This simple application calculates the expected CRC32 (ITU-T V.42),
MD5, SHA1 and SHA256 hash values for a specified length of all-zero data.
The calculation of these values is accelerated to provide a result in
approximately one second for data lengths of up to 2TB (two terabytes).
Reliable verification that large data area contains only all-zero
is a recurring non-trivial requirement within digital forensics, either
to validate that there is no information within an area to be examined,
or to validate that all data has been removed during wiping.
While verification by inspection is viable for small data lengths,
this is impracticable for large data areas which may be gigabytes or
event terabytes in size (such as 'cleared' hard disk or partition).
What is therefore needed is a simple, quick and forensically sound
method to perform this verification.
One common suggestion is to perform a CRC across the data span. Most
CRCs do not produce an all-zero result when calculated across all-zero
data (in fact they are generally designed to avoid this). For those
CRCs which do generate a zero result for all-zero data (such as CRC16
[kermit]) the result does not in itself validate that the entire data
length has been calculated upon, nor is the results secure from
data tampering (the data upon which the calculation is being
performed can be easily manipulated by a third party to contain
desired data while still creating the zero checksum).
Since most forensic tools already include the capability to
perform a hash (typically MD5, SHA1 or SHA256) across data areas of
interest, the suggested methodology is to calculate the hash for
the defined length of data using all-zero input values, and then
compare this to the hash of the data under consideration. If the hash
values match then the data area under consideration is confirmed as
being all-zero, and the calculation is confirmed as having processed
all bytes.
This tool has therefore been created to quickly compute the expected
MD5, SHA1 and SHA256 hash values for the defined length of all-zero
data, and uses algorithm acceleration to calculate the required
hashes in approximately one second for data sequences up to 2TB in
length. The CRC32 value for the all-zero data is also calculated and
provided since this is often used for a quick initial test, but as
the CRC32 result is easily manipulated only the MD5/SHA1/SHA256
values are recommended for forensic use.
This product includes cryptographic software written by
Eric Young (eay@cryptsoft.com).
|