r.ludwiniak@napier.ac.uk
Lecture Objectives
1. History and definition of Digital Forensics
2. Context for an investigation
3. An overview of the main theoretical concepts
4. Storage Devices
5. Partitions
Recommended Reading
1. B. Carrier, File System Forensic Analysis, 27 March 2005, Addison-Wesley Professional
2. H. Carvey, Windows Forensic Analysis DVD Toolkit, 11 June 2009, Syngress
3. C. Pogue, Unix and Linux Forensic Analysis DVD Toolkit, 30 June 2008, Syngress
4. M.E. Russinovich and D.A. Solomon, Windows Internals, 5th Edition, 7 January 2009, Microsoft Press (chapter 1 to chapter 3)
5. K.J. Jones, Real Digital Forensics, 3 October 2005, Addison-Wesley Professional
Online Resources
Digital Forensic Research Workshop (DFRWS)
http://www.dfrws.org
- Challenges
- Projects
Forensics Wiki
http://www.forensicswiki.org
DIGITAL FORENSICS
It is impossible for the criminal to act, especially considering the intensity of a crime, without leaving traces of his presence.
- Edmond Locard
Computer Forensics
1984 - Scotland Yard: Computer Crime Unit; FBI computer forensics departments
1990 - Computer Misuse Act (CMA)
Digital Forensics
The use of scientifically derived and proven methods towards the preservation, collection, validation, identification, analysis, interpretation, documentation, and presentation of digital evidence derived from the digital sources for the purpose of facilitation or furthering the reconstruction of events found to be criminal, or helping to anticipate unauthorized actions shown to be disruptive to planned operations. - Digital Forensics Research Workshop
Investigative Context
                      Law Enforcement   Military IW Ops            Business and Industry
Primary Objectives    Prosecution       Continuity of Operations   Continuity of Service
Secondary Objectives  -                 Prosecution                Prosecution
Environment           Post-Mortem       Real-Time/Post-Mortem      Real-Time/Post-Mortem
Digital Investigation
A digital investigation is a process where we develop and test hypotheses that answer questions about digital events. This is done using the scientific method where we develop a hypothesis using evidence that we find and then test the hypothesis by looking for additional evidence that shows the hypothesis is impossible.
Digital Evidence is a digital object that contains reliable information that supports or refutes a hypothesis.
- B. Carrier, File System Forensic Analysis, 2006
Live investigation
Occurs when the machine is running
Volatile Investigations
- Has impact on device under investigation
- Not repeatable
- Does not fit in with classic forensic investigative models
- OS must be trusted
- New questions cannot be asked later
Investigation Process
Acquisition
- Preservation
- Collection
- Verification
Analysis
- Search for evidence
- Hypothesis creation
- Confirm or refute hypothesis with evidence
Presentation
- Report the findings of the investigation
- Objective manner
Characteristics of Evidence
1. Data can be viewed at different levels of abstraction
2. Data requires interpretation
3. Data is fragile
4. Data is voluminous
5. Data is difficult to associate with reality
Best Practice
ACPO
Principle 1: No action taken by law enforcement or their agents should change data held on an electronic device or media which may subsequently be relied upon in Court.
Principle 2: In exceptional circumstances where a person finds it necessary to access original data held on an electronic device or media, that person must be competent to do so, and be able to give evidence explaining the relevance and the implications of their actions.
Best Practice
ACPO
Principle 3: An audit trail or other record of all processes applied to computer based electronic evidence should be created and preserved. An independent third party should be able to examine those processes and achieve the same result.
Best Practice
ACPO
Principle 4: The person in charge of the investigation (the case officer) has overall responsibility for ensuring that the law and these principles are adhered to.
Tools
1st Generation
Command Line, Task oriented, Act on original data
2nd Generation
GUI interface, capable of making copies, multifunctional
3rd Generation
Work on distributed systems and live systems Live ?
Tool Characteristics
- Verifiable: Can it be shown to behave within certain bounds of behaviour?
- Reproducibility: Can a tool produce results which are reproducible?
- Non-interference: Are the results obtained with a tool that has open source code, and thus does not contain obfuscated code?
- Usability: Can the tool help the investigator review and make decisions about the layer of abstraction being viewed?
- Comprehensive: Can the tool allow the investigator to access the data output of the tool at any given level of abstraction?
Future
Research Challenges facing the investigation community
S.L. Garfinkel, Digital forensics research: The next 10 years, Digital Investigation, vol. 1, no. 7, pp. 64-73, 2010
The coming Digital Forensics Crisis
Challenges
- Size of storage devices
- Embedded flash devices
- Proliferation of operating systems and file formats
- Multi-device analysis
- Pervasive encryption
- Cloud computing
- RAM-only malware
- Legal challenges decreasing the scope of forensic investigations
Required Reading
- D. Byers, N. Shahmehri, Contagious errors: Understanding and avoiding issues with imaging drives containing faulty sectors, Digital Investigation, no. 5, pp. 29-33, 2008
- A. Jones, C. Meyler, What evidence is left after disk cleaners?, Digital Investigation, no. 1, pp. 183-188, 2004
- B.J. Nikkel, Forensic analysis of GPT disks and GUID partition tables, Digital Investigation, no. 6, pp. 39-47, 2009
Required Reading
- M. Belford, Methods of discovery and exploration of Host Protected Areas on IDE storage devices that conform to ATAPI-5, Digital Investigation, no. 2, pp. 268-275, 2006
- K. MacDonald, To image a Macintosh, Digital Investigation, no. 2, pp. 175-179, 2006
- J.R. Lyle, A strategy for testing hardware write block devices, Digital Investigation, no. 3, pp. 3-9, 2006
Storage Media
- Hard disks, floppy disks, thumb drives etc.
- Hard disks are the richest in digital evidence
- Integrated Drive Electronics (IDE) or Advanced Technology Attachment (ATA)
- Higher performance SCSI drives
- FireWire is an adaptation of the SCSI standards that provides high speed access to a chain of devices
- All hard drives contain platters made of light, rigid material such as aluminium, ceramic or glass
Hard Disks
(Diagram of a hard disk, labelled: Actuator Arm, Spindle, Platters, Head)
Storage
- Cylinders are the data tracks that the data is recorded on
- Each track/cylinder is divided into sectors that contain 512 bytes (512*8 bits) of information
- The location of data can be determined by which cylinder it is on, which head can access it and which sector contains it: CHS addressing
- Capacity of a hard drive = number of C * H * S * 512
(Diagram: Sector (512 bytes))
Storage Characteristics
Volatility
- Non-Volatile
- Volatile
Mutability
- Read/Write
- Read Only
- Slow Write, Fast Read Storage
Accessibility
- Random Access
- Sequential Access
Addressability
- Location
- File Content
CHS Values
- 16-bit Cylinder value (C)
- 4-bit Head value (H)
- 8-bit Sector value (S)
Old BIOS:
- 10-bit C
- 8-bit H
- 6-bit S
- Limited to 528MB disk
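The 528MB figure on the slide comes from combining the two sets of field widths: a disk had to be addressable both by the ATA interface and by the BIOS, so each dimension is capped at the smaller of the two bounds. The following added example (not from the lecture slides) carries the arithmetic through with the slide's widths and also shows the CHS-to-LBA conversion that the later "Sector Addressing" material relies on. The geometry values passed to the conversion functions are constructed sample values; the treatment of the BIOS sector field as 1-based (63 usable sectors from a 6-bit field) is standard and is stated in the comments.

```python
SECTOR_BYTES = 512


def capacity_bytes(cylinders, heads, sectors):
    """Capacity of a CHS-addressed drive: C * H * S * 512 (as on the slide)."""
    return cylinders * heads * sectors * SECTOR_BYTES


def chs_to_lba(c, h, s, heads, sectors_per_track):
    """Convert a CHS triple to a linear block address for the given geometry.
    Cylinders and heads count from 0; sectors within a track count from 1."""
    if not (0 <= h < heads and 1 <= s <= sectors_per_track):
        raise ValueError("CHS value lies outside the drive geometry")
    return (c * heads + h) * sectors_per_track + (s - 1)


def lba_to_chs(lba, heads, sectors_per_track):
    """Inverse of chs_to_lba for the same geometry."""
    c, rem = divmod(lba, heads * sectors_per_track)
    h, s = divmod(rem, sectors_per_track)
    return c, h, s + 1


# Field widths exactly as the slide gives them.
ATA_BITS = {"c": 16, "h": 4, "s": 8}
OLD_BIOS_BITS = {"c": 10, "h": 8, "s": 6}


def usable_values(bits, one_based):
    """Number of distinct values a field can address. A 1-based sector field
    of n bits addresses 2**n - 1 sectors because 0 is not a valid sector."""
    return 2 ** bits - (1 if one_based else 0)


def geometry_from_bits(bits, sector_is_one_based):
    return (usable_values(bits["c"], False),
            usable_values(bits["h"], False),
            usable_values(bits["s"], sector_is_one_based))


def combined_limit_bytes():
    """A disk visible through both ATA and the old BIOS takes, per dimension,
    the smaller bound: 1024 cylinders, 16 heads, 63 sectors."""
    ata = geometry_from_bits(ATA_BITS, False)
    bios = geometry_from_bits(OLD_BIOS_BITS, True)
    c, h, s = (min(a, b) for a, b in zip(ata, bios))
    return capacity_bytes(c, h, s)


if __name__ == "__main__":
    print("combined ATA/BIOS limit:", combined_limit_bytes(), "bytes")  # 528482304
    print("LBA of C=1,H=0,S=1 on a 16x63 geometry:", chs_to_lba(1, 0, 1, 16, 63))
```

Running it reports 528,482,304 bytes (about 528 MB in decimal units, 504 MiB), which is the "528MB" limit the slide quotes. The old BIOS widths alone would allow about 8.4 GB, and the ATA widths alone about 137 GB; it is the intersection of the two that gives the small number.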
Storage Volume
(Diagram: a storage volume divided into Partition 1 and Partition 2; repeated to show that each partition is itself a volume)
Volume vs Partition
Volume
A selection of addressable sectors that can be used by an OS or application. These sectors do not have to be consecutive
Partition
A selection of addressable sectors that are consecutive. By definition, a partition is a volume
Partition Analysis
A partition organises the layout of a volume.
Sector Addressing
- Physical address (LBA or CHS)
- Logical disk volume address
- Logical partition volume address
Sector Addressing
Partition Analysis
Analyse Partition Tables
- Process them to identify the layout
- Can then be used to process each partition accordingly
- Determine the type of data inside the partition
- Perform a sanity check to ensure that the partition table is telling the truth; this is important when imaging
Sanity Check
DOS Partitions
- Most commonly found with i386/x86 systems
- No standard reference
- Master Boot Record in first sector (first 512 bytes): boot code, partition table, signature value
Partition Table
- Starting CHS address
- Ending CHS address
- Starting LBA address
- Number of sectors in partition
- Type of partition
- Flags
Limitation
2 Terabyte Disk Partition Limitation
MBR Partition size field is 32 bits
Extended Partitions
- Limitation of 4 primary partitions
- Creation of 3 primary partitions and 1 primary extended partition
- The primary extended partition uses a similar MBR layout in order to create a linked list of records, showing where each new extended partition exists in relation to the start of the last
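To make the partition-table material concrete, here is an added example (not code from the lecture or from any tool it names) that builds a small constructed DOS disk image in memory, parses the six fields of each MBR entry listed above, walks the extended-partition chain, and runs the kind of sanity check the "Partition Analysis" slides call for. The disk contents, sector counts and partition types are constructed sample values. The chain rule it applies is the standard one: in each extended boot record, entry 0 is relative to that record's own sector and entry 1 (the link to the next record) is relative to the start of the primary extended partition. The 32-bit sector-count field also explains the 2 terabyte limit directly: 2**32 sectors of 512 bytes.

```python
import struct

SECTOR = 512
EXTENDED_TYPES = {0x05, 0x0F}      # DOS extended, Win95 extended (LBA)
MBR_MAX_SECTORS = 2 ** 32          # 32-bit "number of sectors" field
MBR_MAX_BYTES = MBR_MAX_SECTORS * SECTOR   # 2 TiB, the slide's 2 terabyte limit


def pack_chs(cylinder, head, sector):
    """MBR CHS encoding: head byte, sector (6 bits) with the top two cylinder bits,
    then the low eight cylinder bits."""
    return bytes([head, (sector & 0x3F) | ((cylinder >> 2) & 0xC0), cylinder & 0xFF])


def unpack_chs(raw):
    return (((raw[1] & 0xC0) << 2) | raw[2], raw[0], raw[1] & 0x3F)


def pack_entry(flags, chs_start, ptype, chs_end, lba_start, num_sectors):
    """One 16-byte partition table entry: flags, start CHS, type, end CHS, LBA, count."""
    return struct.pack("<B3sB3sII", flags, chs_start, ptype, chs_end, lba_start, num_sectors)


def build_sector(entries):
    """446 bytes of (empty) boot code, four 16-byte entries, 0x55AA signature."""
    return b"\x00" * 446 + b"".join(entries).ljust(64, b"\x00") + b"\x55\xaa"


def parse_table(sector):
    """Decode the four entries of an MBR/EBR sector; refuse sectors without the signature."""
    if len(sector) != SECTOR or sector[510:512] != b"\x55\xaa":
        raise ValueError("missing 0x55AA signature: not a DOS partition sector")
    entries = []
    for i in range(4):
        flags, cs, ptype, ce, lba, n = struct.unpack_from("<B3sB3sII", sector, 446 + 16 * i)
        entries.append({"flags": flags, "type": ptype, "chs_start": unpack_chs(cs),
                        "chs_end": unpack_chs(ce), "lba_start": lba, "sectors": n})
    return entries


def list_partitions(read_sector):
    """Return (kind, type, absolute start LBA, sectors) for every partition.
    read_sector(lba) must return the 512 bytes at that address."""
    found = []
    for e in parse_table(read_sector(0)):
        if e["type"] == 0:
            continue
        if e["type"] not in EXTENDED_TYPES:
            found.append(("primary", e["type"], e["lba_start"], e["sectors"]))
            continue
        ext_start = ebr = e["lba_start"]
        seen = set()
        while ebr not in seen:             # a looped chain would otherwise never end
            seen.add(ebr)
            logical, link = parse_table(read_sector(ebr))[:2]
            if logical["type"]:            # entry 0: relative to this EBR's own sector
                found.append(("logical", logical["type"],
                              ebr + logical["lba_start"], logical["sectors"]))
            if link["type"] not in EXTENDED_TYPES:
                break
            ebr = ext_start + link["lba_start"]   # entry 1: relative to the extended start
    return found


def sanity_check(partitions, disk_sectors):
    """Does the table agree with the disk size and with itself? Returns problem strings."""
    problems = []
    for kind, ptype, start, n in partitions:
        if start + n > disk_sectors:
            problems.append(f"{kind} type 0x{ptype:02x} at LBA {start} runs past end of disk")
    spans = sorted((s, s + n) for _, _, s, n in partitions)
    for (_, a_end), (b_start, _) in zip(spans, spans[1:]):
        if b_start < a_end:
            problems.append(f"partitions overlap at LBA {b_start}")
    return problems


def build_sample_disk():
    """Constructed image: one primary, then an extended partition holding two logicals."""
    ext = 4096
    image = {
        0: build_sector([
            pack_entry(0x80, pack_chs(0, 32, 33), 0x83, pack_chs(0, 63, 63), 2048, 2048),
            pack_entry(0x00, pack_chs(1, 0, 1), 0x05, pack_chs(2, 63, 63), ext, 4096)]),
        ext: build_sector([
            pack_entry(0, pack_chs(0, 1, 1), 0x83, pack_chs(0, 1, 1), 63, 1000),
            pack_entry(0, pack_chs(0, 1, 1), 0x05, pack_chs(0, 1, 1), 2048, 2048)]),
        ext + 2048: build_sector([
            pack_entry(0, pack_chs(0, 1, 1), 0x83, pack_chs(0, 1, 1), 63, 1000)]),
    }
    return (lambda lba: image.get(lba, b"\x00" * SECTOR)), 8192   # reader, disk size


if __name__ == "__main__":
    reader, size = build_sample_disk()
    parts = list_partitions(reader)
    for p in parts:
        print(p)
    print("sanity problems:", sanity_check(parts, size) or "none")
```

The same check catches the situation the slides warn about when imaging: if the image turns out to be shorter than the table claims (try a disk size of 7000 sectors against the sample), the last logical partition is reported as running past the end of the disk, which is exactly the disagreement an examiner needs to notice before trusting the table.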
ANY QUESTIONS?