SANS Digital Forensics and Incident Response Blog: Tag - md5

Law Is Not A Science: Admissibility of Computer Evidence and MD5 Hashes

Another day... another hashing discussion:

On the SANS GIAC Alumni list the other day, the question popped up from one of the individuals on the list:

"I'm assuming that this group has had the pleasure to consume the latest research focused on MD5 hash collisions. Discussions about hash collisions seems to carry the same energy as religion and politics. My question is regarding digital evidence and the use of MD5 hashes to establish digital evidence integrity. The use of hashes to ensure digital evidence integrity has legal precedence. However, as more research companies introduce concerns related to MD5 hashes, the courts will at some point, no longer consider this as a valid technology to ensure integrity.

You will be hacked, will you be prepared?

"Hope for the best, prepare for the worst." — English proverb

"Before anything else, preparation is the key to success." — Alexander Graham Bell

Forensic analysts and the organizations employing them can simplify and expedite the forensic analysis process with preparation. If you accept that system compromise is a matter of when not if, then prepare your systems in advance for forensic analysis.

Before moving systems into production, grab a copy of Jesse Kornblum's MD5Deep from and create MD5 checksums of all the files on the system. Have your desktop folks incorporate this into their image building process. If you're really diligent, update your hashes after applying patches.

Astute readers will say, "I can download known hashes from NIST's