Selective and Intelligent Imaging Using Digital Evidence Bags

Bit-Stream Imaging
Bit-by-bit copy from the source drive to a forensic image.
Small drives:
• Effective
• Quick
Large drives:
• Resource-consuming
• Time-consuming
(Figure: Source → Image)

Bit-Stream Imaging
May not be the best approach in every case. A more useful imaging method would:
• Specify which information to include
• Sort the relevant data
Keep the process simple, but more effective than plain bit-stream imaging.

Selective Imaging
An improvement on bit-stream imaging: decides what content to include in the image based on some criteria, such as:
• File type (pictures, email logs, etc.)
• Creation date
Used for multiple reasons:
• Large drive
• Infeasible to make a complete image
• Legal requirements

Selective Imaging
There are multiple types of selective imaging, each with a different mode of operation.
Manual:
• The forensic investigator arbitrarily decides what files to include in the image
• A file browser is used to navigate the file system
• The image is created based on the selections
(Figure: File.doc)

Selective Imaging
Semi-Automatic:
• The forensic investigator uses categories of information or other criteria to decide what files to include:
  • File extension
  • Signature
  • Hash
• The imager includes the files satisfying the criteria
(Figure: .DOC .JPG .DOC → Criteria → Image)

Selective Imaging
Automatic:
• The forensic investigator specifies the source drive and the destination target for the image
• The imaging application collects the relevant evidence
• Configuration files decide what information to include
• Configuration files are defined before run time (usually specific to the case)
(Figure: Source Drive + Config → Imager → Image Destination)

Selective Imaging
Imaging options can get very complex, and there is no way of keeping track of where the data came from originally. Data origin includes:
• Physical sector location (data runs)
• Logical cluster location (start of volume + offset)
• Folder location (path from root folder)
(Figure: ? → Data)
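The following is an added example, not code from the slides or from the referenced paper, showing the semi-automatic mode: files are selected by extension, content signature or known hash, and each selected item keeps its origin using the DEB meta-tag names (F, PS, Fls, Hmd5, C) that the later slides define. The sample files, sector numbers, signatures and the "hash of interest" are all constructed for the example; the fourth file carries JPEG content behind a misleading extension to show why signature matching matters.

```python
import hashlib

# Constructed sample file system: (path, physical sector, content).
# Paths, sector numbers and contents are invented for this example.
SAMPLE_FILES = [
    ("/docs/report.doc", 2048, b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 24),
    ("/photos/img1.jpg", 4096, b"\xff\xd8\xff\xe0" + b"\x00" * 28),
    ("/tmp/notes.txt", 8192, b"just some text"),
    ("/tmp/renamed.bin", 9000, b"\xff\xd8\xff\xe0" + b"\x00" * 28),  # JPEG bytes, wrong extension
]

# Semi-automatic criteria: extensions, content signatures (magic bytes) and known hashes.
EXTENSIONS = {"doc", "jpg"}
SIGNATURES = {b"\xff\xd8\xff": "JPEG", b"\xd0\xcf\x11\xe0": "OLE2"}

def md5(data):
    return hashlib.md5(data).hexdigest()

KNOWN_HASHES = {md5(b"just some text")}   # constructed: a hash of interest to the case

def match_reasons(path, data, extensions=EXTENSIONS, signatures=SIGNATURES, hashes=KNOWN_HASHES):
    """Return the list of criteria a file satisfies (empty list means: not imaged)."""
    reasons = []
    ext = path.rsplit(".", 1)[-1].lower() if "." in path else ""
    if ext in extensions:
        reasons.append(f"Ext={ext}")
    for magic, name in signatures.items():
        if data.startswith(magic):
            reasons.append(f"Sig={name}")
    if md5(data) in hashes:
        reasons.append("Hash")
    return reasons

def select_for_imaging(files, **criteria):
    """Semi-automatic selection. Every selected item records its origin (F, PS)
    and, in the command/criterion field C, why it was included."""
    selected = []
    for path, ps, data in files:
        reasons = match_reasons(path, data, **criteria)
        if reasons:
            selected.append({"F": path, "PS": ps, "Fls": len(data),
                             "Hmd5": md5(data), "C": ";".join(reasons)})
    return selected

if __name__ == "__main__":
    for item in select_for_imaging(SAMPLE_FILES):
        print(item)
```

Running the selection with extension criteria only (no signatures, no hashes) drops the renamed JPEG and the text file, which is the gap the slide's combination of extension, signature and hash criteria is meant to close; recording the reason in C is what later lets a reviewer see how the imager decided what to acquire.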
Intelligent Imaging
Another way to improve on bit-stream imaging: capture the knowledge of domain experts for use in an intelligent system, so that nontechnical users can acquire and analyze an image.
• Choose the case type
• The imager acquires the relevant information
• Based on expert knowledge of the case type
(Figure: Intelligent Imager)

Intelligent Imaging
Meant to alert the investigator to information categories outside the initial line of inquiry; not supposed to decide what to capture in the image.
Difficulties:
• How do you get the expert knowledge?
• How do you know nothing is missing?

Imaging Problems
Selective and intelligent imaging offer more options than bit-stream imaging. However, no current (2006) tool implements selective or intelligent imaging while recording the origin of the information, and no method records how an examiner or imager decided what to acquire:
• Manual mode?
• Categories of information?
• Signatures?

DEBs
Selective and intelligent imagers can produce Digital Evidence Bags (DEBs), a universal container for digital information:
• Supports any source drive
• Data origin recorded and maintained
• Encapsulated (DEBs inside DEBs)

DEBs
A homogeneous DEB is produced even if there are:
• Different drive sources
• Different imagers
• Device-specific imagers
Analysis and examination applications would be compatible with DEBs, independent of the drive source.

DEBs
Source drives:
• Drives with information to capture
Selective/Intelligent Imager:
• Imager application
• Acquires the relevant information from the source drives
Category Definition File & Imager Configuration File:
• Additional information for imager decisions
Digital Evidence Bag:
• Produced by the Selective/Intelligent Imager from the source drives
• Contains the captured information

DEBs
Dynamic creation: the imager is able to create a DEB regardless of the mode of operation:
• Manual
• Semi-Automatic
• Automatic
The mode of operation is also recorded in the DEB.

DEBs
DEB components:
• .tag files
• .index files
• .bag files
Evidence Unit (EU):
• .index + .bag files
DEBs
.tag files: a plaintext file with sections.
.tag sections:
• [DEB Header]
• [Evidence Units]
• [DEB Footer]
• [TCB]

DEBs
[DEB Header]
• Contains metadata about the DEB and the Index Format
Metadata:
• Investigator(s)
• Creation timestamp
• Description of evidence
• What evidence was collected
• Where evidence was collected
• When evidence was collected
Index Format:
• Specifies the default content sequence of the DEB .index files
• Defines the layout of information in an .index file
• .index files are defined by meta-tags that store information captured from a device

DEBs
.index file meta-tag categories:
• Labels: file name/path (F), origin description (P), file attributes (Fa), command (C)
• Timestamps: last modified (Tmod), accessed (Tacc), created (Tcrea)
• Numeric: physical sector (PS), logical cluster number (LCN), file logical size (Fls), file physical size (Fps)
• Integrity: MD5 hash (Hmd5), SHA hash (Hsha)
Example Index Format: F LCN PS Fa Tacc Tmod Tcrea Fls Fps Hmd5
DEBs
[Evidence Units]
Records all EUs created in the DEB and their content type.
EU integrity hashes:
• .index file hash
• .bag file hash
Format:
EU = ##
IndexHash = <Hash>
BagHash = <Hash>
ContentType = <Type>

DEBs
[Evidence Units]
The content of the first EU (Evidence Unit 0) is reserved for case notes and metadata about the case:
• Imager used to create the DEB
• Version number
• Integrity hash
• Configuration file
• Capture criteria
• Additional information
  • Photos
  • Text

DEBs
[Evidence Units]
The content of the remaining EUs is defined by the examiner, based on:
• Case requirements
• Configuration of the imager tool

DEBs
[Evidence Units]
Content types:
• ContentType-Sig=<File signatures>
• ContentType-Ext=<File extensions>
• ContentType-Cat=<Category type>
• ContentType-Manual=<label>: manually selected contents
• ContentType-CLI=<label>: contents from the command line

DEBs
[DEB Footer]
Records the number of EUs in the DEB and includes the .tag file integrity hash.

DEBs
[TCB]
Tag continuity blocks (not pictured):
• Appended at the end of the DEB .tag file whenever it is accessed or analyzed
• Record the application function, signature, and timestamp of the access

DEBs
.index files:
• Contain metadata about the information held in the DEB Evidence Unit
• Use meta-tags to organize that metadata

DEBs
.bag files:
• Concatenation of the imager-generated binary information
• Each chunk is referenced by an entry in the corresponding .index file

The Ultimate Test
The ultimate test for any imager and container that does not generate or store standard bit-stream images:
• The imaging method and container must store enough information about the origin of the captured data that, when the information is restored, it is identical to what would have been acquired with bit-stream imaging.
To do this you need an application able to process the DEB .index file physical data locations in ascending order and generate a hash over the .bag contents. This would produce an image with the same contents as a bit-stream image.
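The following is an added example, not code from the slides or from the referenced paper, that ties the DEB layout slides (.tag sections, Evidence Unit hashes, .index meta-tags, .bag concatenation) to the ultimate test. It builds a DEB over a constructed 16-sector drive with EU 0 as case notes, EU 1 as a manual selection and EU 2 as the sectors the examiner did not pick, then restores the drive by reading every .index entry in ascending physical-sector (PS) order and compares the hash of the reassembled .bag contents with the hash of the original drive. The drive contents, file names, sector runs, the key names used in the [DEB Header] and [DEB Footer] (Investigator=, Created=, IndexFormat=, EUCount=, TagHash=) and the reduced Index Format are all assumptions; only the [Evidence Units] record format and the meta-tag names come from the slides.

```python
import hashlib
from datetime import datetime, timezone

SECTOR = 512
VOLUME_START = 2        # constructed: the single volume begins at physical sector 2
# Constructed 16-sector source drive: sector i is filled with byte value i.
DRIVE = b"".join(bytes([i]) * SECTOR for i in range(16))
INDEX_FORMAT = "F PS LCN Fls Fps Hmd5"   # subset of the meta-tags on the slides

def md5(data):
    return hashlib.md5(data).hexdigest()

def read_sectors(ps, count):
    return DRIVE[ps * SECTOR:(ps + count) * SECTOR]

def build_eu(entries):
    """entries: (F, PS, sector count). Returns (.index text, .bag bytes).
    Each .bag chunk is referenced, in order, by one .index line. F must not
    contain spaces because this toy index is whitespace separated."""
    lines, bag = [INDEX_FORMAT], bytearray()
    for f, ps, count in entries:
        data = read_sectors(ps, count)
        lcn = ps - VOLUME_START if ps >= VOLUME_START else "-"   # outside the volume
        lines.append(f"{f} {ps} {lcn} {len(data)} {len(data)} {md5(data)}")
        bag += data
    return "\n".join(lines) + "\n", bytes(bag)

def build_tag(eus, investigator="examiner-01 (constructed)"):
    """eus: list of (ContentType, .index text, .bag bytes). Returns the .tag text."""
    out = ["[DEB Header]", f"Investigator={investigator}",
           f"Created={datetime(2006, 8, 14, tzinfo=timezone.utc).isoformat()}",  # constructed
           f"IndexFormat={INDEX_FORMAT}", "", "[Evidence Units]"]
    for i, (ctype, index, bag) in enumerate(eus):
        out += [f"EU = {i:02d}", f"IndexHash = {md5(index.encode())}",
                f"BagHash = {md5(bag)}", f"ContentType = {ctype}"]
    out += ["", "[DEB Footer]", f"EUCount = {len(eus)}"]
    body = "\n".join(out) + "\n"
    return body + f"TagHash = {md5(body.encode())}\n"   # footer hash covers all of the above

def build_deb():
    """Manual-mode acquisition of two constructed files, plus a CLI-style EU holding
    every sector the examiner did not pick, so the DEB covers the whole drive."""
    notes = b"Imager=deb-demo 0.1 (constructed)\nMode=Manual\n"
    eu0 = ("ContentType-Manual=case-notes",
           f"{INDEX_FORMAT}\ncasenotes.txt - - {len(notes)} {len(notes)} {md5(notes)}\n", notes)
    files = [("/docs/report.doc", 5, 3), ("/photos/img1.jpg", 10, 2)]   # constructed runs
    eu1 = ("ContentType-Manual=examiner-selection",) + build_eu(files)
    taken = {s for _, ps, n in files for s in range(ps, ps + n)}
    residual = [(f"sector{s}", s, 1) for s in range(len(DRIVE) // SECTOR) if s not in taken]
    eu2 = ("ContentType-CLI=residual-sectors",) + build_eu(residual)
    eus = [eu0, eu1, eu2]
    return build_tag(eus), eus

def parse_eu(index_text, bag):
    """Yield (PS, data) for each .index entry, consuming the .bag sequentially and
    checking every chunk against its recorded Hmd5."""
    lines = index_text.splitlines()
    fields, pos = lines[0].split(), 0
    for line in lines[1:]:
        rec = dict(zip(fields, line.split()))
        size = int(rec["Fls"])
        chunk, pos = bag[pos:pos + size], pos + size
        if md5(chunk) != rec["Hmd5"]:
            raise ValueError(f"bag/index mismatch at {rec['F']}")
        yield int(rec["PS"]), chunk

def ultimate_test(eus, drive_hash):
    """Restore the drive from EUs 1..n by ascending physical sector and hash the result.
    Returns (passed, list of sector numbers no EU accounts for)."""
    chunks = sorted(c for _, idx, bag in eus[1:] for c in parse_eu(idx, bag))
    restored, missing, expect = bytearray(), [], 0
    for ps, data in chunks:
        if ps != expect:                       # gap before this entry
            missing.extend(range(expect, ps))
        restored += data
        expect = ps + len(data) // SECTOR
    missing.extend(range(expect, len(DRIVE) // SECTOR))
    return (not missing and md5(bytes(restored)) == drive_hash), missing

if __name__ == "__main__":
    tag, eus = build_deb()
    print(tag)
    print(ultimate_test(eus, md5(DRIVE)))          # (True, [])
    print(ultimate_test(eus[:2], md5(DRIVE)))      # (False, [0, 1, 2, 3, 4, 8, 9, 12, 13, 14, 15])
```

With all three EUs the restored image hashes identically to the drive, which is the property the slide demands. Dropping the residual EU makes the test report exactly which sectors the DEB cannot account for, which is the information a purely selective image without recorded origin could never provide.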
Conclusion
Many options exist for selectively capturing information. The container in which the captured information is stored is also important, in order to ensure:
• Defined structure
• Unhindered examination
We can better understand the selective approach by following the techniques described.

References
• http://www.dfrws.org/2006/proceedings/8-Turner.pdf