Introduction to Computer Forensics

1
Roadmap
• Incidents & Crimes and Responding to them
– Vulnerabilities, Threats, Incidents/Crimes
– Types of incidents/crime
• How computers & networks work (A Forensic perspective)?
– Boot Sequence
– How data is stored and how can it be viewed?
2
Roadmap
• Forensic Investigations
– Objectives of investigations
– The process
– How to handle evidence
3
How computers work: A Forensic perspective?
• How computers work (A Forensic perspective)?
– Boot Sequence
– How data is stored and how can it be viewed?
4
How Computers Work?
• Computer Components
• What happens when you turn the computer
on?
• What is a File System?
• How is data stored on disks?
• How is data represented in computers, and
how can it be looked at?
• How is data in Windows 2000 encrypted?
5
Components of computers
• Central Processing Unit (CPU)
• Basic Input and Output System (BIOS)
• Memory
• Peripherals (disks, printers, scanners, etc.)
6
Boot Sequence
• What happens when you turn the computer on?
– CPU reset: when turned on, the CPU is reset and the BIOS is
activated
– Power-On Self Test (POST) performed by the BIOS:
• Verify integrity of CPU and POST
• Verify that all components are functioning properly
• Report if there is a problem (beeps)
• Instruct the CPU to start the boot sequence
(System configuration and date/time information is stored in
CMOS while the computer is off. POST results are
compared with CMOS to report problems)
7
Boot Sequence
– Disk boot: Loading of the operating system from disk
into memory. The bootstrap is in Read-Only-Memory.
• IMPORTANT POINTS
– CMOS chip contains important evidence on the
configuration. If the battery powering CMOS is down,
important evidence may be lost (Moussaoui case, 2003)
– If the computer is rebooted, the data on the hard disk
may be altered (for example the time stamps on files).
– Hence the importance of booting from a floppy and
accessing the CMOS setup during the boot up.
8
Boot Sequence: Important Points
– It is a good idea to obtain the BIOS password from the
user. Resetting the CMOS password can change
system settings and hence alter evidence. For
example, you can change the boot sequence so
that the computer accesses drive A first.
– It is possible to overwrite BIOS passwords using
services such as www.nortek.on.ca. However, one
should use this only as a last resort.
– It may be necessary to physically remove the hard
disk to retrieve data.
9
The File System
• The file system is like a database that tells the
operating system where data is located on the
disks or other storage devices.
– FAT in MS-DOS is a flat table that links files
to their locations on disk. Microsoft’s NTFS, by contrast,
is similar to Unix file systems.
– In Unix systems, it consists of an inode table
providing pointers from file identifiers to the
blocks where they are stored, and a directory.
10
The File System
– Mounting a file system is the process of making the
operating system aware of its existence. When mounted,
the operating system copies the file tables into kernel
memory.
– The first sector of a hard disk contains the master boot
record, which contains a partition table. The partition
table tells the operating system how the disk is divided.
– Partitions can be created and viewed using fdisk.
Each partition contains the boot sector, primary and
secondary file allocation tables (FAT), the root directory,
and unallocated space for storing files.
– Formatting a partition (using format in Windows or
mkfs in Unix) “prepares” it for recognition by the
operating system as a file system.
11
The File System: Important Points
• Formatting a hard drive does not erase data,
and therefore the data can be recovered.
• Low-level formatting does erase data.
However, special vendor software is needed
to low-level format hard disks.
12
Disk Storage
• Data is stored on the disk in concentric circles
called tracks (one per head). When the platters are stacked, the
set of tracks with identical radius is collectively
called a cylinder. The disk is also divided into wedge-shaped
areas called sectors.
• Disk capacity is given by the product of the number of
cylinders, tracks (heads), and sectors per track, times the
bytes per sector. Each sector usually stores 512 bytes.
13
Disk Storage
• Zoned Bit Recording (ZBR) is used by disk
manufacturers to ensure that all tracks are
the same size. Otherwise the inner tracks would
hold less data than the outer tracks.
14
Disk Storage
• The tracks on disks may be one of
– Boot track (containing partition and boot information)
– Tracks containing files
– Slack space (unused parts of blocks/clusters)
– Unused partition (if the disk is partitioned)
– Unallocated blocks (usually containing data that has been
“deleted”)
(When program execution is complete, the allocated
memory reverts to the operating system. Such
unallocated memory is not physically erased; just the
pointers to it are deleted)
15
Disk Storage: Important Points
• Hard drives are difficult to erase completely.
Traces of magnetism can remain. This is
often an advantage, since evidence may not
have been erased completely by the
perpetrator. Such evidence can be recovered
using one of the data recovery services (such
as www.ontrack.com, www.datarecovery.net,
www.actionfront.com, www.ibas.net )
• Files “deleted” may be partially recovered
since their fragments may still be in
unallocated blocks
16
Disk Storage: Important Points
• Traces of information can remain on storage media
such as disks even after deletion. This is called
remanence. With sophisticated laboratory equipment,
it is often possible to reconstruct the information.
Therefore, it is important to preserve evidence after
an incident.
• A perpetrator can hide data in the inter-partition
gaps (space between partitions that are specified
while partitioning the disk) and then use disk editing
utilities to edit the disk partition table to hide them.
17
Disk Storage: Important Points
• The perpetrator can hide data in NT streams, and
such streams can contain executables. They are
NOT visible through Windows Explorer and cannot
be seen through any GUI-based editors (this week’s
assignment).
• The perpetrator can declare a smaller than actual drive
size while partitioning and then save information at
the end of the drive.
• Many of the above can be uncovered by using disk
editors such as WinHex, Hex Workshop, or Norton
Disk Editor if the disks are formatted for one of
the Microsoft operating systems.
18
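As an added example (not from the slides), the partition table described above can be decoded and the unclaimed sectors located: the parser reads sector 0 and reports the inter-partition gaps and the space past the last partition, the two places the slides say data can be hidden. The sample MBR and disk size are constructed inside the code; on a real case the same parser would be fed sector 0 of an image file.

```python
import struct
from dataclasses import dataclass

SECTOR = 512  # bytes per sector, as on the slides


@dataclass
class Partition:
    slot: int          # 0-3, position in the MBR table
    bootable: bool     # 0x80 status flag
    type_id: int       # partition type byte (e.g. 0x07 NTFS, 0x83 Linux)
    lba_start: int     # first sector of the partition
    sectors: int       # length in sectors

    @property
    def lba_end(self) -> int:
        return self.lba_start + self.sectors   # exclusive


def parse_mbr(sector0: bytes) -> list:
    """Decode the four 16-byte entries of a classic MBR partition table."""
    if len(sector0) < SECTOR:
        raise ValueError("need the full 512-byte sector 0")
    if sector0[510:512] != b"\x55\xaa":
        raise ValueError("no 0x55AA boot signature: sector 0 is not a valid MBR")
    parts = []
    for slot in range(4):
        # entry layout: status(1) CHS-start(3) type(1) CHS-end(3) LBA-start(4) sectors(4)
        status, type_id, lba_start, count = struct.unpack_from(
            "<B3xB3xII", sector0, 446 + 16 * slot)
        if type_id == 0 or count == 0:
            continue                                   # empty slot
        parts.append(Partition(slot, status == 0x80, type_id, lba_start, count))
    return parts


def find_gaps(parts: list, disk_sectors: int) -> list:
    """Return (first_sector, length) of every run of sectors no partition claims:
    the inter-partition gaps and the space past the last partition (the
    'smaller than actual drive size' trick)."""
    gaps = []
    cursor = 1                                         # sector 0 is the MBR itself
    for p in sorted(parts, key=lambda p: p.lba_start):
        if p.lba_start > cursor:
            gaps.append((cursor, p.lba_start - cursor))
        cursor = max(cursor, p.lba_end)
    if disk_sectors > cursor:
        gaps.append((cursor, disk_sectors - cursor))
    return gaps


def build_mbr(entries) -> bytes:
    """Constructed fixture: pack (bootable, type_id, lba_start, sectors) tuples
    into a sector-0 image so the parser can be exercised without a real disk."""
    sec = bytearray(SECTOR)
    for slot, (boot, type_id, start, count) in enumerate(entries):
        struct.pack_into("<B3xB3xII", sec, 446 + 16 * slot,
                         0x80 if boot else 0, type_id, start, count)
    sec[510:512] = b"\x55\xaa"
    return bytes(sec)


if __name__ == "__main__":
    # Constructed 200,000-sector disk: NTFS from sector 63 and Linux from 102048,
    # leaving a 2048-sector hole between them and ~18,000 sectors past the end.
    mbr = build_mbr([(True, 0x07, 63, 99937), (False, 0x83, 102048, 80000)])
    parts = parse_mbr(mbr)
    for p in parts:
        print(f"slot {p.slot}: type 0x{p.type_id:02x} sectors {p.lba_start}-{p.lba_end - 1}")
    for start, length in find_gaps(parts, 200000):
        print(f"unclaimed: {length} sectors starting at LBA {start}")
```

Any unclaimed run large enough to hold files is worth carving or at least hex-viewing, since no directory listing will ever show it.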
Disk Storage: Important Points
• For Linux systems, LDE (Linux Disk Editor
at lde.sourceforge.net) is a similar utility
available under the GNU license.
• Main lesson: do not depend on
directories or Windows Explorer. Get to
the physical data stored on the disk
drives. Do not look only at the partitioned
disk. Incriminating data may be lurking
elsewhere on the disk.
19
Data Representation
• While all data is ultimately represented in
binary form (ones and zeroes), the use of editors
that display data in hexadecimal or ASCII
form is valuable in forensics. They
allow you to see features that are otherwise
not visible.
• Popular tools for viewing such files include
WinHex (www.winhex.com), Hex Workshop
(www.hexworkshop.com), and Norton Disk
Edit (www.symantec.com)
20
Data Representation: Important point
• One should be careful in using
such editors, since data can be
destroyed inadvertently.
21
Computer Networks
• How are internet communications organised?
• How do the internet protocols work?
• What are some of the vulnerabilities caused
by the internet protocols?
22
Networking
• The Internet Model:
– Application Layer (HTTP, telnet, email client, …)
– Transport Layer: responsible for ensuring data delivery (port-to-port)
(Protocols: TCP and UDP) (Envelope name: segment)
– Network Layer: responsible for communicating between the host and
the network, and for delivery of data between two nodes on the network
(machine-to-machine) (Protocol: IP) (Envelope name: datagram) (Equipment: router)
– Data Link Layer: responsible for transporting packets across each single
hop of the network (node-to-node) (Protocol: Ethernet) (Envelope name:
frame) (Equipment: hub)
– Physical Layer: physical media (repeater-to-repeater) (Equipment:
repeater)
23
Protocol Layering – Routing
(Source: http://www.albany.edu/~goel/classes/spring2002/MSI416/internet.ppt)
[Figure: Host A and Host B each have an Application, Transport, Network and Link layer above the physical network; the Router between them has only Network and Link layers. Envelope names per layer: Message (application), Packet (transport), Datagram (network), Frame (link).]
Protocols
(Source: http://www.albany.edu/~goel/classes/spring2002/MSI416/internet.ppt)
A protocol defines the format and the order of messages
exchanged between two or more communicating entities, as well as
the actions taken on the transmission and/or receipt of a message
or other event.
[Figure: two parallel exchanges illustrating a protocol. Between people: “Hi” / “Hi” / “Got the time?” / “8:50”. Between computers: TCP connection request / TCP connection response / Get http://www.ibm.com/index.html / index.html]
25
Some Protocol Vulnerabilities
• TCP Connection-Oriented Service (establish a connection
prior to data exchange, coupled with reliable data transfer,
flow control, congestion control, etc.)
– Port scanning using netstat (Unix/Windows)
or Nmap (http://www.insecure.org/nmap/)
– An attacker can mask port usage using kernel-level
rootkits (which can lie about backdoor
listeners on the ports)
– An attacker can violate the 3-way handshake by
sending a RESET packet as soon as the SYN-ACK packet is received
26
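An added example, not part of the slides: a small detector that replays TCP flag sequences from constructed, tcpdump-like log lines and labels each flow, so that the aborted handshakes described above (SYN, SYN-ACK, then RST from the client) stand out from ordinary connections and refused ports. The log line format, the flow keys and the three-port threshold are assumptions made for the example.

```python
import re
from collections import defaultdict

# One packet per line, tcpdump-like: "<time> <src>:<sport> > <dst>:<dport> [<flags>]"
# tcpdump flag letters: S = SYN, . = ACK, R = RST, so "S." is a SYN-ACK.
LINE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)\s+\[(?P<flags>[SAFRP.]+)\]"
)


def parse_line(line: str):
    m = LINE.match(line.strip())
    if not m:
        return None                                  # unparseable line: skip it
    rec = m.groupdict()
    rec["sport"], rec["dport"] = int(rec["sport"]), int(rec["dport"])
    return rec


def classify_flows(lines):
    """Replay the packets; return {(client, cport, server, sport): outcome} where
    outcome is syn_only (never answered), refused (server sent RST),
    established (SYN, SYN-ACK, ACK) or half_open_reset (SYN, SYN-ACK, then
    RST from the client: the aborted handshake described on slide 26)."""
    state = {}
    for rec in map(parse_line, lines):
        if rec is None:
            continue
        flags = rec["flags"]
        to_server = (rec["src"], rec["sport"], rec["dst"], rec["dport"])
        from_server = (rec["dst"], rec["dport"], rec["src"], rec["sport"])
        if flags == "S":                                         # client opens
            state[to_server] = "syn_only"
        elif flags == "S." and state.get(from_server) == "syn_only":
            state[from_server] = "synack"                        # server replied
        elif flags.startswith("R") and state.get(from_server) == "syn_only":
            state[from_server] = "refused"
        elif flags == "." and state.get(to_server) == "synack":
            state[to_server] = "established"
        elif flags.startswith("R") and state.get(to_server) == "synack":
            state[to_server] = "half_open_reset"
    return state


def scan_suspects(flow_state, threshold=3):
    """Clients that aborted handshakes on >= threshold distinct ports of one host."""
    ports = defaultdict(set)
    for (client, _cport, server, port), outcome in flow_state.items():
        if outcome == "half_open_reset":
            ports[(client, server)].add(port)
    return {pair: sorted(p) for pair, p in ports.items() if len(p) >= threshold}


# Constructed capture: 10.0.0.5 aborts handshakes on three ports of 10.0.0.9 and
# hits one closed port; 10.0.0.7 completes a normal connection to port 80.
SAMPLE_LOG = """\
10:00:00.001 10.0.0.5:40001 > 10.0.0.9:22 [S]
10:00:00.002 10.0.0.9:22 > 10.0.0.5:40001 [S.]
10:00:00.003 10.0.0.5:40001 > 10.0.0.9:22 [R]
10:00:00.004 10.0.0.5:40002 > 10.0.0.9:80 [S]
10:00:00.005 10.0.0.9:80 > 10.0.0.5:40002 [S.]
10:00:00.006 10.0.0.5:40002 > 10.0.0.9:80 [R]
10:00:00.007 10.0.0.5:40003 > 10.0.0.9:443 [S]
10:00:00.008 10.0.0.9:443 > 10.0.0.5:40003 [S.]
10:00:00.009 10.0.0.5:40003 > 10.0.0.9:443 [R]
10:00:00.010 10.0.0.5:40004 > 10.0.0.9:25 [S]
10:00:00.011 10.0.0.9:25 > 10.0.0.5:40004 [R.]
10:00:01.000 10.0.0.7:51000 > 10.0.0.9:80 [S]
10:00:01.001 10.0.0.9:80 > 10.0.0.7:51000 [S.]
10:00:01.002 10.0.0.7:51000 > 10.0.0.9:80 [.]
10:00:02.000 10.0.0.7:51001 > 10.0.0.9:8080 [S]
"""

if __name__ == "__main__":
    flows = classify_flows(SAMPLE_LOG.splitlines())
    for key, outcome in flows.items():
        print(key, outcome)
    print("scan suspects:", scan_suspects(flows))
```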
Some Protocol Vulnerabilities
• UDP Connectionless Service (No handshake prior to data
exchange, No acknowledgement of data received, no
flow/congestion control)
– Lack of a 3-way handshake
– Lack of control bits hinders control
– Lack of packet sequence numbers hinders
control
– Scanning UDP ports is also harder, since
there are no code bits (SYN, ACK, RESET).
False positives are common since the target
systems may not send reliable “port
unreachable” messages
27
Digital Evidence
• Sources of evidence on the internet?
– Evidence can reside on the computers, network
equipment (routers, for example), and on servers
– Various tools are available to extract evidence
from these sources
28
Evidence on workstations & Servers
• Locations (Disks)
– Disk partitions, inter-partition gaps (not all partitions may
have file systems; for example, swap space in Unix
systems does not have a file system)
– Master Boot Record (contains the partition table)
– Boot sector (has file system information)
– File Allocation Tables (FAT)
– Volume slack (space between the end of the file system and the end
of the partition)
– File slack (space allocated to files but not used)
– RAM slack (in pre-Windows 95a systems, the space between
end-of-file and end-of-sector)
29
Evidence on workstations, Servers
• Locations (continued)
– Unallocated space (space not yet allocated to files.
Also includes recently deleted files, some of
which might have been partially overwritten)
• Locations (Memory or RAM)
– Registers & Cache (usually not possible to
capture. Cache can be captured as part of system
memory image)
– RAM
– Swap space (on disk)
30
Evidence on Servers & Network Equipment
• Router system logs
• Firewall logs of successful and unsuccessful
attempts
• Syslogs in /var/log on Unix systems
• wtmp logs (accessed with the last command) on
Unix systems
31
Evidence on Workstations, Servers,
Network: Important Points
• It is possible to hide partitions
• It is possible to hide data in files using streams
so they are not visible. You can know of their
existence only by analyzing the Master File
Table
• It is possible to hide data in inter-partition
gaps, volume slack
• It is possible to hide data at the end of the drive
by declaring drive size smaller than its actual
size.
32
Types of Evidence
• Physical evidence (computers, network
equipment, storage devices,…)
• Testimonial evidence
• Circumstantial evidence
______________________
• Admissible evidence (evidence that a court
accepts as legitimate)
• Hearsay evidence
33
Hearsay Evidence: Exception
• “A memorandum, report, record, or data compilation, in any form, of
acts, events, conditions, opinions, or diagnoses, made at or near the
time by, or from information transmitted by, a person with
knowledge, if kept in the course of a regularly conducted
business activity, and if it was the regular practice of that
business activity to make the memorandum, report, record or
data compilation, all as shown by the testimony of the custodian or
other qualified witness, or by certification that complies with Rule
902(11), Rule 902(12), or a statute permitting certification, unless the
source of information or the method or circumstances of preparation
indicate lack of trustworthiness.”
Source: Federal Rules of Evidence: http://www.law.cornell.edu/rules/fre/rules.htm
34
Characteristics of Evidence
• Authenticity (unaltered from the original)
• Relevance (relates crime, victim and perpetrator)
• Traceability (audit trail from the evidence
presented back to the original)
• Complete (presents total perspective on the crime.
Ideally, should include exculpatory evidence)*
• Reliable (one should not be able to doubt the
authenticity and traceability of the evidence
collection and chain of custody)
35
Characteristics of Evidence
• Believable (jury should be able to understand
the evidence)
36
Typical Sequence of Events in Incident
Response (RFC2196 Model)
RFC 2196 and Incident Management
(ftp://ftp.isi.edu/in-notes/rfc2196.txt)
0. Abnormal/unexpected behavior detected
1. Preparation
2. Detection
3. Containment
4. Eradication
5. Recovery
6. Follow-Up
37
Typical Sequence of Events in Incident
Response (RFC2196 Model)
1. Identification of the incident
   1. Is it real? (False alarms)
   2. Determine the scope of the incident
   3. Assess damage
2. Notification of incident
   1. Whom to notify
   2. What to document
   3. Choice of language
38
Typical Sequence of Events in Incident
Response (RFC2196 Model)
3. Protection of evidence
   1. Audit records
   2. Time-tagged actions taken in the investigation
   3. Details of all external conversations
   4. Collecting evidence
4. Containment
   1. Decision whether to shut down the system
   2. How to shut down the system without losing or
      corrupting the evidence
39
Typical Sequence of Events in Incident
Response (RFC2196 Model)
5. Eradication
   1. Collect all evidence before this step
   2. Removal of the vulnerability that caused the
      incident
6. Recovery from clean backups
7. Follow-up (post mortem of the incident)
40
Evidence Collection Principles
• Maintain the chain of custody of the evidence
• Acquire evidence from volatile as well as non-volatile memory without altering or damaging
the original evidence
• Maintain the authenticity and reliability of the
evidence gathered
• No modification of data while analyzing it
41
Maintaining Chain of Custody
• Movement of evidence from place to place
must be documented
• Changing of hands in custody of the
evidence must be documented
• There must be no gaps in the custody of the
evidence
42
Volatile & Non-volatile memory
• Places where evidence may reside
– Memory
– Hard drives
• File systems
• Parts of disk with no file system loaded
• Memory:
– In MS-Windows 2000,
• setting up the Registry to enable capturing memory.dmp
manually
• Using Dumpchk.exe to generate memory dump
– In unix systems, using /etc/sysdump to generate a live
dump of /dev/mem, and using /etc/crash to analyze the
dump
43
Volatile & Non-volatile memory
• Hard Drives
– Imaging: non-destructive sector-by-sector copy of the
drive that does not require the machine to be booted
– NIST requirements for imaging tools:
• Tool makes a bit-stream copy or image of the disk or partition
if there are no access errors
• No altering of the disk by the tool
• Tool must access both IDE and SCSI
• Tool must verify the integrity of the image file
• Tool must log I/O errors, and create a qualified bit-stream
duplicate identifying the areas of the bit-stream in error
• Tool’s documentation must be correct
• Notify the user if the source disk is larger than the destination disk
44
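Added illustration, not the slides’ material or any vendor’s tool: a minimal sector-by-sector imager that follows the NIST points above (destination size check, read-only access to the source, logging of I/O errors, zero-filled “qualified” duplicate, hash recorded for later verification). The FlakySource class and the 4-sector “drive” with one bad sector are constructed so the error path can be exercised without damaged hardware.

```python
import hashlib
import io
from dataclasses import dataclass, field

SECTOR = 512


class FlakySource:
    """Constructed stand-in for a damaged source drive: any read that starts
    inside one of the listed sectors raises an I/O error, like a bad block."""

    def __init__(self, data: bytes, bad_sectors=()):
        self._data, self._bad, self._pos = data, set(bad_sectors), 0

    def seek(self, offset: int):
        self._pos = offset

    def read(self, n: int) -> bytes:
        if self._pos // SECTOR in self._bad:
            raise OSError(5, "Input/output error")
        chunk = self._data[self._pos:self._pos + n]
        self._pos += len(chunk)
        return chunk


@dataclass
class ImageResult:
    sectors: int
    sha256: str
    bad_sectors: list = field(default_factory=list)   # (lba, error) pairs


def image_device(src, src_size, dst, dst_capacity, sector_size=SECTOR):
    """Sector-by-sector copy of src (seek/read) into dst (write), following the
    NIST points: refuse a too-small destination, only ever read the source,
    log every unreadable sector and zero-fill it so the image stays aligned
    (a 'qualified' duplicate), and hash the bytes written for verification."""
    if src_size > dst_capacity:
        raise ValueError(f"source ({src_size} B) larger than destination ({dst_capacity} B)")
    n_sectors = -(-src_size // sector_size)            # ceiling division
    digest, bad = hashlib.sha256(), []
    for lba in range(n_sectors):
        src.seek(lba * sector_size)
        try:
            buf = src.read(sector_size)
        except OSError as e:
            bad.append((lba, e.strerror))
            buf = b""
        buf = buf.ljust(sector_size, b"\x00")          # pad short or failed reads
        dst.write(buf)
        digest.update(buf)
    return ImageResult(n_sectors, digest.hexdigest(), bad)


def fingerprint(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify_image(image: bytes, result: ImageResult) -> bool:
    """Re-hash the image and compare with the value recorded at acquisition."""
    return fingerprint(image) == result.sha256


# Constructed 4-sector "drive" (2048 bytes) whose third sector, LBA 2, is unreadable.
CONSTRUCTED_DATA = bytes(range(256)) * 8


def run_demo():
    src = FlakySource(CONSTRUCTED_DATA, bad_sectors={2})
    dst = io.BytesIO()
    result = image_device(src, len(CONSTRUCTED_DATA), dst, dst_capacity=1 << 20)
    return dst.getvalue(), result


if __name__ == "__main__":
    image, result = run_demo()
    print(f"{result.sectors} sectors imaged, sha256 {result.sha256}")
    for lba, err in result.bad_sectors:
        print(f"sector {lba}: {err} (zero-filled in image)")
    print("verification:", "OK" if verify_image(image, result) else "MISMATCH")
```

The bad-sector list belongs in the acquisition notes alongside the hash, because the image is only a faithful copy of the readable sectors.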
Volatile & Non-volatile memory
• Some tools:
– Linux dd (www.redhat.com)
– SnapBack DatArrest (www.snapback.com)
45
Authenticity & Reliability of evidence gathered
• Time synchronization problems in networks
– If the clocks on the various machines are not synchronized,
the evidence collected may carry little weight
– Network Time Protocol (NTP) is supported on Unix and
Linux, but not in Windows. However, there are
third-party tools such as those found at
• www.oneguycoding.com/automachron
• NIST Internet Time Service
www.nist.gov/timefreq/service/its.htm
• www.pawprint.net/wt
46
Authenticity & Reliability of evidence
gathered
– Time Stamping
• Once the system is compromised, the perpetrator will
alter the logs to confuse the investigator
• Digital time stamping service can be used
– www.datum.com
– www.evertrust.com
• Use of Tripwire Monitoring & Reporting Software to
monitor changes
47
How to obtain admissible evidence?
• The Forensic Investigation Process
– Incident alert or accusation: violation of policy or
report of crime
– Assessment of worth/damage: To set priorities
– Incident/Crime scene protocols: Actions taken at
the scene
– Identification and seizure of evidence:
Recognition of evidence and its proper packaging
(protection)
– Preservation of evidence: Preserve the integrity
of the evidence obtained
48
The Forensic Investigation Process
– Recovery of evidence: recovery of hidden and
deleted information, recovery of evidence from
damaged equipment
– Harvesting: Obtaining data about data
– Data reduction: Eliminate/filter evidence
– Organization and search: Focus on arguments
– Analysis: Analysis of evidence to support
positions
– Reporting: Record of the investigation
– Persuasion and testimony: In the courts
(Source: Digital Evidence & Computer Crime, Eoghan Casey, Elsevier,
2004)
49
Objectives of the Investigative Process
• Acceptance: Process has wide acceptance
• Reliability: Methods used can be trusted to
support findings
• Repeatability: Process can be replicated
• Integrity: Trust that the evidence has not
been altered
• Cause & Effect: Logical relationship between
suspects, events, evidence
• Documentation: Recording of evidence
50
Computer Forensics
• How to handle evidence?
– What to search/seize?
– What kind of evidence to gather? How?
– Documenting the evidence gathered
– How to maintain the authenticity of evidence?
51
Incident Handling
• How to handle incidents?
– Types of incidents based on severity
– How to recognise them
– Whether to report them
– Actions required to maintain readiness to handle
incidents
– Actions to take at the scene of the incident
– Pull the plug? Turn off the machine? Live
forensics?
52
How to handle incidents?
• What are the types of incidents from the viewpoint
of response? How are they recognized?
• Whether to report incidents, and to whom to
report?
• What actions are required to maintain readiness to
handle incidents?
• What actions to take at the scene of the incident?
• What actions to take to protect evidence?
• What evidence to collect and how to collect it?
53
Types of incidents based on severity
• LOW
– Loss of passwords, unauthorised sharing of
passwords, successful/unsuccessful
scans/probes, hardware misuse, …
• MEDIUM
– Property destruction, illegal download of
music/files or unauthorised software,
unauthorised use of the system for personal data,
acts by disgruntled employees, illegal hardware
access/trespass, theft (minor)
54
Types of incidents based on severity
• HIGH
– Child pornography, pornography, personal theft,
property destruction, break-in, illegal software
download, malicious code ( viruses, worms,
trojan horses, malicious scripts,…), changes to
system hardware, software, or firmware, violation
of law.
Source: Incident Response: Computer Forensics
Toolkit, Douglas Schweitzer, (John Wiley,
2003)
55
Types of incidents & How to recognize them
• End user detected incidents
• Application detected incidents
• System detected incidents
56
End user detected incidents
• Unavailability of web pages
• Download of a file containing a virus/worm
• Abnormal behavior of a web site
• Spam
• Distribution of pornography
• Unusual request for personal information
(eBay, Nigerian scams)
57
Application detected incidents
• Abnormal behavior of an application
• Inappropriate use of an application (e.g.,
unauthorised access)
• Unauthorised change of data (e.g.,
defacement of web pages, alteration of
data, …)
58
System detected incidents
• Detected by intrusion detection systems
• Detected by analysis of firewall logs
• Viruses/worms detected by servers
• Unavailability of servers (DoS attacks)
• Lack of remote availability of the system
• Detection of abnormal changes by
monitoring software (e.g., Tripwire)
• Unauthorised access to servers, …
59
Whether to report incidents?
• Depends on the party: users, system
administrators
– Users: In their interest to report the incident,
usually to the “help desk”
– System administrators: Report to CSIRT
(Computer Security Incident Response Team) in
the Company.
60
Whether to report incidents?
• Report to Law Enforcement?
– Consult lawyers if an illegal act has occurred and
if there are reporting responsibilities
– Reporting to law enforcement changes the
character of the evidence handling process.
• Evidence can be subpoenaed by courts
• Perpetrators and their lawyers can get access to it in
the trial
• Evidence gathering process and all actions and
documentation of the investigations may also be
accessible to the other party during litigation.
61
What actions are required to maintain readiness
to handle incidents?
• Acceptable use policies
• Access control policies
• Protocols for handling incidents
• Education of all personnel on dealing with
incidents
• Incident handling toolkits (hardware and
software)
62
What actions are required to maintain
readiness to handle incidents?
• System backups
• Computer Security Incident Response Team
(CSIRT)
63
Incident handling toolkits
• Hardware:
– Large capacity IDE & SCSI Hard drives, CD-R,
DVR drives
– Large memory (1-2GB RAM)
– Hubs, CAT5 and other cables and connectors
– Legacy hardware (8088s, Amiga, …) specially for
law enforcement forensics
– Laptop forensic workstations
64
Incident handling toolkits
• Software
– Viewers (QVP http://www.avantstar.com/,
ThumbsPlus http://www.thumbsplus.de/)
– Erase/Unerase tools (Diskscrub, Norton Utilities)
– CD-R, DVR utilities
– Text search utilities (dtsearch http://www.dtsearch.com/)
– Drive imaging utilities (Ghost, Snapback, Safeback,…)
– Forensic toolkits
• Unix/Linux: TCT The Coroners Toolkit/ForensiX
• Windows: Forensic Toolkit
65
Forensic Boot Floppies
• Disk editors (Winhex,…)
• Operating systems
• Forensic acquisition tools (DriveSpy, EnCase,
Safeback, SnapCopy,…)
• Write-blocking tools (FastBloc
http://www.guidancesoftware.com) to
protect evidence.
66
Policies
• Who can add or delete users?
• Who can access machines remotely
• Who has root level access to what resources
(SetUID and sudo privileges)
• Control over pirated software
• Who can use security related software
(network scanning/snorting, password
cracking, etc.)
• Policy on internet usage
67
System backups
• Systems backups help investigation by
providing benchmarks so that changes can be
studied
• Unix:
– dump: dump selected parts of an object file
– cpio: copy files in and out of cpio archives
– tar: create tape archives and add or extract files
– dd: convert and copy a file
68
System backups
• Windows:
– Programs | Accessories | System Tools |
Backup
– NTBACKUP: Part of NT Resource kit
– Backup : From disk to disk
69
What actions to take at the scene of the
accidents?
• Pull the plug? Turn off the machine?
Live forensics?
• What to search/seize?
• What kind of evidence to gather?
How to gather the evidence?
• How to maintain authenticity of the evidence?
70
Pull the plug? Turn off the machine?
Live forensics?
• By pulling the plug you lose all volatile data.
In unix system, you may be able to recover
the data in swap space
• Perpetrator may have predicted the
investigation, and so altered system binaries
• You can not use the utilities on the live
system to investigate. They may have been
compromised by the perpetrator
71
What to search/seize?
• Public investigations (criminal, usually by law
enforcement agencies) vs. corporate
investigations.
• Public investigations, with search warrants,
can seize all computers & peripherals, but the
Fourth Amendment provides protection
• Corporate investigators may not have the
authority to seize computers, and may only be
allowed to make bit-stream copies of drives
72
What kind of evidence to gather? How?
• Secure the scene with yellow tape barriers to prevent
bystanders from entering or interfering with
investigation.
• The computer is just one of a number of types of
evidence to be gathered
• DNA evidence from keyboard
• Fingerprint evidence (AFIS: Automated Fingerprint
Identification System)
• Fingerprints of all people who had access to the
crime scene
73
What kind of evidence to gather? How?
• No one to examine the computer before the bit
stream image of the hard drive has been captured
• Follow the standards outlined in DOJ Manual
• Keep journal on all significant activities, people
encountered.
• Good idea to carry a tape recorder and a still
camera
• Usually not a good idea to video tape the scene. The
defendant’s attorney may have access to it during
trial.
74
What kind of evidence to gather? How?
• If the computer is on,
– capture information on the processes, save data
on all current applications, photograph all
screens.
– After saving all active files (preferably on external
media, but if necessary to save on seized
computer, save with a new name to avoid
confusion), you can shut down the system.
• If the computer is off, you can acquire the
evidence on hard drives (you will have lost
the data in volatile memory)
75
What kind of evidence to gather?
How?
• Tagging and bagging evidence (including
software/hardware documentation)
• Precautions:
– Grounding wristbands, static electricity resistant
floor mats
– Mark location of collected evidence
– Carry response kit (laptop, flashlight, digital
camera, IDE 40-to-44 pin adapters, computer
toolkit, dictation recorder, evidence bags, labels,
tags, tape, marking pens, floppy disks, evidence
log forms,…)
76
Documenting the evidence gathered
• Maintain either single or multiple evidence
forms to document evidence gathered
• The forms should include: Case
number/name, Nature of the case, for each
item its description (model/serial numbers,
manufacturer), case investigator, investigator
recovering the evidence, location of original
evidence,
77
How to maintain authenticity of the evidence?
• Maintaining authenticity provides assurance
to the jury that the evidence is reliable and
has not been tampered with.
• Authenticity is provided by cryptographic
checksums (message digests or fingerprints).
• MD5 and SHA are two common hash
algorithms used. They provide a fingerprint
of the evidence gathered.
78
How to maintain authenticity of the evidence?
• An executable for the MD5 algorithm can be downloaded
from http://www.etree.org/software.html for
various operating systems.
– Example: on a Unix system, to get the MD5 digest of
the files /etc/passwd and /etc/services, you would run
• cat /etc/passwd /etc/services > file
• md5sum file > file.md5
• Such algorithms are subject to cryptographic attack.
Therefore it is important to provide some
redundancy.
79
How to maintain authenticity of the evidence?
• Some software such as Tripwire compute
hash values using multiple algorithms so that
even if one algorithm becomes susceptible to
attack, authenticity can be proven using other
algorithms
• Whenever a copy of the evidence is to be
produced, the authenticity of the copy can be
shown by re-computing the hash value and
comparing with the original
80
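Added example, not from the slides: fingerprinting evidence with several hash algorithms at once (the Tripwire-style redundancy mentioned above), re-verifying a copy against the recorded digests while optionally excluding an algorithm no longer trusted, and keeping the per-handover record that the evidence forms and chain of custody call for. The CustodyLog structure, its field names and the sample item names are assumptions made for the example.

```python
import hashlib
from datetime import datetime, timezone

# Several independent algorithms, as Tripwire does: if one is later broken,
# the others still tie the copy to the original.
ALGORITHMS = ("md5", "sha1", "sha256")


def fingerprint(data: bytes, algorithms=ALGORITHMS) -> dict:
    """Hex digests of one byte string under every listed algorithm."""
    return {name: hashlib.new(name, data).hexdigest() for name in algorithms}


def fingerprint_file(path: str, algorithms=ALGORITHMS, chunk: int = 1 << 20) -> dict:
    """Same thing for a file too large to hold in memory, such as a disk image."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        while block := fh.read(chunk):
            for h in hashers.values():
                h.update(block)
    return {name: h.hexdigest() for name, h in hashers.items()}


def verify_copy(copy: bytes, recorded: dict, trusted=ALGORITHMS):
    """Re-hash a copy and compare with the digests recorded for the original.
    Returns (ok, names_that_mismatched). Pass trusted=("sha256",) to leave an
    algorithm that is considered broken out of the comparison."""
    fresh = fingerprint(copy, trusted)
    mismatched = [name for name in trusted if fresh[name] != recorded.get(name)]
    return (not mismatched, mismatched)


class CustodyLog:
    """Chain-of-custody ledger: who handled which item, when, and its digests."""

    def __init__(self):
        self.entries = []

    def record(self, item: str, action: str, custodian: str, data: bytes):
        self.entries.append({
            "item": item, "action": action, "custodian": custodian,
            "time": datetime.now(timezone.utc).isoformat(timespec="seconds"),
            "hashes": fingerprint(data),
        })

    def unchanged(self, item: str) -> bool:
        """True if every recorded handling of the item produced identical digests."""
        seen = [e["hashes"] for e in self.entries if e["item"] == item]
        return all(h == seen[0] for h in seen)

    def custodians(self, item: str) -> list:
        """Everyone who held the item, in order, for spotting gaps in custody."""
        return [e["custodian"] for e in self.entries if e["item"] == item]


if __name__ == "__main__":
    evidence = b"constructed evidence bytes"          # stands in for an image file
    log = CustodyLog()
    log.record("HDD-01 image", "acquired", "Investigator A", evidence)
    log.record("HDD-01 image", "transferred to lab", "Examiner B", evidence)
    print("chain intact:", log.unchanged("HDD-01 image"), log.custodians("HDD-01 image"))
    print("copy verifies:", verify_copy(evidence, log.entries[0]["hashes"]))
```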