190 likes | 268 Views
Data Forensics. Damien Leake. Definition. To examine digital media to identify and analyze information so that it can be used as evidence in court cases Involves many data recovery techniques Process of salvaging data from damaged, failed, corrupted, or inaccessible secondary storage media
E N D
Data Forensics Damien Leake
Definition • To examine digital media to identify and analyze information so that it can be used as evidence in court cases • Involves many data recovery techniques • Process of salvaging data from damaged, failed, corrupted, or inaccessible secondary storage media • Hard drives, USB flash drives, DVDs • Recovery may be required due to physical damage or logical damage to file system • Digital evidence has to be authentic, reliably obtained, and admissible
Common Scenarios for Data Recovery • Operating system failure • Use LiveCD to copy all files to another disk • Can be avoided by proper disk partitioning • Disk-level failure • Compromised file system or disk partition • Repair file system, partition table, master boot record • Hard disk recovery – one time recovery • Recovering deleted files • Often data is not removed, only the references to them in the file table
Data Reduction During Acquisition • Ever larger hard drives make collecting data very time-consuming • Data analysis can also take much longer if there are large amounts of data • Known files • Operating system and application files can often be disregarded when looking for documents • File types • Many file types can usually be ignored
Live Acquisition • Debate: pull the plug or not when finding suspect’s computers • For: minimizes disturbance to stored data • Against: Critical data may be in RAM • With full disk encryption, files are decrypted on the fly, with the decryption key stored in RAM • Open ports, active processes • Fully volatile OS: Knoppix • Unsaved documents
Examining RAM • Evidence cannot be recorded on a target machine without changing the state • Logs, temp files, network connections opened/closed • Critical data may be overwritten • Analysis utilities may need to be loaded onto target system • Usually, ram data is sent to another machine over a network connection • These problems may be avoided if the target machine was running on a Virtual Machine
Virtual Introspection • Process by which the state of a VM is observed from the Virtual Machine Manager or another VM on the system • No current production tool, but research shows promise • Can allow live system analysis of a VM • May be possible for it to be undetected by target system • Experienced cyber criminals may have safeguards that remove critical data from RAM upon breach detection
Virtual Introspection for Xen • Xen is an open source Virtual Machine Manager • Not as robust as some competitors • Open source means that researchers can modify the VMM should that become necessary • VIX is a suite of tools currently being developed for Xen • Provides API for getting data from different VMs • Pauses target machine, acquires data, un-pauses machine • Ensures machine state is not modified
Future Work • Support for multiple OS • Currently, Linux 2.6 kernel is supported by VIX • Need Windows and Mac OS support for widespread significance • Analysis of the extent to which VI can be detected by the target VM • Timing analysis, page fault monitoring • Application of these techniques to VMware and other popular VM platforms
Database Forensics • Standard forensics tools tend to be too time consuming to run on large databases • Database tools to search logs are quicker • Can return a lot of useful information • But they may alter the database in ways that complicate the admissibility of the content in court • New field of study with little literature
Mobile Device Forensics • State of device at time of acquisition • Password locks • Remote data deletion • Variety of operating systems • Hard to build tools considered industry standard
FTK Mobile Phone Examiner • Most commonly used tool in US • Simple data acquisition • Cable. Infrared, Bluetooth • Does not alter any data on device • Integration with Forensic Toolkit • Perform analysis on multiple phones at once • Reports are automatically court-usable
Oxygen Forensic Suite • Popular tool with European law enforcement agencies • Extracts all possible information • Phone/SIM card data • Contact list, caller groups, speed dials • All calls sent/received/missed • SMS, calendar events, text notes • Can tap into LifeBlog and geotagging in Nokia Symbian OS phones
EnCase Neutrino • Extension of company’s PC forensic software • Claims to have the only extensively tested signal blocking technology • Data acquisition starts with SIM card first, then searches the phone itself • Easily returns device serial number, cell tower location, and manufacturer information
Anti-Forensics • Avoid detection of events • Disrupt collection of information • Increase time spent on case
Attacking Data • Data wiping • Overwrite erased disk space with random data • Many commercial tools do not do this properly and leave some of the original data • Data hiding • Encryption • Using anonymous web storage • Steganography • Embedding data into another digital form (images, videos) • Data corruption • Aims to stop the acquisition of evidentiary data
Attacking Forensics Tools • Aims to make examination results unreliable in court • Manipulate essential information • Hashes • Timestamps • File signatures • Compression bomb • Compress data hundreds of times • Causes analyzing computer to crash trying to decompress it
Attack the Investigator • Exhaust investigator’s time and resources • Leave large amounts of useless data on hard drives • Cases that take too long are more likely to be dropped
Summary • Data forensics attempts to capture and analyze data for use in court proceedings • Techniques involve traditional data recovery along with live acquisition of volatile data • Relatively new field, with more research needed for databases, mobile devices, and virtual machines • Analysis techniques will need to evolve as cyber criminals develop more sophisticated ways to hide their actions