Replies: 3 comments 4 replies
-
Database records: I agree with you, no hashes. |
Beta Was this translation helpful? Give feedback.
-
For database records, I also agree with you, no hashes, but for Reports and previews I think that the current behavior may be useful, for example when an user export the HTML file and want to know if it was intact it can compute its hash and compare with the hash in IPED report. |
Beta Was this translation helpful? Give feedback.
-
Calculate for everything. |
Beta Was this translation helpful? Give feedback.
-
I would like to start this important discussion, in my opinion.
Currently, IPED computes hashes for regular files (allocated, deleted, carved, embedded in containers) and for some data blocks, like unallocated clusters and file fragments.
There are other 2 kinds of information the tool produces, we could call decoded data, usually produced by parsers when decoding some file (or a set of them).
Database records, examples:
Summary reports or previews, examples:
The question is: Should the tool compute hashes for all information above or for some of them? Currently IPED does not compute hashes for database records. How should a hash be computed for an IM message? Concatenating sent date, from, to and text body? Changing the order of those fields would change the hash. That information can result from decoding different tables, making joins and even collecting info from different files. Today the tool doesn't compute hashes for that kind of info, but some users think the tool should, to filter duplicated entries by hash or to verify if the integrity of the decoded information is preserved through the chain of custody. But I don't know if it makes sense to compute hashes for database records, I think most tools don't do this.
About parsing reports or html previews created by the tool (from registry, IM conversations, PST emails) today IPED does compute hashes. But this kind of artifact isn't a regular file, it is a report produced by the tool with parsing results. Other tools would create different reports, with different hashes. Even different IPED versions could create different reports from the same information source, resulting in different hashes, just changing the report formatting style for example. I'm not sure if the tool should continue to hash those reports...
Opinions from users and developers are very welcome!
Beta Was this translation helpful? Give feedback.
All reactions