Hi,
i've written previously, tips about the missing parts in the report.
I would like to make a summary of what should be added to the validity of forensic evidence purposes.
1) You should put all details of the file: HASH, Creation date, Modification date, last Accessed date, file/folder position in memory unit (path), eventually a link for the metafile report (if: jpg, doc, etc...)
2) One option to add "Thumbnail list (with link to the file/evidence)" for graphics file (jpg, bmp, png, etc...)
3) It's important that the hash of the files is not only SHA-1, but:
- or SHA-1 + MD5 (contextually)
- or SHA-256
- or latest version (es. SHA-512)
SHA-1 is being retired for most government uses; the U.S. National Institute of Standards and Technology (NIST) says, "Federal agencies should stop using SHA-1 for...applications that require collision resistance as soon as practical, and must use the SHA-2 family of hash functions for these applications after 2010".
Best regards
i've written previously, tips about the missing parts in the report.
I would like to make a summary of what should be added to the validity of forensic evidence purposes.
1) You should put all details of the file: HASH, Creation date, Modification date, last Accessed date, file/folder position in memory unit (path), eventually a link for the metafile report (if: jpg, doc, etc...)
2) One option to add "Thumbnail list (with link to the file/evidence)" for graphics file (jpg, bmp, png, etc...)
3) It's important that the hash of the files is not only SHA-1, but:
- or SHA-1 + MD5 (contextually)
- or SHA-256
- or latest version (es. SHA-512)
SHA-1 is being retired for most government uses; the U.S. National Institute of Standards and Technology (NIST) says, "Federal agencies should stop using SHA-1 for...applications that require collision resistance as soon as practical, and must use the SHA-2 family of hash functions for these applications after 2010".
Best regards
Comment