Page 17 - Ohio Vol 4 No 6

MICHAEL ZINN | E-Discovery
When Electronically Stored Information Cannot be Self-Authenticated
E-discovery is all about the collection of electronically stored information (ESI) as part of the discovery process. The volume of ESI that exists in today’s world is enormous. Because of the volume of ESI and how easily ESI can be modified, it is important that there be a way to copy ESI in a way that we can prove the original ESI and the copy of the ESI are unchanged. This is where forensic imaging becomes critical. A qualified person can create an image of ESI – that is a forensically sound copy of the ESI that often is self-authenticating.
One of the most common ways to certify that a copy of ESI is authenticated with the original ESI is by using a hash algorithm. A hash algorithm is a mathematical process that results in a hash value that represents a file.
Federal Rules of Evidence, Article IX, Rule 902 (FRE 902), Committee Notes on Rules – 2017 Amendment states:
This amendment allows self-authentication by a certification of a qualified person that she checked the hash value of the proffered item and that it was identical to the original. The rule is flexible enough to allow certifications through processes other than comparison of hash value, including by other reliable means of identification provided by future technology.
Based on that note, the process of authenticating ESI should be direct. You hash the two files and compare the values. If they are the same, then they are the same and if you are qualified to hash a file and compare hash values then the ESI is self-authenticating. Not quite.
Not all hash algorithms produce a hash value that is as unique as the hash values other hash algorithms produce. According to the National Institute of Standards and Technology (NIST), the hash algorithms MD5 and SHA-1 were broken in 2004 and 2005, respectively. While research performed by Xiaoyun Wang in 2005 showed it was possible to create two different files with the same SHA-1 hash, it was not until 2017 that researchers successfully modified a file and were able to produce the same hash value for the original file and the modified file (see: http://shattered.io/static/shattered.pdf).
While digital forensics experts should know MD5 and SHA-1 should not be used to generate hash values, FRE 902 does not identify hash algorithms that should be used during e-discovery or digital forensics.
The NIST Policy on Hash Functions identifies the hash functions federal agencies may use (visit: https://csrc.nist.gov/Projects/Hash-Functions/NIST-Policy-on-Hash-Functions).
This is one reason why it is important to have a qualified person who knows more than just the basics of e-discovery, and not someone who just knows how to use the *nix command md5sum, authenticate the ESI.
As cloud computing becomes more available, it is becoming easier and less expensive to increase the processing power of systems. According to the 2017 report, “The first collision for full SHA-1,” the researchers’ modification of a file without changing the SHA-1 hash “took the equivalent processing power as 6,500 years of single-CPU computations.” What history shows us is that the development of technology makes it possible to do things like modifying a file without the hash value of the file changing.
AttorneyAtLawMagazine.com
It is important to know what hash algorithms are broken and to cross validate your forensics tools. Many people who work in information technology related fields know how to generate a hash value, but that doesn’t make them a digital forensics expert. It might not make them qualified enough to be a qualified person.
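The hash-and-compare step described above, as an added Python example that is not from the original article: it hashes both files in one streaming pass, counts only non-broken algorithms as proof of a match, and reports a comparison that rests on MD5 or SHA-1 alone as insufficient. The function names, the choice of SHA-256 and SHA3-256, and the sample files are assumptions made for this example.

```python
import hashlib
import os
import tempfile

# MD5 and SHA-1 are the algorithms the article names as broken. SHA-256 and
# SHA3-256 are this example's assumed choice; confirm against current NIST policy.
BROKEN = {"md5", "sha1"}
APPROVED = ("sha256", "sha3_256")

def digests(path, algorithms, chunk_size=1 << 20):
    """Stream the file once and return {algorithm: hex digest}."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}

def compare_copy(original, copy, algorithms=APPROVED):
    """Compare original and copy; only non-broken algorithms count as proof."""
    a, b = digests(original, algorithms), digests(copy, algorithms)
    strong = [n for n in algorithms if n not in BROKEN]
    record = {  # values worth keeping with the chain-of-custody documentation
        "hashes": {n: {"original": a[n], "copy": b[n]} for n in algorithms},
        "sizes_match": os.path.getsize(original) == os.path.getsize(copy),
    }
    if not strong:
        record["verdict"] = "insufficient: only broken algorithms used"
    elif record["sizes_match"] and all(a[n] == b[n] for n in strong):
        record["verdict"] = "match"
    else:
        record["verdict"] = "mismatch"
    return record

def demo():
    """Constructed sample: a file, a faithful copy, and a one-byte-altered copy."""
    data = b"constructed sample evidence\n" * 1000
    contents = {"original": data, "copy": data, "altered": data[:-2] + b"X\n"}
    with tempfile.TemporaryDirectory() as d:
        paths = {name: os.path.join(d, name) for name in contents}
        for name, content in contents.items():
            with open(paths[name], "wb") as fh:
                fh.write(content)
        return (compare_copy(paths["original"], paths["copy"])["verdict"],
                compare_copy(paths["original"], paths["altered"])["verdict"],
                compare_copy(paths["original"], paths["copy"], ("md5", "sha1"))["verdict"])

if __name__ == "__main__":
    print(demo())
```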
In the case of conducting a forensic acquisition of a mobile device, you will want to work with a digital forensics expert. Obtaining a forensic image of a phone often involves a process known as rooting. We won’t go into the details of rooting a phone in this article, but if you need to forensically image deleted information on a smartphone you will probably need to root the smartphone and will without any doubt want to work with a digital forensics expert.
Someone who can certify the hash values are the same may not be good enough. In all cases documentation and maintaining a proper chain of custody is imperative.
Michael Zinn is a recognized digital forensics and cybersecurity expert who holds a number of industry certifications including certified computer examiner (International Society of Forensic Computer Examiners), EC-Council computer hacking forensic investigator, AccessData certified examiner, and AccessData mobile examiner. He is an experienced computer security incident response team leader and is available for cybersecurity consultations and cybersecurity training.