MAG24 Hashing and Matching for Triage with VICS and CAID in Magnet OUTRIDER

From its inception, Magnet OUTRIDER was designed to be a lightweight triage tool focused on ICAC investigations, emphasizing identifying files and applications of interest – across a broad set of evidence sources – and providing actionable results quickly.

As devices have grown in storage capacity, searching the hashes of all available media can be time-consuming. Our new patent pending MAG24 hashing and matching format provides a faster option for triaging media using VICS and CAID hash lists.

Triaging With Magnet OUTRIDER

In a triage use case, Magnet OUTRIDER is often run against a suspect’s phone, computer, or external storage device while investigators conduct on-scene interviews with persons of interest in the investigation. This often means results are needed quickly to leverage during those initial interviews while determining whether devices found are relevant to the overall investigation.

One limitation of any triage tool is that when you scan a device – such as a computer found on scene during a search – you are strictly at the mercy of the hardware in that machine and the performance it provides. Often, you are dealing with older hardware, devices with nearly full storage (often still spinning disk), and any number of running programs and services that may consume the already limited resources on that particular system. This can lead to lower overall performance and increased time to evidence, particularly when trying to hash large media files like videos.

Reducing Time to Evidence with MAG24

Magnet OUTRIDER now leverages a different approach to hashing called MAG24, which uses the long-standing MD5 hashing algorithm and a new twist. This feature was developed in an effort to locate known files of interest to CSAM investigations quickly, and the initial results are dramatic. First, MAG24 is not intended to replace traditional hashing algorithms such as MD5 or SHA1; the features related to those still exist in Magnet OUTRIDER. What MAG24 will do is provide significant improvements to device scans by eliminating the need to hash entire files and quickly eliminating those which can be ignored. With another filtering approach to exclude potentially non-relevant files, Magnet OUTRIDER is faster than ever at performing device scans and locating items of interest to your investigations with Magnet’s patent-pending MAG24 hashing algorithm.

Some background

We are all familiar with how hashing algorithms work and how they are used in various aspects of digital investigations. We know that if the calculated hash (say a SHA1) of two different files is the same, then those files are identical – regardless of their file name or extension. We may have all worked investigations where a user renamed illicit files or changed their extension to conceal them.

We also know that for two different files to be binary copies of one another, their file size will be identical. After all, the very nature of cryptographic hashing means that simply changing a single byte will have a cascading effect on the calculated hash value of that data. So, in addition to calculating the MD5 hash of known files of interest to be stored in the hash sets you’ll be leveraging for your scans, Magnet OUTRIDER also stores the corresponding file size alongside the hash. With this additional data point, files on your scanned devices that do not match one of the file size values associated with a supplied file of interest from your hash sets can be ignored. It is significantly faster to perform a file size comparison than calculating a file’s hash, particularly for larger files.

If the file size matches one of the sizes for an associated MD5 in the set, then a hash comparison is made. This means that Magnet OUTRIDER is looking for matches to known files of interest you provide via their file size during a scan. Remember the file size is stored alongside the MD5 hash value. When finding a match to files of interest based solely on data size, Magnet OUTRIDER will then search for that data in the files of interest hash set. While this may sound like extra steps,the benefits of speed and an overall reduction in scan times are significant. You are no longer waiting for Magnet OUTRIDER to calculate an MD5 hash of every file within your targeted scan locations; only those which pass through the first matching function.

 Magnet OUTRIDER is designed for high-speed triage of digital evidence, including Windows and macOS computers, along with newer Android and iOS smartphones. The included features are well suited for identification of illicit material that is often the subject of child sexual exploitation investigations. 

Try Magnet OUTRIDER Today

Start your free trial today and put OUTRIDER to the test in the field and in the lab. Or, request a quote and pricing information for Magnet OUTRIDER today by contacting us at [email protected].

The post MAG24 Hashing and Matching for Triage with VICS and CAID in Magnet OUTRIDER appeared first on Magnet Forensics.

Share:

More Posts

Enterprise forensics: Why scalable solutions matter

Organizations in the private sector face significant complexity when performing enterprise forensics investigations, whether it’s in support of incident response, internal investigation, or litigation/eDiscovery. The volume of data, the sheer

FCC Grants SpaceX SCS Authority

On November 26, 2024, the Space Bureau released an Order and Authorization granting in part and deferring in part, with conditions, several applications from Space Exploration Holdings, LLC (“SpaceX”), including