Implement Container Level Hash #37
Draft
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
… to hashbasedlogical
Updated to PyYaml 5.4 to reflect latest packaged pyaff4 version on pip
…GB it would error when packing struct
…erwriting Allow creation of containers based on ZIP_STORED
…to 0xFFFFFFFF to force reading from extra field, extra field size is now written correctly (was always 0 before)
…nd when hasing with linearhasher2
Updated PyYaml to avoid build issues on cython 3.0 yaml/pyyaml#601
Removed version pinning for pyyaml
Addedd pybindgen as required for successful build of fastchunking
require latest intervaltree to avoid issues with mutableset in python >=3.10
Use source version of aff4-snappy to be able to build on ARM64
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Hello @scudette,
Thanks for the feedback on the other PR, the approach to container hash with armoring is interesting, however it is a big change in the structure, meaning that current tools supporting AFF4(-L) would seem to be incompatible with that.
I would propose the below change as a possible alternative, which would keep full compatibility with previous archives.
By chaining hashes of segments, and hashes of the metadata this way it is possible to fully verify integrity of the container.
Protection against tampering is improved as with this system it would be easy for the investigator to reference in their CoC/lab notebook a single hash returned at the end of the creation of the container. (Whereas now if acquiring a folder of 100 files an investigator would need to either write down all 100 hashes or manually hash the AFF4-L container afterwards)
I've provided a simple PoC adjustment to the aff4.py script.
The only part where I'm not fully sure is that it seems there can be an instance where the information.turtle is split over multiple files? (cf. https://github.com/fservida/pyaff4/blob/faa1361b48616bad8c63c0c13cba1e4e080dee77/pyaff4/data_store.py#L365) and I'm not sure how that is handled as I don't have a reference to test nor can I find more information in the PDFs of the standard as they seem to always refer to a single turtle file.
(Obviously if the container is modified by appending files, the hash shall be invalidated, but I'm thinking to avoid compatibility issues).
Let me know what you think