CS 447/557 Computer Forensics



CSCD496
Computer Forensics
Lecture 5
Applying Process to Computer
Forensics
Winter 2010
Introduction
• Look at digital data acquisition
• Just what is called static acquisition for
now
– Disk and other storage media
• Live acquisition is another technique
– And includes capturing RAM and any other
volatile data from a live machine
Static Acquisition
• Process of copying data
• Goal of Static Acquisition
– Preserve data and establish integrity
– No question of the validity of data so it can be
used as evidence in court
Formats for Acquisition
• Different Formats of digital files from
copying forensics software
– Proprietary format
• Most commercial tools produce their own format
• One popular standard supported by many tools
– Open Source
• Free with most Linux distributions
• Raw format from Linux dd tool
– Bit-by-bit copy of the media
• Also supported by commercial tools
• Creates a sequential flat file of suspect drive
Advantages or Disadvantages
• Advantages of Raw
– Fast transfer, important for large disk copies
– Can handle minor data read errors
– Universal format, most tools can read it
• Disadvantages of Raw
– Requires as much storage space as original
disk
– Fails to collect bad sectors on disk
– Commercial tools make more effort to collect
all data
Advantages or Disadvantages
• Advantages of Proprietary Format
– Offer features not available with Raw
• Compress image, saves space
• Can flexibly split images into smaller files to fit onto
other media
• Can integrate meta data into image, hash value of
original disk, date and time of copy
• Disadvantages of Proprietary Format
• Can't share image between vendors analysis tools
Advantages or Disadvantages
• Example Proprietary Format
– ILook IXimager produces three proprietary
formats
• IDIF, IRBF and IEIT
– Can copy to raw format for use by other tools
– ILook is only available to Law Enforcement
agencies
http://www.perlustro.com/
Standard Formats
• Encase's format, Expert Witness
– Closest to a standard
– Recognized by other commercial tools
• Can generate generic versions of Expert Witness
format
• X-Ways Forensics, Access Data Forensic Toolkit
(FTK), and SMART
– Can be compressed or uncompressed
http://www.guidancesoftware.com/computer-forensics-ediscoverysoftware-digital-evidence.htm
Standard Formats
• Another proposed open-source acquisition
format
– Advanced Forensic Format (AFF)
– AFF is a new format proposed by Dr. Simson
Garfinkel, a forensics researcher
– Expectation is that AFF will become standard
of the future for acquisition of data
– Both Sleuthkit and Autopsy support the AFF
image format
http://www.afflib.org/
AFF Format
• An open standard enables investigators to use their
preferred tools to solve crimes and gather intelligence
• Proprietary file formats mean you will convert from one
format to another to use multiple tools
• Converting between formats risks data corruption if the
formats are not well understood
• Metadata may be lost if all formats do not support the
same forms of metadata
• Read more about the AFF format
http://www.forensicswiki.org/wiki/AFF
Techniques of Acquisition
• Several ways to do static acquisition
– Typically done on computer or digital media
seized as evidence
– Most Common
• Disk-to-image file
– Provides greatest flexibility
– Bit-by-bit copy of original drive
– Can use a variety of tools to read and
analyze data
Techniques of Acquisition
• Another Method
– Disk-to-disk copy
– Copying data from one drive to another
– Circumstances when you might have to do that
• Older drive, with hardware or software errors
• Some tools can adjust disk geometry to match
original suspect drive
• Do that, so exact circumstances of disk are
preserved
• SafeBack and SnapCopy are two tools that run in an
MS-DOS window and do a disk-to-disk copy
• Encase also does this type of data acquisition
Linux vs. Windows
• Do you think it matters which OS you use to
analyze the disk or data?
– Yes.
– Windows can contaminate your evidence drive!
– Must protect drive with a write blocking device
• Hardware devices can be inserted between disk and
the OS used to analyze and copy the data
• More about these in a later chapter
Linux vs. Windows
• Windows XP Blocking Feature
– Since Service Pack 2,
• Feature added to XP to turn off writing to USB
devices
• Must edit registry to do this, book has step-by-step
instructions, Chapter 4
• Connect suspect drive to USB external drive after
you turn off write permission to that USB device
• Will not allow you to write to device
• Make a copy of data
Linux Live Boot CD
• Linux can access a drive that is not
mounted, which means you can't read or write to it
in the usual way
• However, newer Linux distributions
automatically mount and allow access to
connected drives
– Can allow alteration of data
• Answer: Linux Live Boot CD
Linux Live Boot CD
• CAINE Live CD
– http://www.caine-live.net/
• Knoppix
– http://www.knoppix-std.org/download.html
• F.I.R.E.
– http://fire.dmzs.com/
• Penguin Sleuth
– http://www.linux-forensics.com/
• DeftLinux
– http://www.deftlinux.net/
Live CDs for Data Acquisition
• Live CDs
– Advantages,
• Have a number of tools in one distribution
• Configured by default to mount as read-only any
connected storage media
• Can then access and examine media connected
to suspect machine
– We will be exploring Live CDs in more detail
later
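The risk raised on the previous two slides, that a newer distribution auto-mounts a connected drive read-write, is something you can check before touching the media. The script below is an added example, not code from the lecture or the book it follows: it scans a mounts table in /proc/mounts format for any read-write mount of the suspect device or one of its partitions. SAMPLE_MOUNTS is a constructed table and /dev/sdb is an assumed device name; on a live Linux system the second function reads the real /proc/mounts.

```shell
#!/bin/sh
# Added example, not from the lecture: before imaging from a Linux system,
# confirm that nothing has auto-mounted the suspect device read-write.
# SAMPLE_MOUNTS is a constructed /proc/mounts-style table and /dev/sdb an
# assumed device name, used only so the check runs offline.
set -u

SAMPLE_MOUNTS='/dev/sda1 / ext4 rw,relatime 0 0
/dev/sdb1 /media/evidence vfat rw,nosuid,nodev 0 0
/dev/sdb2 /mnt/ro ext3 ro,noatime 0 0
tmpfs /run tmpfs rw,nosuid 0 0'

# Print every read-write mount of DEVICE or one of its partitions
# (/dev/sdb, /dev/sdb1 and /dev/nvme0n1p2 style names all match).
# Returns 0 when no rw mount exists, 1 when at least one does.
writable_mounts() {      # $1 = mounts table text, $2 = device path
    printf '%s\n' "$1" | awk -v dev="$2" '
        $1 == dev || $1 ~ ("^" dev "p?[0-9]+$") {
            n = split($4, opts, ",")
            for (i = 1; i <= n; i++)
                if (opts[i] == "rw") { print $1 " mounted rw at " $2; bad = 1 }
        }
        END { exit bad ? 1 : 0 }'
}

# Same check against the kernel's live table; only meaningful on Linux.
writable_mounts_live() { # $1 = device path
    [ -r /proc/mounts ] || { echo "no /proc/mounts on this system" >&2; return 2; }
    writable_mounts "$(cat /proc/mounts)" "$1"
}

# Demo against the constructed table: /dev/sdb1 is mounted rw, so this warns.
if writable_mounts "$SAMPLE_MOUNTS" /dev/sdb; then
    echo "/dev/sdb: no writable mounts, safe to proceed to imaging"
else
    echo "/dev/sdb: writable mount found, unmount before acquisition"
fi
```

If the check reports a writable mount, unmount it and make the device read-only at the block layer (util-linux `blockdev --setro`) or, better, put a hardware write blocker in front of it before any acquisition; the check only tells you the current state, it does not protect the drive.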
Validating Data Acquisitions
• Anything you can do to validate evidence to
prove it wasn't compromised
• Typically, accepted technique – data hash
• Linux
– Two hash utilities, md5sum and sha1sum
– Take hash of original drive – save it
– Take hash of copied image file – save it
– Compare it – Does it match?
Validating Data Acquisitions
• Windows
– Sigh ... No built-in hash utilities
– Third party hex editors
• Xways WinHex http://www.x-ways.net/winhex/index-m.html
• Breakpoint Software Hex Workshop
http://www.bpsoft.com/
• Produce hashes of files
– Commercial Tools
• Uses built-in hash capabilities
• ProDiscover .eve file – stores metadata with file
– Date, time and hash value of original media
– Each time you load image ProDiscover checks hash value
– Ensures it matches saved hash of original media
Protocol of Images
• Strongly Recommended
– Make 2 copies of your media
– Why?
– Stuff happens to images
– Don't want to be caught without another image
– Destroy your case – lose evidence, no more
case
Linux dd Command
• dd
– Oldest imaging tool still used
– Although it is functional and requires only
minimal resources to run, it lacks some useful
features found in more modern imagers
• Metadata gathering
• Error correction
• Piecewise hashing
• User-friendly interface
– Ported to Linux, Mac and Windows
Newer Version of dd
• dcfldd is an enhanced version of dd developed by the U.S.
Department of Defense Computer Forensics Lab
– Useful features for forensic investigators such as:
• On-the-fly hashing of the transmitted data
• Progress bar showing how much data has already been sent
• Verification that the image is identical to the original drive, bit-for-bit
• Output can be split into multiple files
• Logs and data can be piped into external applications
Example Using dd
• Example: Preserve Image of Floppy
md5sum /dev/fd0 > /tmp/original-md5 Why?
Use the dd command
dd if=/dev/fd0 of=/tmp/disk.img bs=1k
What should I do next?
md5sum /tmp/disk.img > /tmp/img-md5
cat /tmp/*md5
Am I finished here?
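The floppy walk-through above, carried through end to end as an added example (not the lecture's own script, nor anything from the book it follows): hash the original first, image it with dd, hash the image, compare the two digests, and record per-window digests, the piecewise hashing that the dcfldd slide lists as missing from plain dd. It also answers the slide's three questions in code: the first hash is the reference every later copy is checked against, the next step is hashing the image, and you are finished only when the two digests match. Assumption: the "device" is a regular file standing in for /dev/fd0 so the script runs without hardware or root; on real media substitute the block device path.

```shell
#!/bin/sh
# Added example, not from the lecture: static acquisition of a "floppy" with
# dd, validated by hashing the source before imaging and the image after.
# Assumption: the device is a regular file in place of /dev/fd0, so this runs
# without hardware or root; the same commands apply to a block device path.
set -u

# Constructed sample device: exactly 64 KiB of repeating text, a whole number
# of 1 KiB blocks (that matters for conv=sync below).
make_sample_device() {   # $1 = path to create
    yes 'constructed suspect floppy sector data' 2>/dev/null | head -c 65536 > "$1"
}

# Why hash the original before imaging? The digest is the reference value
# every later copy is checked against, and it documents the source state.
hash_original() {        # $1 = source, $2 = file receiving the digest
    md5sum "$1" | awk '{print $1}' > "$2"
}

# Image the source. The slide uses plain "dd if=... of=... bs=1k"; the added
# conv=noerror,sync keeps going past unreadable blocks and pads them with
# zeros so later sectors stay at the right offset. Caveat: sync pads the last
# block up to bs, so the source size must be a multiple of bs for the digests
# to match (true of real sector-aligned media). dd's own counts go to a log.
acquire_image() {        # $1 = source, $2 = image file
    dd if="$1" of="$2" bs=1k conv=noerror,sync 2>"$2.log"
}

# Hash the image and compare with the saved original digest.
# Returns 0 when they match, 1 otherwise (the "am I finished?" check).
verify_image() {         # $1 = image, $2 = file holding the original digest
    img=$(md5sum "$1" | awk '{print $1}')
    orig=$(cat "$2")
    [ "$img" = "$orig" ]
}

# Piecewise hashing: one digest per window of $2 KiB, written to $3 as
# "<index> <digest>" lines; prints the window count. If the whole-image
# digest later fails, the per-window digests show which part changed.
piecewise_hash() {       # $1 = image, $2 = window size in KiB, $3 = output file
    size=$(wc -c < "$1" | tr -d ' ')
    win=$(( $2 * 1024 ))
    n=$(( (size + win - 1) / win ))
    i=0
    : > "$3"
    while [ "$i" -lt "$n" ]; do
        h=$(dd if="$1" bs="$win" skip="$i" count=1 2>/dev/null | md5sum | awk '{print $1}')
        printf '%d %s\n' "$i" "$h" >> "$3"
        i=$(( i + 1 ))
    done
    echo "$n"
}

# Walk-through mirroring the slide's /dev/fd0 example inside a temp directory.
run_demo() {
    work=$(mktemp -d)
    make_sample_device "$work/fd0.bin"
    hash_original "$work/fd0.bin" "$work/original-md5"
    acquire_image "$work/fd0.bin" "$work/disk.img"
    if verify_image "$work/disk.img" "$work/original-md5"; then
        echo "image digest matches original: $(cat "$work/original-md5")"
    else
        echo "DIGEST MISMATCH: do not rely on this image"
    fi
    piecewise_hash "$work/disk.img" 16 "$work/disk.img.md5list" > /dev/null
    cat "$work/disk.img.md5list"
    rm -rf "$work"
}

run_demo
```

Storing only the digest (not md5sum's "digest  filename" line) is what lets the comparison be a string equality instead of the eyeball check that `cat /tmp/*md5` invites. The slide's second copy of the media is still the right answer to "am I finished?": one verified image protects you from a bad copy, two protect you from losing the good one.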
Summary
• Data Acquisition critical part of the forensics
process
• Mess this up, and your evidence is useless
• Need to be very careful to not impact the
data you are trying hard to preserve
• Live CDs, write-blockers – hardware and
software, help preserve integrity
Finish
– Friday – Guest Speaker – Brian Kamp
• Think about good questions you can ask!!!