part of the document, we will cover all the methods used to verify information
and how to counter the forensic research eliminating any trace of your actions
from the device you used.
7.1 Data Integrity
No matter how safe a connection is deemed, it cannot guarantee the integrity
of the data passing through the network. By data integrity, we mean that
information is received in its original state: if, for example, we download a
program from a developer and we need to be 100% sure that what we received is
the same file or files originally distributed, we need to verify the
program’s integrity.
Imagine you wish to download the .ISO of the latest version of Ubuntu, the
popular GNU/Linux home distro: if it gets manipulated on the hosting server
(e.g. if an intruder manages to violate Ubuntu servers and alter images using a
backdoor) or the download gets interrupted, and you unknowingly use it for your
daily operations, you may encounter several usage issues. Let’s look at a very
topical case:
On 20th February, 2016, the portal of Linux Mint, currently the most
appreciated Linux distro, and its latest release (Cinnamon 17.3) were
violated. The attack on the disk image gave the criminal known as Peace
complete control, through an IRC trojan called Tsunami, over all users who
downloaded and installed the .ISO during the previous 24 hours.
If all users had run the data integrity verification (in this case over the .ISO),
probably nobody would have been infected.
7.1.1 Checksum & Hash
In IT, a checksum is the sequence of bits resulting from a calculation over a
piece of information. The calculation is performed by a hash, a mathematical
function that returns an alphanumeric value (namely, the checksum) in a
non-reversible way: simply put, passing any information to a hash produces a
checksum (the result). This way, anybody can generate a checksum starting
from a piece of information, but not vice versa.
In addition, to be considered good, a hash must be collision-resistant, i.e. it
must produce unique checksums, so that the same checksum cannot correspond to
two different pieces of information. Due to their specific nature, hashes are
commonly used in IT, especially for password storage: when you enter a password
on a portal, that password, as per security practices, is converted into the
related checksum using a specific hash, so that the user input can be compared
with the password checksum in the database, avoiding any risk from storing the
password itself. Actually, passwords are “salted” first, but that’s another story.
7.1.1.1 Hash Types
In the IT world, you can commonly find three types of hash:
- MD5
- SHA-1
- SHA-2 (256 or 512-bit)
Each of them has its own characteristics, with pros and cons: for the
purposes of this course, we’ll only state that the safest ones to date are SHA-256
and SHA-512.
7.1.1.2 Calculating a Checksum
In macOS, Linux and BSD environments, you can often find a very convenient
command line tool, shasum. Use it as follows:
$ shasum [filename]
As with the vast majority of UNIX programs, you can use different
parameters to get the best out of it. If you wish to generate a checksum with
512-bit SHA, you must find the correct parameter in the documentation, by using
this command:
$ shasum -h
or using the man command:
$ man shasum
Here you’ll see that the -a parameter selects the algorithm, that is, its bit
length. Then, use the command:
$ shasum -a 512 [filename]
to generate the 512-bit hash. As a result, you’ll get the generated
checksum followed by the file name; feel free to try with your own files.
Here’s a sample output from a random file:
c568ac4df6aef33d887b0326c46d340196fe722f34d696bf7ab7ac9bd2cad933bdc9aa581612d678bead2f3550438c9b7280cd99c2c7e469c76d9ab9d889a983  stefano9lli.txt
Let’s say you downloaded the latest Debian version (currently, 8.6.0 in
standard version) to your computer and want to verify its integrity.
First, generate the local checksum:
$ shasum -a 512 debian-live-8.6.0-amd64-standard.iso
Now, compare it with the one provided by the developers on the official
mirror[82]. In this case, choose SHA512SUM, then find the portion of interest in
the document:
e9506a3746e351203757599a8ce01ba4a84260a633177ee719fa6754b70151f82d03a2843c4aa58e17aa10c35e61369077ea3207b956183259be8444c465e4eb  debian-live-8.6.0-amd64-standard.iso
If the two checksums are identical, you downloaded what the devs deployed.
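The comparison described above can be scripted instead of done by eye. This is an added example, not part of the original text: verify_download and sha512_of are hypothetical helper names, the sample file and checksum list are constructed, and the checksum list is assumed to have been obtained from the developers' official mirror.

```sh
#!/bin/sh
# Added example: check a download against a published "<digest>  <name>" list.
# sha512_of and verify_download are hypothetical helper names.

# Print the SHA-512 hex digest of a file with whichever tool is installed.
sha512_of() {
    if command -v sha512sum >/dev/null 2>&1; then
        sha512sum "$1" | awk '{print $1}'
    else
        shasum -a 512 "$1" | awk '{print $1}'
    fi
}

# verify_download FILE SUMS
# Returns 0 on match, 1 on mismatch, 2 if FILE is missing or not listed.
# Assumes file names without spaces, as is usual for release images.
verify_download() {
    file=$1
    sums=$2
    name=$(basename "$file")
    [ -f "$file" ] || { echo "missing: $file" >&2; return 2; }
    # Binary-mode lists write the name as "*<name>"; accept both forms.
    expected=$(awk -v n="$name" \
        '$2 == n || $2 == "*" n {print tolower($1); exit}' "$sums")
    [ -n "$expected" ] || { echo "no entry for $name in $sums" >&2; return 2; }
    actual=$(sha512_of "$file")
    if [ "$actual" = "$expected" ]; then
        echo "OK: $name"
        return 0
    fi
    echo "MISMATCH: $name" >&2
    echo "  expected $expected" >&2
    echo "  actual   $actual" >&2
    return 1
}

# Constructed demo: a stand-in image, its checksum list, then a truncated copy.
demo() {
    dir=$(mktemp -d)
    printf 'constructed sample image contents\n' > "$dir/sample.iso"
    printf '%s  %s\n' "$(sha512_of "$dir/sample.iso")" sample.iso > "$dir/SHA512SUMS"
    r1=0; verify_download "$dir/sample.iso" "$dir/SHA512SUMS" || r1=$?
    printf 'constructed sample' > "$dir/sample.iso"   # interrupted download
    r2=0; verify_download "$dir/sample.iso" "$dir/SHA512SUMS" 2>/dev/null || r2=$?
    rm -rf "$dir"
    echo "$r1 $r2"
}
demo
```

A non-zero return means the file must not be used: 1 signals altered or incomplete content, 2 signals that no comparison was possible.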
Windows users can perform this operation with a built-in tool. The
command is certUtil:
$ certUtil -hashfile [filepath] [algorithm]
For example, to hash a random file on your Desktop with the SHA-512
algorithm, the command will be:
$ certUtil -hashfile C:\Users\stefano9lli\Desktop\file.txt SHA512
Worthy of note is Hashtab[83] (Figure 24), a freemium program that installs
the checksum feature directly into Windows Explorer, integrating it in the
“Properties” menu, when you right-click a file.