Difference between pages "Hashing" and "Global Positioning System"

From ForensicsWiki
(Difference between pages)
(added Hashkeeper reference, Sun fingerprints, commented Online NSRL downtime)
 
(External Links)
 
Line 1: Line 1:
'''Hashing''' is a method for reducing large inputs to a smaller fixed size output. When doing forensics, typically cryptographic hashing algorithms like [[MD5]] and [[SHA-1]] are used. These functions have a few properties useful to forensics. Other types of hashing, such as [[Context Triggered Piecewise Hashing]] can also be used.
+
The '''Global Positioning System''' ('''GPS''') is a satellite navigation system.
  
== Tools ==
+
== Forensics ==
There are literally hundreds of hashing programs out there, but a few related to forensics are:
+
  
* [[md5sum]] - Part of the [[GNU]] coreutils suite, this program is standard on many computers.
+
There are several places where GPS information can found. It can be very useful for forensic investigations in certain situations. GPS devices have expanded their capabilites and features as the technology has improved. Some of the most popular GPS devices today are made by [http://www.TomTom.com TomTom]. Some of the other GPS manufacturors include [http://www.garmin.com Garmin] and [http://www.magellangps.com Magellan].
* [[md5deep]] - Computes hashes, recursively if desired, and can compare the results to known values.
+
* [[ssdeep]] - Computes and matches [[Context Triggered Piecewise Hashes]].
+
  
==Hash Databases==
+
[http://www.cortextech.com/tomtom910.jpg Picture of TomTom910]
; [[National Software Reference Library ]]
+
: The largest hash database.
+
; [[Hashkeeper]]
+
: National Drug Intelligence Center
+
; http://sunsolve.sun.com/fileFingerprints.do
+
: Solaris Fingerprint Database lookup for files distributed by Sun Microsystems
+
  
==Online NSRL Lookup==
+
TomTom provides a wide range of devices for biking, hiking, and car navigation. Depending on the capabilities of the model, several different types of digital evidence can be located on these devices. For instance, the [http://www.tomtom.com/products/product.php?ID=212&Category=0&Lid=1 TomTom 910] is basically a 20GB external harddrive. This model can be docked with a personal computer via a USB cable or through the use of Bluetooth technology. The listed features include the ability to store pictures, play MP3 music files, and connect to certain cell phones via bluetooth technology. Data commonly found on cell phones could easily be found on the TomTom910. Via the Bluetooth, the TomTom can transfer the entire contact list from your phone. The GPS unit also records your call logs and SMS messages. Research needs to be done to see if the TomTom stores actual trips conducted with the unit. This would include routes, times, and travel speeds.  
; http://ionrift.ath.cx/nsrl/
+
: Allows searching of NSRL 2.17 by MD5 or SHA1. Reportedly the dataset contains 43,103,492 files.
+
: (Infrequently available, and likely only when the site owner (Jason Spashett) needs to use it himself.)
+
  
==MD5 Reverse Hash Services==
+
The TomTom unit connects to a computer via a USB base station. An examiner should be able to acquire the image of the harddrive through a USB write blocker. If not, it may be necessary to remove the hard drive from the unit.  
There are several online services that allow you to enter a hash code and find out what the preimage might have been. One way to find these services is to google for 'd41d8cd98f00b204e9800998ecf8427e' (the MD5 of the null string).
+
  
Here are some services that we have been able to find:
+
=== Digital Camera Images with GPS Information ===
  
; http://nz.md5.crysm.net/
+
Some recent digital cameras have built-in GPS receivers (or external modules you can connect to the camera). This makes it possible for the camera to record where extactly a photo was taken. This positioning information (latitude, longitude) can be stored in the [[Exif]] [[metadata]] header of [[JPEG]] files. Tools such as [[jhead]] can display the GPS information in the [[Exif]] headers.
: MD5 reverse lookup, operated by  Stephen D Cope. As of December 2007 this database had 28 million MD5 hashes. The author states that the database is divided into 256 MySQL tables to make the problem more tractable. The database claims to include every two, three, and four digit combination, all dictionary words, and a pile of user-submitted data. But the author also states that they are attempting to calculate and index all possible MD5 indexes. Of course, this is an impossibility.
+
  
; http://us.md5.crysm.net/
+
=== Cell Phones with GPS ===
: Similar to the NZ server, but with only 16 million MD5 hashes.
+
  
; http://md5.benramsey.com
+
Some recent cell phones (e.g. a [http://wiki.openezx.org Motorola EZX phone] such as the Motorola A780) have a built-in GPS receiver and navigation software. This software might record the paths travelled (and the date/time), which can be very useful in forensic investigations.
: A nice forward and reverse demonstration system, with an XML and AJAX interface.
+
  
; http://www.hashcrack.com/
+
== External Links ==
: Reverse hash lookup of MD5, SHA1, MySQL, NTLM, and Lanman hashes. Claims 75 million hashes of 13.2 million unique words.
+
  
; http://gdataonline.com/seekhash.php
+
* [http://en.wikipedia.org/wiki/Global_Positioning_System Wikipedia: GPS]
: MD5 reverse lookup with approximately 1 million entries.
+
  
; http://hash.insidepro.com/
 
: Hash database from InsidePro (MD5, NTLM).
 
  
; http://www.xmd5.cn/index_en.htm
+
* [www.digivence.com TomTom Forensic Analyser]
; http://www.xmd5.org/index_en.htm
+
: This site is another simple MD5 reverse lookup. It claims a database with "billions" of entries. Mostly for password cracking. (Who uses straight MD5s for passwords?)
+
 
+
Others:
+
; http://www.md5this.com/
+
; http://www.csthis.com/md5/
+
; http://md5.rednoize.com/
+
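Review bot: In the added External Links section, "[www.digivence.com TomTom Forensic Analyser]" has no URL scheme, so MediaWiki will not treat it as an external link and will show the bracketed text literally; give it an explicit scheme, the way the Wikipedia link just above it is written. The added text also carries typos worth fixing in the same edit: "can found", "capabilites" and "manufacturors" in the Forensics paragraph, and "extactly" in the digital camera paragraph.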

Revision as of 09:25, 17 October 2007

The Global Positioning System (GPS) is a satellite navigation system.

Forensics

There are several places where GPS information can be found. It can be very useful for forensic investigations in certain situations. GPS devices have expanded their capabilities and features as the technology has improved. Some of the most popular GPS devices today are made by TomTom. Other GPS manufacturers include Garmin and Magellan.

Picture of TomTom910

TomTom provides a wide range of devices for biking, hiking, and car navigation. Depending on the capabilities of the model, several different types of digital evidence can be located on these devices. For instance, the TomTom 910 is basically a 20GB external hard drive. This model can be docked with a personal computer via a USB cable or connected over Bluetooth. The listed features include the ability to store pictures, play MP3 music files, and connect to certain cell phones via Bluetooth. Data commonly found on cell phones could easily be found on the TomTom 910. Over Bluetooth, the TomTom can transfer the entire contact list from your phone. The GPS unit also records your call logs and SMS messages. Research needs to be done to see if the TomTom stores actual trips conducted with the unit. This would include routes, times, and travel speeds.

The TomTom unit connects to a computer via a USB base station. An examiner should be able to acquire an image of the hard drive through a USB write blocker. If not, it may be necessary to remove the hard drive from the unit.

Digital Camera Images with GPS Information

Some recent digital cameras have built-in GPS receivers (or external modules you can connect to the camera). This makes it possible for the camera to record exactly where a photo was taken. This positioning information (latitude, longitude) can be stored in the Exif metadata header of JPEG files. Tools such as jhead can display the GPS information in the Exif headers.
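To show where that position sits inside the file, here is an added example (not part of the ForensicsWiki page and not jhead's code) that walks a JPEG's APP1 Exif segment to the GPS IFD and converts the stored degree/minute/second rationals to decimal degrees. The function names and the sample image are constructed for illustration; malformed or truncated metadata yields None rather than an exception.

```python
import struct

def _ifd(tiff, e, off):
    """Map tag -> (type, count, raw 4-byte value/offset field) for the IFD at off."""
    (n,) = struct.unpack(e + "H", tiff[off:off + 2])
    rows = (tiff[off + 2 + 12 * i:off + 14 + 12 * i] for i in range(n))
    return {t: (typ, cnt, r[8:]) for r in rows for t, typ, cnt in [struct.unpack(e + "HHI", r[:8])]}

def _gps_from_tiff(tiff):
    e = {b"II": "<", b"MM": ">"}[tiff[:2]]            # TIFF byte-order mark
    ifd0 = _ifd(tiff, e, struct.unpack(e + "I", tiff[4:8])[0])
    gps = _ifd(tiff, e, struct.unpack(e + "I", ifd0[0x8825][2])[0])  # GPSInfo IFD pointer
    def degrees(tag, ref_tag):
        typ, cnt, val = gps[tag]
        if (typ, cnt) != (5, 3):                      # expect three RATIONALs: deg, min, sec
            raise KeyError(tag)
        n = struct.unpack(e + "6I", tiff[struct.unpack(e + "I", val)[0]:][:24])
        d, m, s = (n[i] / n[i + 1] for i in (0, 2, 4))
        return (-1 if gps[ref_tag][2][:1] in (b"S", b"W") else 1) * (d + m / 60 + s / 3600)
    return degrees(2, 1), degrees(4, 3)               # GPSLatitude/Ref, GPSLongitude/Ref

def exif_gps(jpeg):
    """Return (lat, lon) in decimal degrees from a JPEG's Exif GPS tags, else None."""
    pos = 2                                           # skip SOI (FF D8)
    try:
        while jpeg[pos] == 0xFF and jpeg[pos + 1] != 0xDA:   # stop at start of scan
            size = struct.unpack(">H", jpeg[pos + 2:pos + 4])[0]
            seg = jpeg[pos + 4:pos + 2 + size]
            if jpeg[pos + 1] == 0xE1 and seg[:6] == b"Exif\0\0":
                return _gps_from_tiff(seg[6:])
            pos += 2 + size
    except (IndexError, KeyError, struct.error, ZeroDivisionError):
        pass                                          # truncated or malformed metadata
    return None

def sample_jpeg():
    """Constructed sample: bare JPEG with only Exif GPS, 40d26m46s N, 79d58m56s W."""
    u32 = lambda v: struct.pack("<I", v)
    ent = lambda tag, typ, cnt, val: struct.pack("<HHI", tag, typ, cnt) + val
    tiff = (b"II*\0" + u32(8) + b"\x01\0" + ent(0x8825, 4, 1, u32(26)) + u32(0)
            + b"\x04\0" + ent(1, 2, 2, b"N\0\0\0") + ent(2, 5, 3, u32(80))
            + ent(3, 2, 2, b"W\0\0\0") + ent(4, 5, 3, u32(104)) + u32(0)
            + struct.pack("<6I", 40, 1, 26, 1, 46, 1) + struct.pack("<6I", 79, 1, 58, 1, 56, 1))
    app1 = b"Exif\0\0" + tiff
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1 + b"\xff\xd9"

if __name__ == "__main__":
    print(exif_gps(sample_jpeg()))
```

Run it against a working copy of the evidence image, never the original, and compare the result with what jhead reports for the same file.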

Cell Phones with GPS

Some recent cell phones (e.g. a Motorola EZX phone such as the Motorola A780) have a built-in GPS receiver and navigation software. This software might record the paths travelled (and the date/time), which can be very useful in forensic investigations.

External Links


  • TomTom Forensic Analyser (www.digivence.com)