Hashing integrity in mobile phone forensics

Shira Dankner, Purdue University

Abstract

Hashing is the standard method used by the forensic community both to verify the integrity of recovered evidence and to compare two files to determine whether they are duplicates. Forensic software designed to analyze mobile phones also implements these methods, but there is speculation regarding how effective their implementations are. Currently, the forensic software communicates with the phone in a client/server fashion, and therefore the onus is on the phone's operating system to retrieve and return the evidence requested. This presents a problem when an examiner is trying to follow the rules of evidence, as laid out by the ACPO, because the examiner has no assurance that the process did not alter the evidence. It is already known that the operating system manipulates the contents of the phone’s memory. However, it is unknown whether this affects the hash values of individual files recovered from a mobile phone. The purpose of this research was to discover whether the hash values of individual files change when certain variables of the forensic process change. Some of these variables include the make/model of the phone, the software application, and the transfer method. A secondary objective was to discover whether the implementation of the image affects the final hash value. This research found that the hash value remained consistent throughout most of the tests. However, there were certain instances where the hash value did change when certain functions on the mobile phone were employed.

Degree

M.S.

Advisors

Mislan, Purdue University.

Subject Area

Information science|Computer science
