In digital forensics, data stored in a hard disk usually contains valuable evidence. Preserving the integrity of the data in the hard disk is a critical issue. A single hash value for the whole hard disk is not appropriate as the investigation may take a long time and latent sector errors (LSEs) (bad sectors due to media imperfection, for example) which cause a sector suddenly unreadable will make the hash value inconsistent. On the other hand, using a hash per sector may need to store a lot of hash values. Previous research has been conducted to use fewer hash values, but can resist some of LSEs to decrease the number of unverifiable sectors even if there are LSEs. This integrity problem is more complicated in the presence of Legal Professional Privileged (LPP) data inside a seized hard disk in digital forensic as the hard disk has to be cloned once seized and the original hard disk will be sealed after cloning. Hash values need to be computed during this cloning process. However, the cloned copy will be returned to the suspect for the deletion of LPP data before the investigator can work on the sanitized copy. Thus, the integrity of unmodified sectors has to be verified using the hash values computed based on the original hard disk. This paper found that existing schemes are not good enough to solve the integrity verification problem in the presence of both LSEs and deletion of LPP-protected data. We then propose the idea of a Dual Cube hashing scheme. The experiments show the proposed scheme performs better than the previous schemes and fits easily into the digital forensic procedure. Besides, an improved Dual Cube scheme with a new sector distribution algorithm is also proposed to further decrease the number of affected sectors by about 2 order of magnitude when the number of deleted sectors is increased to about 1 million.

• 出版日期2012-7
• 单位暨南大学