches to Digital Forensic Engineering, p.187–194. [doi:10.1109/SADFE.2005.10]
Comito, C., Patarin, S., Talia, D., 2007. PARIS: a Peer-to-Peer Architecture for Large-Scale Semantic Data Integration. Proc. Databases, Information Systems, and Peer-to-Peer Computing, p.163–170. [doi:10.1007/978-3-540-71661-7_15]
Garber, L., 2001. Computer forensics: high-tech law enforcement. IEEE Comput. Mag., 34(1):22–27. [doi:10. 1109/MC.2001.10008]
Gauravaram, P., McCullagh, A., Dawson, E., 2006. Collision Attacks on MD5 and SHA-1: Is This the ’sword of Damocles’ for Electronic Commerce? Auscert Asia Pacific Information Technology Security Conf.: Refereed R&D Stream, p.73–88.
Harbour, N., 2002. dcfldd. Defense Computer Forensics Lab. Available from http://dcfldd.sourceforge.net
Hussain, O.K., Dillon, T.S., Chang, E., Hussain, F., 2010. Transactional risk-based decision making system in ebusiness interactions. Int. J. Comput. Syst. Sci. Eng., 25(1):15–25.
Jiang, Z.L., Hui, L.C.K., Chow, K.P., Yiu, S.M., Lai, P.K.Y., 2007. Improving Disk Sector Integrity Using — Dimension Hashing Scheme. Int. Workshop on Forensics for Future Generation Communication, p.141–145.
Jiang, Z.L., Hui, L.C.K., Yiu, S.M., 2008. Improving Disk Sector Integrity Using k-Dimension Hashing. Advances in Digital Forensics IV, p.87–98. [doi:10.1007/978-0-387-84927-0_8]
Kornblum, J., 2006. Identifying almost identical files using context triggered piecewise hashing. Dig. Invest., 3(Supplement 1):91–97. [doi:10.1016/j.diin.2006.06.015]
Law, F.Y.W., Lai, P.K.Y., Jiang, Z.L., Ieong, R.S.C., Kwan, M.Y.K., Chow, K.P., Hui, L.C.K., Yiu, S.M., Chong, C.F., 2008. Protecting Digital Legal Professional Privilege (LPP) Data. 3rd Int. Workshop on Systematic Approaches to Digital Forensic Engineering, p.91–101. [doi:10.1109/SADFE.2008.19]
Mead, S., 2006. Unique file identification in the National Software Reference Library. Dig. Invest., 3(3):138–150. [doi:10.1016/j.diin.2006.08.010]
Merkle, R.C., 1989. A Certified Digital Signature. Advances in Cryptology, p.218–238.
NIST (National Institute of Standards and Technology), 2004. National Software Reference Library (NSRL). Available from http://www.nsrl.nist.gov
Schroeder, B., Gibson, G.A., 2007. Disk Failures in the Real World: What Does an MTTF of 1 000 000 Hours Mean to You? 5th USENIX Conf. on File and Storage Technologies, p.1.
Wang, M., Li, L., Yiu, S.M., Hui, L.C.K., Chong, C.F., Chow, K.P., Tsang, W.W., Chan, H.W., Pun, K.H., 2007. A Hybrid Approach for Authenticating MPEG-2 Streaming Data. Int. Conf. on Multimedia Content Analysis and Mining, p.203–212. [doi:10.1007/978-3-540-73417-8_27]
Author information
Authors and Affiliations
Corresponding author
Additional information
The two authors contributed equally to this work
Project supported by the Research Grants Council of Hong Kong SAR, China (No. RGC GRF HKU 713009E), the NSFC/RGC Joint Research Scheme (No. N_HKU 722/09), and HKU Seed Fundings for Basic Research (Nos. 200811159155 and 200911159149)
Rights and permissions
About this article
Cite this article
Jiang, Z.L., Fang, Jb., Hui, L.C.K. et al. k-Dimensional hashing scheme for hard disk integrity verification in computer forensics. J. Zhejiang Univ. - Sci. C 12, 809–818 (2011). https://doi.org/10.1631/jzus.C1000425
Received:
Accepted:
Published:
Issue Date:
DOI: https://doi.org/10.1631/jzus.C1000425