Pau Lo

asked on
Hashing images and other files

What does hashing a file mean in terms of digital forensics. I would much rather some comments as opposed to links. The general gist I got was examiners hash (what tools?) a set of images, and then see if they are elsewhere on other machines? Or get a hash set of known bad/inappropriate images and scan that against a suspect’s machine?

So, how does hashing work in layman's terms? Doesn't the way an image has been saved, tampered with or uploaded to a given site affect that unique hash? Is there anything that can affect the exact same image having one hash when you hash it, and another hash if you find it on a different workstation? And also, is hashing only used on certain file types, or can it be used on everything and anything? Also I hear about MD5sum; is that the only type of hash used in forensics? Can you run a hashset over the Internet, or only over a bit image of a device?
ASKER CERTIFIED SOLUTION
abbright
Pau Lo

ASKER

Thank you. So what tool can be used to get the hash for the image?
This is a tool which lets you compute MD5 and SHA1 hashes: http://www.nirsoft.net/utils/hash_my_files.html
On Linux-machines there is usually md5sum: http://en.wikipedia.org/wiki/Md5sum
Pau Lo

ASKER

Thanks, are there any scenarios where, say, an image found on a user's machine and an image found on a public website would have different hash values if it is the same picture?
If the binary file is identical the hash is the same. If only one pixel of the image has been changed (which you probably won't notice using your eyes) the hash will be different.
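Added example (not part of this thread, and not one of the tools mentioned in it): a short Python script that shows abbright's point. The "image" is a constructed byte string, not a real JPEG, and the known-bad list is a constructed hashset; the names `file_hashes`, `build_hashset` and `match_against_hashset` are this example's own.

```python
import hashlib

# Constructed sample "image": a JFIF-looking header plus filler bytes. It is
# not a real JPEG; any byte string behaves the same way for hashing.
ORIGINAL = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01" + bytes(range(256)) * 4 + b"\xff\xd9"

# The same picture with one byte (think: one pixel) flipped.
edited_buf = bytearray(ORIGINAL)
edited_buf[300] ^= 0x01
ONE_PIXEL_CHANGED = bytes(edited_buf)

# A byte-for-byte copy, as it would arrive after a rename, copy or download
# that did not recompress or otherwise touch the content.
RENAMED_COPY = bytes(ORIGINAL)


def file_hashes(data: bytes) -> dict:
    """MD5, SHA-1 and SHA-256 digests of the same bytes, hex encoded.
    Forensic tools usually record more than one algorithm per file so a
    hit can be cross-checked against hash lists that use either one."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def build_hashset(known_files: dict) -> dict:
    """Turn {label: bytes} for a set of known files (e.g. a known-bad list)
    into {sha256_hex: label}. Keying on the digest makes lookups O(1),
    which matters when the suspect machine has a million files."""
    return {file_hashes(data)["sha256"]: label for label, data in known_files.items()}


def match_against_hashset(candidates: dict, hashset: dict) -> dict:
    """Hash every candidate file from the suspect machine and look the
    digest up in the hashset. Returns {candidate_name: matched_label_or_None}."""
    return {name: hashset.get(file_hashes(data)["sha256"]) for name, data in candidates.items()}


if __name__ == "__main__":
    print(file_hashes(ORIGINAL)["md5"] == file_hashes(RENAMED_COPY)["md5"])       # True
    print(file_hashes(ORIGINAL)["md5"] == file_hashes(ONE_PIXEL_CHANGED)["md5"])  # False
    known = build_hashset({"known_bad_001.jpg": ORIGINAL})
    print(match_against_hashset(
        {"DCIM/photo.jpg": RENAMED_COPY, "DCIM/edited.jpg": ONE_PIXEL_CHANGED}, known))
```

The renamed copy matches the known-bad entry; the one-byte edit does not, which is exactly why a hashset only catches byte-identical copies and why re-saving, resizing or recompressing a picture defeats a plain hash match.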
Pau Lo

ASKER

Is that the common way (except manual visual) forensics guys use to find a file on another device, i.e. hash it, hash the target machine's files and check for a match, or is that a bit of an older technique replaced by newer techniques?
I'm not sure what forensics will do, but it definitely is an easy way to figure out if certain files can be found on a computer. If someone wants to hide these he rather encrypts the files instead of changing them in order to change the hash, I guess.
Pau Lo

ASKER

Was gonna ask about adding them to compressed zip files. I assume all you'd get then would be the hash for the zip file, not a hash per file in the zip archive?
If the zip file is encrypted you don't have a chance to get the hashes of the files contained within. If it isn't encrypted you can hash each file in the zip file separately.
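Added example (not from this thread): Python that hashes each member of a ZIP archive separately, as abbright describes, and reports an entry as unreadable when its encryption flag is set and no password is available. The archive is built in memory from constructed content. Because the standard library cannot write encrypted ZIPs, the helper `flag_member_as_encrypted` only sets the encryption flag bit on one entry to reproduce what a reader sees; that helper and `hash_zip_members` are this example's own names.

```python
import hashlib
import io
import struct
import zipfile
from typing import Optional

# Constructed sample content; any bytes would do.
SAMPLE_IMAGE = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + bytes(range(256)) * 2 + b"\xff\xd9"
SAMPLE_NOTE = b"nothing to see here\n"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def hash_zip_members(zip_bytes: bytes, pwd: Optional[bytes] = None) -> dict:
    """Hash each member of a ZIP archive on its own, streaming the
    decompressed bytes through SHA-256. Members whose general-purpose
    flag bit 0 (encrypted) is set are reported as None when no password
    is supplied: without the key their plaintext, and so their hash,
    cannot be recovered from the archive alone."""
    result = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            if info.flag_bits & 0x1 and pwd is None:
                result[info.filename] = None
                continue
            h = hashlib.sha256()
            with zf.open(info, pwd=pwd) as fh:
                for chunk in iter(lambda: fh.read(64 * 1024), b""):
                    h.update(chunk)
            result[info.filename] = h.hexdigest()
    return result


def build_sample_zip() -> bytes:
    """Constructed two-member archive built in memory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("photo.jpg", SAMPLE_IMAGE)
        zf.writestr("notes.txt", SAMPLE_NOTE)
    return buf.getvalue()


def flag_member_as_encrypted(zip_bytes: bytes, name: str) -> bytes:
    """Demo helper: set the 'encrypted' flag bit on one member in both its
    local file header and its central-directory entry. The data is NOT
    actually encrypted; this only reproduces what a reader sees when it
    meets a password-protected entry."""
    data = bytearray(zip_bytes)
    target = name.encode()
    # (signature, offset of flags, offset of name length, offset of name)
    layouts = ((b"PK\x03\x04", 6, 26, 30), (b"PK\x01\x02", 8, 28, 46))
    for sig, flag_off, nlen_off, name_off in layouts:
        pos = data.find(sig)
        while pos != -1:
            nlen = struct.unpack_from("<H", data, pos + nlen_off)[0]
            if bytes(data[pos + name_off:pos + name_off + nlen]) == target:
                flags = struct.unpack_from("<H", data, pos + flag_off)[0]
                struct.pack_into("<H", data, pos + flag_off, flags | 0x1)
            pos = data.find(sig, pos + 4)
    return bytes(data)


if __name__ == "__main__":
    plain = build_sample_zip()
    print(hash_zip_members(plain))
    locked = flag_member_as_encrypted(plain, "notes.txt")
    print(hash_zip_members(locked))  # notes.txt -> None
```

Note that the hash of the archive itself changes whenever a member is re-added or the archive is rebuilt, so a hashset of loose files is matched against the members, not against the container.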
Pau Lo

ASKER

I assume you can't google a hash value and see where the image has a web presence... You'd have to have the server and hash each file on the server then do a match
I think you cannot google a hash value, as Google caches website contents and hashes usually are not part of websites.
Pau Lo

ASKER

There's one site, tinyeye.com; I wonder how that works....
SOLUTION
Pau Lo

ASKER

Thanks so much for the great answers. May have to tap into your knowledge further. Sometimes we find a suspect image like a jpg on a departmental file share and we always want to find "who put it there". As far as I know images don't have the same MAC information as you get with Word docs, although I am not even sure if a Word doc has a "created by" or "saved by" type log to narrow down who put the file there.
Pau Lo

ASKER

ChopOMatic,

I'd also (being nosey) be interested what are the more common types of investigations you get asked to review/prove/disprove etc? How long does a typical case take you guys, are you under urgent deadlines or do you typically get a couple of weeks to ensure you have located everything and not missed anything?
In order to figure out "who put it there" you may want to check the file ownership of the file. If users don't have administrative rights on the file server and are logged on using domain credentials, the file ownership should help you figure out the source. In addition to this you can activate auditing in order to record any filesystem changes.
~75% of my casework is a scenario similar to this:  John Doe leaves the employ of Acme Widgets and goes to work for Good Widgets down the street. Acme Widgets starts losing business to Good Widgets and says, "Hey, ole John Doe stole our proprietary data and now he's using it for our competitor!" A lawsuit gets filed and an attorney for one side or the other calls me, explains the allegations, and asks me to figure out exactly what happened with regard to the data of interest. After a bit of wrangling in court, I'm granted access to the various computers and devices involved. I create forensic images of those devices and analyze those images in order to reconstruct what happened. I generate a detailed report of my findings. If the case makes it to trial, I testify to those findings.

Urgent, compressed timeframes are very common. I rarely hear, "No hurry, take your time!" ;-)

As for how long, there's no good answer to that. Sometimes the central question is whether one particular file is on one particular device. Those are pretty quick. Sometimes it's much broader, looking for data and clues across dozens of computers/thumbdrives/smartphones/you name it. Cases can literally go for days or years.
Pau Lo

ASKER

Interesting stuff.

Last questions

@abbright:

>>you may want to check the file-ownership of the file

How do you check this for say a .doc or a .jpg or a .mpg

@ChopOMatic::

I watched a couple of YouTube vids on forensics last night. And one technique they say they use is keyword searches. However, I wondered, do files on a PC sometimes have keywords in a less than plain-text kinda format? So you could potentially miss key files containing keywords as they weren't in a plain-text format?

Also, aside from hash analysis and keyword search analysis, which I assume you run on every/most cases, are there other types of "analysis" to find the files you are after? Can you detail them so I can read up further, as this stuff interests me...
If you right-click on the file, select properties => security => advanced => owner you see the current owner of the file. Chances are that this is the one who uploaded the file, though it is not guaranteed as users with full access to a server can change the ownership of a file.

In order to find the files you are after you can search for filenames, filename suffixes, sizes, change dates, or any other property a file has. For example you could search for all jpg files of a certain size which have been changed in a certain period of time and which are stored in a certain folder. All this can be done with the standard Windows search. If you want to go into the properties of the pictures themselves I guess you need specialized tools like the ones ChopOMatic talked about.
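Added example (not from this thread) covering both of abbright's points above, the ownership check and the search by suffix, size and change date: a Python script that walks a directory, filters files the way the Windows search described here would, and attaches the recorded owner to each hit. The "share" is a constructed temp directory with backdated modification times. On POSIX the owner comes from stat(); on Windows the owner lives in the security descriptor that the Properties > Security > Advanced dialog shows, which needs pywin32 and is not assumed here. `find_files`, `file_owner`, `recent_large_jpgs` and `build_sample_share` are this example's own names.

```python
import os
import tempfile
import time
from datetime import datetime, timedelta


def file_owner(path: str) -> str:
    """Owner the OS records for a file. On POSIX that is the uid from
    stat() mapped through the password database. On Windows reading the
    security descriptor needs pywin32, which this stand-alone example does
    not assume, so it reports 'unknown' there."""
    if os.name != "posix":
        return "unknown"
    import pwd
    st = os.stat(path)
    try:
        return pwd.getpwuid(st.st_uid).pw_name
    except KeyError:
        return str(st.st_uid)  # uid with no local account (e.g. a domain SID on a mounted share)


def find_files(root, suffixes, min_size=0, max_size=None, modified_after=None, modified_before=None):
    """Walk `root` and return files matching a suffix list (case-insensitive),
    a size range and a modification-time window, with the owner attached."""
    wanted = tuple(s.lower() for s in suffixes)
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for fn in filenames:
            if not fn.lower().endswith(wanted):
                continue
            path = os.path.join(dirpath, fn)
            try:
                st = os.stat(path)
            except OSError:
                continue  # vanished or unreadable; skip rather than abort the sweep
            if st.st_size < min_size or (max_size is not None and st.st_size > max_size):
                continue
            mtime = datetime.fromtimestamp(st.st_mtime)
            if modified_after is not None and mtime < modified_after:
                continue
            if modified_before is not None and mtime > modified_before:
                continue
            hits.append({"name": fn, "path": path, "size": st.st_size,
                         "mtime": mtime, "owner": file_owner(path)})
    hits.sort(key=lambda h: h["path"])
    return hits


def recent_large_jpgs(root: str, days: int = 7, min_size: int = 10_000) -> list:
    """JPEGs of at least min_size bytes changed within the last `days` days."""
    return find_files(root, [".jpg", ".jpeg"], min_size=min_size,
                      modified_after=datetime.now() - timedelta(days=days))


def build_sample_share() -> str:
    """Constructed stand-in for a departmental share: a temp directory with
    a few files whose modification times are backdated with os.utime()."""
    root = tempfile.mkdtemp(prefix="share_")
    now = time.time()
    day = 86400
    samples = {
        "reports/q1.docx": (b"x" * 2000, now - 30 * day),
        "pics/holiday.jpg": (b"\xff\xd8" + b"p" * 50_000 + b"\xff\xd9", now - 40 * day),
        "pics/suspect.JPG": (b"\xff\xd8" + b"s" * 120_000 + b"\xff\xd9", now - 2 * day),
        "pics/tiny.jpg": (b"\xff\xd8\xff\xd9", now - 1 * day),
    }
    for rel, (content, mtime) in samples.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(content)
        os.utime(path, (mtime, mtime))
    return root


if __name__ == "__main__":
    share = build_sample_share()
    for hit in recent_large_jpgs(share):
        print(hit["path"], hit["size"], hit["mtime"].isoformat(), hit["owner"])
```

Only `suspect.JPG` survives the filter: the holiday picture is too old, the tiny one too small, and the .docx has the wrong suffix. The owner field is only as trustworthy as abbright says: anyone with full control of the server can take ownership, which is why enabling object-access auditing beforehand is the better record.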
Pau Lo

ASKER

Thanks abbright, much appreciated.
Yes, keyword searches are an uber-common element of what we do. And yes, keywords can indeed turn up in formats other than plaintext and commonly do. (A prime example of a common non-plaintext format is Unicode and there are certainly others. If you want to dig into the guts of this stuff, do a little research on codepages, Unicode, etc. That's only scratching the skin of the surface, but it's a start.) The short answer is that the software packages we use are designed specifically to find the keywords in their plaintext and non-plaintext flavors. Another important feature of these apps is that they have the ability to search EVERYWHERE for keyword occurrences, not just in active files as would be the case in a typical Windows search. We routinely find keyword occurrences in unallocated space, file slack, temp files, dump files, etc., all locations that wouldn't be examined in a "typical" user-level search. Make sense?

As for other elements of forensic analysis, the list would be long, but some common ones are:  Registry analysis to uncover certain user histories, removable device analysis to track the use of thumbdrives and other removable media, and carving files from unallocated space.

If you want to do some more digging, check out the site Forensic Focus. I'm pretty sure anyone can join there and you'll find a wealth of information and a host of super-helpful people there who love to talk about this stuff. :-)