COMPUTER CRIME & DIGITAL

FORENSIC
CHAPTER FIVE: HASHING

INSTRUCTOR : SAMUEL TAMIRAT

PhD candidate
MAIN POINT

• Hashing
• Hash Function
• Hashing Guideline
• Salting and Peppering
• Hashing characteristics
• Common Hashing algorithms
 HASHING

• Hashing is the process of transforming any given key or a string

of characters into another value.
• This is usually represented by a shorter, fixed-length value or key
that represents and makes it easier to find or employ the original
string.
• The most popular use for hashing is the implementation of hash
tables.
• A hash table stores key and value pairs in a list that is accessible
through its index. Because key and value pairs are unlimited, the
hash function will map the keys to the table size. A hash value then
becomes the index for a specific element.
HASH FUNCTION

• A hash function generates new values according to a

mathematical hashing algorithm known as a hash value
or simply a hash.
• To prevent the conversion of hash back into the
original key, a good hash always uses a one-way hashing
algorithm.
• Hashing is relevant to but not limited to data indexing
and retrieval, digital signatures, cybersecurity and
cryptography.
HASHING GUIDELINE

• Hash function should be able to hash in mass with a reasonable limit to prevent
exploitation.
• Hash digest must be dependent on each bit. This will help In creating as many unique
hashes as possible.
• Prevent hash collision. (Collison occurs when there are two exactly same hash
values/digests.
• Salting & Peppering can help prevent collisions.
SALTING
PEPPERING
HASHING CHARACTERISTICS

• Fixed Output Size:

• Regardless of the input size, a hash function produces a fixed-size output. For example, the
SHA-256 algorithm generates a 256-bit hash value.
• Deterministic:
• The same input will always produce the same hash output. This deterministic nature is
essential for consistency and verification purposes.
• Quick Computation:
• Hash functions are designed to be computationally efficient. They should produce the hash
value quickly, even for large inputs.
HASHING CHARACTERISTICS (CONT.…)

• Avalanche Effect:
• A small change in the input should result in a significantly different hash value. This property
ensures that similar inputs do not produce similar hash codes.
• Pre-image Resistance:
• It should be computationally infeasible to reverse the hash function and obtain the original
input from its hash value.
• Collision Resistance:
• Collisions occur when two different inputs produce the same hash value. A good hash
function minimizes the likelihood of collisions.
COMMON HASHING ALGORITHMS

• MD5 (Message Digest Algorithm 5):

• MD5 produces a 128-bit hash value. However, due to vulnerabilities, it is no longer considered secure for cryptographic
purposes.

• SHA-1 (Secure Hash Algorithm 1):

• SHA-1 produces a 160-bit hash value. Like MD5, SHA-1 is considered insecure due to vulnerabilities, and its use is deprecated.

• SHA-256, SHA-384, SHA-512:

• Part of the SHA-2 family, these algorithms produce hash values of 256, 384, and 512 bits, respectively. They are widely used for
cryptographic purposes.

• bcrypt:
• bcrypt is a key derivation function designed for securely hashing passwords. It includes a cost factor that adjusts the
computational effort required, making it resistant to brute-force attacks.

• Argon2:
• Argon2 is a password hashing algorithm that won the Password Hashing Competition in 2015. It is designed to be memory-hard
and resistant to GPU and ASIC attacks.
HASHING APPLICATION

• Data Integrity:
• Hashing is used to verify the integrity of data during transmission. If the hash value of the received data matches the
expected hash value, the data is likely intact.

• Password Storage:
• Hash functions are employed to securely store passwords. Instead of storing plaintext passwords, systems store the
hash values. During authentication, the entered password's hash is compared with the stored hash.

• Digital Signatures:
• Hashing is used in digital signatures to create a fixed-size representation of a message that is then encrypted with the
sender's private key. The recipient can verify the signature using the sender's public key.

• Blockchain Technology:
• Blockchain relies heavily on hashing for creating secure and tamper-resistant links between blocks. Each block contains a
hash of the previous block, forming a chain.
HASHING FOR DIGITAL FORENSIC

• File hashing is the act of attempting to uniquely identify a file.

• Different hash algorithms can be used for this purpose, but some are weaker than others and are
more likely to have collisions. Some common algorithms are provided.

• Once a file has been hashed, it can be compared with other file hashes.
• A common technique in incident response is to search for a file’s hash value on Google and
determine if the file’s been seen before, and if so what its purpose is.
HASHING FOR DIGITAL FORENSIC
(CONT.…)
• Another technique used in contraband cases is to match a file’s hash value with that of
known contraband images to determine if the file had been seen before.
• In the case of trying to determine if a file is child sexually abusive material, identifying a
file by hash value can help law enforcement prove the images are of a known victim.
• File hashing can also be used to whitelist files based on their signature.
• The white listing process can result in data reduction in a case by removing legitimate
files from a timeline. Doing so runs the risk of removing data from the analyst’s view
because attackers may use legitimate Windows file stopper form their tasks.
SHA1,MD5 HASHING ALGORITHMS