Full Transcript

Storage Formats for Digital Evidence

Understanding Storage Formats for Digital Evidence
- Two types of data acquisition
  - Static acquisition
    - Copying a hard drive from a powered-off system
    - Used to be the standard
    - Does not alter the data, so it's repeatable
  - Live acquisition
    - Copying data from a running computer
    - Now the preferred type, because of hard disk encryption
    - Cannot be repeated exactly—alters the data
    - Also, collecting RAM data is becoming more important
      - But RAM data has no timestamp, which makes it much harder to use

Understanding Storage Formats for Digital Evidence
- Terms used for a file containing evidence data
  - Bit-stream copy
  - Bit-stream image
  - Image
  - Mirror
  - Sector copy
- They all mean the same thing

Understanding Storage Formats for Digital Evidence
- Three formats
  - Raw format
  - Proprietary formats
  - Advanced Forensics Format (AFF)

Raw Format
- This is what the Linux dd command makes
- Bit-by-bit copy of the drive to a file
- Advantages
  - Fast data transfers
  - Can ignore minor data read errors on source drive
  - Most computer forensics tools can read raw format

Raw Format
- Disadvantages
  - Requires as much storage as original disk or data
  - Tools might not collect marginal (bad) sectors
    - Low threshold of retry reads on weak media spots
    - Commercial tools use more retries than free tools
  - Validation check must be stored in a separate file
    - Message Digest 5 (MD5)
    - Secure Hash Algorithm (SHA-1 or newer)
    - Cyclic Redundancy Check (CRC-32)

Proprietary Formats
- Features offered
  - Option to compress or not compress image files
  - Can split an image into smaller segmented files
    - Such as to CDs or DVDs
    - With data integrity checks in each segment
  - Can integrate metadata into the image file
    - Hash data
    - Date & time of acquisition
    - Investigator name, case name, comments, etc.

Proprietary Formats
- Disadvantages
  - Inability to share an image between different tools
  - File size limitation for each segmented volume
    - Typical segmented file size is 650 MB or 2 GB
- Expert Witness format is the unofficial standard
  - Used by EnCase, FTK, X-Ways Forensics, and SMART
  - Can produce compressed or uncompressed files
  - File extensions .E01, .E02, .E03, …

Advanced Forensics Format
- Developed by Dr. Simson L. Garfinkel of Basis Technology Corporation
- Design goals
  - Provide compressed or uncompressed image files
  - No size restriction for disk-to-image files
  - Provide space in the image file or segmented files for metadata
  - Simple design with extensibility
  - Open source for multiple platforms and OSs

Advanced Forensics Format (continued)
- Design goals (continued)
  - Internal consistency checks for self-authentication
- File extensions include .afd for segmented image files and .afm for AFF metadata
- AFF is open source

Determining the Best Acquisition Method

Determining the Best Acquisition Method
- Types of acquisitions
  - Static acquisitions and live acquisitions
- Four methods
  - Bit-stream disk-to-image file
  - Bit-stream disk-to-disk
  - Logical
  - Sparse

Bit-stream disk-to-image file
- Most common method
- Can make more than one copy
- Copies are bit-for-bit replications of the original drive
- Tools: ProDiscover, EnCase, FTK, SMART, Sleuth Kit, X-Ways, iLook

Bit-stream disk-to-disk
- Used when disk-to-image copy is not possible
  - Because of hardware or software errors or incompatibilities
  - This problem is more common when acquiring older drives
- Adjusts target disk's geometry (cylinder, head, and track configuration) to match the suspect's drive
- Tools: EnCase, SafeBack (MS-DOS), Snap Copy

Logical Acquisition and Sparse Acquisition
- When your time is limited, and evidence disk is large
- Logical acquisition captures only specific files of interest to the case
  - Such as Outlook .pst or .ost files
- Sparse acquisition collects only some of the data
- I am finding contradictory claims about this—wait until we have a real example for clarity

Compressing Disk Images
- Lossless compression might compress a disk image by 50% or more
  - But files that are already compressed, like ZIP files, won't compress much more
  - Error in textbook: JPEGs use lossy compression and degrade image quality (p. 104)
- Use MD5 or SHA-1 hash to verify the image

Returning Evidence Drives
- In civil litigation, a discovery order may require you to return the original disk after imaging it
- If you cannot retain the disk, make sure you make the correct type of copy (logical or bitstream)
  - Ask your client attorney or your supervisor what is required—you usually only have one chance

Contingency Planning for Image Acquisitions

Contingency Planning for Image Acquisitions
- Create a duplicate copy of your evidence image file
- Make at least two images of digital evidence
  - Use different tools or techniques
- Copy host protected area of a disk drive as well
  - Consider using a hardware acquisition tool that can access the drive at the BIOS level (link Ch 4c)
- Be prepared to deal with encrypted drives
  - Whole disk encryption feature in Windows Vista Ultimate and Enterprise editions

Encrypted Hard Drives
- Windows BitLocker
- TrueCrypt
- If the machine is on, a live acquisition will capture the decrypted hard drive
- Otherwise, you will need the key or passphrase
  - The suspect may provide it
  - There are some exotic attacks
    - Cold Boot (link Ch 4e)
    - Passware (Ch 4f)
    - Electron microscope (Ch 4g)

Using Acquisition Tools
- Acquisition tools for Windows
  - Advantages
    - Make acquiring evidence from a suspect drive more convenient
      - Especially when used with hot-swappable devices
  - Disadvantages
    - Must protect acquired data with a well-tested write-blocking hardware device
    - Tools can't acquire data from a disk's host protected area

Windows Write-Protection with USB Devices
- USB write-protection feature
  - Blocks any writing to USB devices
  - Target drive needs to be connected to an internal PATA (IDE), SATA, or SCSI controller
  - Works in Windows XP SP2, Vista, and Win 7

Validating Data Acquisitions

Validating Data Acquisitions
- Most critical aspect of computer forensics
- Requires using a hashing algorithm utility
- Validation techniques
  - CRC-32, MD5, and SHA-1 to SHA-512
  - MD5 has collisions, so it is not perfect, but it's still widely used
  - SHA-1 has some collisions but it's better than MD5
  - A new hashing function will soon be chosen by NIST

Linux Validation Methods
- Validating dd acquired data
  - You can use md5sum or sha1sum utilities
  - md5sum or sha1sum utilities should be run on all suspect disks and volumes or segmented volumes
- Validating dcfldd acquired data
  - Use the hash option to designate a hashing algorithm of md5, sha1, sha256, sha384, or sha512
  - hashlog option outputs hash results to a text file that can be stored with the image files
  - vf (verify file) option compares the image file to the original medium

Windows Validation Methods
- Windows has no built-in hashing algorithm tools for computer forensics
  - Third-party utilities can be used
- Commercial computer forensics programs also have built-in validation features
  - Each program has its own validation technique
- Raw format image files don't contain metadata
  - Separate manual validation is recommended for all raw acquisitions

Performing RAID Data Acquisitions

Performing RAID Data Acquisitions
- Size is the biggest concern
  - Many RAID systems now have terabytes of data

Understanding RAID
- Redundant array of independent (formerly "inexpensive") disks (RAID)
  - Computer configuration involving two or more disks
  - Originally developed as a data-redundancy measure
- RAID 0 (Striped)
  - Provides rapid access and increased storage
  - Lack of redundancy
- RAID 1 (Mirrored)
  - Designed for data recovery
  - More expensive than RAID 0

Understanding RAID (continued)
- RAID 2
  - Similar to RAID 1
  - Data is written to a disk on a bit level
  - Has better data integrity checking than RAID 0
  - Slower than RAID 0
- RAID 3
  - Uses data striping and dedicated parity
- RAID 4
  - Data is written in blocks

Understanding RAID (continued)

Understanding RAID (continued)

Acquiring RAID Disks
- Concerns
  - How much data storage is needed?
  - What type of RAID is used?
  - Do you have the right acquisition tool?
  - Can the tool read a forensically copied RAID image?
  - Can the tool read split data saves of each RAID disk?
- Older hardware-firmware RAID systems can be a challenge when you're making an image

Acquiring RAID Disks (continued)
- Vendors offering RAID acquisition functions
  - Technologies Pathways ProDiscover
  - Guidance Software EnCase
  - X-Ways Forensics
  - Runtime Software
  - R-Tools Technologies
- Occasionally, a RAID system is too large for a static acquisition
  - Retrieve only the data relevant to the investigation with the sparse or logical acquisition method

Using Remote Network Acquisition Tools

Using Remote Network Acquisition Tools
- You can remotely connect to a suspect computer via a network connection and copy data from it
- Remote acquisition tools vary in configurations and capabilities
- Drawbacks
  - LAN's data transfer speeds and routing table conflicts could cause problems
  - Gaining the permissions needed to access more secure subnets
  - Heavy traffic could cause delays and errors
  - Remote access tool could be blocked by antivirus

Remote Acquisition with ProDiscover Investigator
- Preview a suspect's drive remotely while it's in use
- Perform a live acquisition
  - Also called a "smear" because data is being altered
- Encrypt the connection
- Copy the suspect computer's RAM
- Use the optional stealth mode to hide the connection

Remote Acquisition with ProDiscover Incident Response
- All the functions of ProDiscover Investigator plus
  - Capture volatile system state information
  - Analyze current running processes
  - Locate unseen files and processes
  - Remotely view and listen to IP ports
  - Run hash comparisons to find Trojans and rootkits
  - Create a hash inventory of all files remotely

PDServer Remote Agent
- ProDiscover utility for remote access
  - Needs to be loaded on the suspect computer
- PDServer installation modes
  - Trusted CD
  - Preinstallation
  - Pushing out and running remotely
- PDServer can run in a stealth mode
  - Can change process name to appear as OS function

Remote Connection Security Features
- Password Protection
- Encrypted communications
- Secure Communication Protocol
- Write Protected Trusted Binaries
- Digital Signatures

Remote Acquisition with EnCase Enterprise
- Remotely acquires media and RAM data
- Integration with intrusion detection system (IDS) tools
- Options to create an image of data from one or more systems
- Preview of systems
- A wide range of file system formats
- RAID support for both hardware and software

Other Remote Acquisition Tools
- R-Tools R-Studio
- WetStone LiveWire
- F-Response

Remote Acquisition with Runtime Software
- Compact Shareware Utilities
  - DiskExplorer for FAT
  - DiskExplorer for NTFS
  - HDHOST (Remote access program)
- Features for acquisition
  - Create a raw format image file
  - Segment the raw format or compressed image
  - Access network computers' drives

Using Other Forensics-Acquisition Tools

Using Other Forensics-Acquisition Tools
- Tools
  - SnapBack DatArrest
  - SafeBack
  - DIBS USA RAID
  - ILook Investigator IXimager
  - Vogon International SDi32
  - ASRData SMART
  - Australian Department of Defence PyFlag

SnapBack DatArrest
- Columbia Data Products
- Old MS-DOS tool
- Can make an image in three ways
  - Disk to SCSI drive
  - Disk to network drive
  - Disk to disk
- Fits on a forensic boot floppy
- SnapCopy adjusts disk geometry

NTI SafeBack
- Reliable MS-DOS tool
- Small enough to fit on a forensic boot floppy
- Performs an SHA-256 calculation per sector copied
- Creates a log file

NTI SafeBack (continued)
- Functions
  - Disk-to-image copy (image can be on tape)
  - Disk-to-disk copy (adjusts target geometry)
  - Parallel port laplink can be used
  - Copies a partition to an image file
  - Compresses image files

DIBS USA RAID
- Rapid Action Imaging Device (RAID)
- Makes forensically sound disk copies
- Portable computer system designed to make disk-to-disk images
- Copied disk can then be attached to a write-blocker device

ILook Investigator IXimager
- IXimager
  - Runs from a bootable floppy or CD
  - Designed to work only with ILook Investigator
  - Can acquire single drives and RAID drives

ASRData SMART
- Linux forensics analysis tool that can make image files of a suspect drive
- Capabilities
  - Robust data reading of bad sectors on drives
  - Mounting suspect drives in write-protected mode
  - Mounting target drives in read/write mode
  - Optional compression schemes

Australian Department of Defence PyFlag
- PyFlag tool
  - Intended as a network forensics analysis tool
  - Can create proprietary format Expert Witness image files
  - Uses sgzip and gzip in Linux

Challenges of Computer Forensics
- A microcomputer may have 60 GB or more storage capacity.
- There are more than 2.2 billion messages expected to be sent and received (in US) per day.
- There are more than 3 billion indexed Web pages world wide.
- There are more than 550 billion documents on line.
- Exabytes of data are stored on tape or hard drives.
- (Source: Marcella, Albert, et al., Cyber Forensic, 2002.)

Challenges of Computer Forensics (continued)
- How to collect the specific, probative, and case-related information from very large groups of files?
  - Link analysis
  - Visualization
- Enabling techniques for lead discovery from very large groups of files:
  - Text mining
  - Data mining
  - Intelligent information retrieval
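Added example, not from the slides or from any tool they name: the raw disk-to-image acquisition with dd from the Raw Format slides, followed by the validation the Linux Validation Methods slides call for on raw images (hash kept in a separate file, one hash per segment of a split image, re-verification). It assumes a constructed 1 MiB file stands in for the suspect drive and that sha256sum, split and dd are available; sha256sum is used in place of md5sum/sha1sum and dcfldd is not required.

```shell
#!/bin/sh
# Added example (not from the slides): raw disk-to-image acquisition with dd,
# then the validation steps the slides call for on raw images. The hash lives
# in a separate file, and a segmented copy gets an integrity check per segment
# (the raw-format equivalent of dcfldd's hashlog). sha256sum stands in for
# md5sum/sha1sum; the "suspect drive" is a constructed file, not a device.
set -eu

WORK=$(mktemp -d)

# Constructed stand-in for the suspect drive: 1 MiB of random bytes.
# A real source would be a block device behind a write blocker.
make_source() {
    dd if=/dev/urandom of="$WORK/suspect.dev" bs=4096 count=256 2>/dev/null
    echo "$WORK/suspect.dev"
}

# Bit-by-bit copy. conv=noerror,sync continues past read errors and pads the
# unreadable block, matching the "can ignore minor read errors" point.
acquire_raw() {
    dd if="$1" of="$2" bs=4096 conv=noerror,sync 2>/dev/null
}

# Raw images carry no metadata, so the hash is stored beside the image.
write_hash() {
    sha256sum "$1" | cut -d' ' -f1 > "$1.sha256"
}

# Validation: hash of the original medium must equal the stored image hash.
# Prints OK and returns 0, or prints MISMATCH and returns 1.
validate_image() {
    src_hash=$(sha256sum "$1" | cut -d' ' -f1)
    img_hash=$(cat "$2.sha256")
    [ "$src_hash" = "$img_hash" ] && echo OK || { echo MISMATCH; return 1; }
}

# Split the image into 256 KiB segments and record one hash per segment,
# so a damaged or swapped segment can be pinpointed later.
segment_with_log() {
    split -b 262144 "$1" "$1.seg."
    sha256sum "$1".seg.* > "$1.hashlog"
}

# Re-check every segment against the log; fails if any segment changed.
verify_segments() {
    sha256sum -c "$1.hashlog" >/dev/null 2>&1
}
```

Run make_source, acquire_raw, write_hash and validate_image in that order; the hash log from segment_with_log is what you would store alongside the segments and re-run verify_segments against before analysis.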
