
Selective and Intelligent Imaging






Presentation Transcript


  1. Selective and Intelligent Imaging Using Digital Evidence Bags

  2. Bit-Stream imaging
  Bit-by-bit copy from the source drive to a forensic image
  Small drives
  • Effective
  • Quick
  Large drives
  • Resource-consuming
  • Time-consuming
  (Diagram: Source → Image)

  3. Bit-Stream imaging
  May not be the best approach in every case
  A more useful imaging method would:
  • Let the examiner specify which information to include
  • Sort out the relevant data
  Keep the process simple, but more effective than plain bit-stream imaging

  4. Selective Imaging
  An improvement on bit-stream imaging
  Decides what content to include in the image based on some criteria
  • File type (pictures, email logs, etc.)
  • Creation date
  Used for several reasons
  • Large drive
  • Infeasible to make a complete image
  • Legal requirements (only part of the data may be acquired)

  5. Selective Imaging
  Several types of selective imaging, each with its own mode of operation
  Manual
  • The forensic investigator decides, at their own discretion, which files to include in the image
  • A file browser is used to navigate the file system
  • The image is created from the selections
  (Diagram: File.doc selected in a file browser)

  6. Selective Imaging
  Semi-Automatic
  • The forensic investigator chooses categories of information or other criteria to decide which files to include
    • File extension
    • Signature (the magic bytes at the start of the file)
    • Hash (match against a set of known-file hashes)
  • The imager includes every file satisfying the criteria
  (Diagram: .DOC .JPG .DOC → Criteria → Image)

  7. Selective Imaging
  Automatic
  • The forensic investigator specifies only the source drive and the destination target for the image
  • The imaging application collects the relevant evidence itself
  • Configuration files decide what information to include
  • Configuration files are defined before run time (usually specific to the case)
  (Diagram: Source Drive + Config. → Imager → Image Destination)
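The semi-automatic mode of slide 6 is easy to show in code. The script below is an added example, not code from the slides or from Turner's imager; the sample files, signatures and criteria are constructed for the demonstration. It applies the three criteria the slide names (extension, signature, hash) to an in-memory set of files and, for each selected file, keeps a record of which criterion matched, which is exactly the "how was this decided" information that slide 11 says current tools throw away.

```python
import hashlib
import posixpath

# Constructed sample "files" from a hypothetical source drive (path -> contents).
# Invented for this example; not taken from any real case or disk.
SAMPLE_FILES = {
    "/Users/alice/report.doc": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 24,  # OLE2 header
    "/Users/alice/photo.jpg":  b"\xff\xd8\xff\xe0JFIF" + b"\x00" * 16,              # JPEG/JFIF
    "/Users/alice/notes.txt":  b"meeting at noon\n",
    "/Users/alice/hidden.dat": b"\xff\xd8\xff\xe0" + b"\x00" * 16,   # JPEG bytes under a bland extension
    "/Windows/System32/kernel32.dll": b"MZ" + b"\x00" * 30,           # PE header
}

# File signatures (magic bytes) for the "Signature" criterion (a short, constructed table).
SIGNATURES = {
    "jpg": b"\xff\xd8\xff",
    "doc": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1",
    "exe": b"MZ",
}

def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()

def select_files(files, criteria):
    """Semi-automatic selection. `criteria` may carry three keys:
         "ext":  iterable of lower-case extensions to include
         "sig":  iterable of SIGNATURES names to include
         "hash": set of SHA-256 hex digests of known files to include
    Returns {path: [reason, ...]} for every file matching at least one criterion.
    The reason list records *why* a file was acquired, so it can be written
    into the evidence container alongside the data."""
    selected = {}
    for path, data in files.items():
        reasons = []
        ext = posixpath.splitext(path)[1].lstrip(".").lower()
        if ext in criteria.get("ext", ()):
            reasons.append("ext:" + ext)
        for name in criteria.get("sig", ()):
            if data.startswith(SIGNATURES[name]):
                reasons.append("sig:" + name)
        if sha256_hex(data) in criteria.get("hash", ()):
            reasons.append("hash:sha256")
        if reasons:
            selected[path] = reasons
    return selected

# A constructed case criteria set: documents and pictures by extension, anything that
# *looks* like a JPEG by signature, plus one specific known file by hash.
CASE_CRITERIA = {
    "ext": ["doc", "jpg"],
    "sig": ["jpg"],
    "hash": {sha256_hex(SAMPLE_FILES["/Users/alice/notes.txt"])},
}

def run_example():
    return select_files(SAMPLE_FILES, CASE_CRITERIA)

if __name__ == "__main__":
    for path, reasons in sorted(run_example().items()):
        print(path, "<-", ", ".join(reasons))
```

Note that `hidden.dat` is picked up only by its signature and `notes.txt` only by its hash; an extension-only selection would have missed both, which is why a semi-automatic imager should evaluate every configured criterion rather than stop at the first match.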

  8. Selective Imaging
  Imaging options can get very complex
  Existing tools give no way of keeping track of where the data came from originally
  Data origin includes:
  • Physical sector location (data runs)
  • Logical cluster location (start of volume + offset)
  • Folder location (path from the root folder)
  (Diagram: ? → Data)

  9. Intelligent Imaging
  Another way to improve on bit-stream imaging
  Capture the knowledge of domain experts for use in an intelligent system
  Nontechnical users can then acquire and analyze an image
  • Choose the case type
  • The imager acquires the relevant information
  • Based on expert knowledge of that case type
  (Diagram: Intelligent Imager)

  10. Intelligent Imaging
  Meant to alert the investigator to categories of information outside the initial line of inquiry
  Not supposed to decide on its own what to capture in the image
  Difficulties:
  • How do you get the expert knowledge?
  • How do you know nothing is missing?

  11. Imaging Problems
  Selective and intelligent imaging offer more options than bit-stream imaging
  However, no current (2006) tool implements selective or intelligent imaging while also recording the origin of the information
  No method records how the examiner or imager decided what to acquire
  • Manual selection?
  • Categories of information?
  • Signatures?

  12. DEBs
  Selective and intelligent imagers can produce Digital Evidence Bags (DEBs)
  A universal container for digital information
  • Supports any source drive
  • Data origin is recorded and maintained
  • Encapsulation (DEBs inside DEBs)

  13. DEBs
  A homogeneous DEB is produced even with:
  • Different source drives
  • Different imagers
  • Device-specific imagers
  Analysis and examination applications would be compatible with DEBs independent of the source drive

  14. DEBs
  (Diagram: Source drives → Selective/Intelligent Imager, driven by a Category Definition File and an Imager Configuration File → Digital Evidence Bag; the components are described on slides 15 to 18)

  15. DEBs
  Source drives
  • Drives holding the information to capture

  16. DEBs
  Selective/Intelligent Imager
  • The imager application
  • Acquires the relevant information from the source drives

  17. DEBs
  Category Definition File & Imager Configuration File
  • Additional information the imager uses to make its decisions

  18. DEBs
  Digital Evidence Bag
  • Produced by the Selective/Intelligent Imager from the source drives
  • Contains the captured information

  19. DEBs
  Dynamic creation
  The imager is able to create a DEB regardless of its mode of operation
  • Manual
  • Semi-Automatic
  • Automatic
  The mode of operation is also recorded in the DEB

  20. DEBs
  DEB components:
  • .tag files
  • .index files
  • .bag files
  Evidence Unit (EU):
  • one .index file + its .bag file

  21. DEBs
  .tag files
  Plaintext file with sections
  .tag sections:
  • [DEB Header]
  • [Evidence Units]
  • [DEB Footer]
  • [TCB]

  22. DEBs
  [DEB Header]
  • Contains metadata about the DEB and the Index Format

  23. DEBs
  [DEB Header] metadata:
  • Investigator(s)
  • Creation timestamp
  • Description of the evidence
  • What evidence was collected
  • Where the evidence was collected
  • When the evidence was collected

  24. DEBs
  [DEB Header]
  • The Index Format specifies the default content sequence of the DEB's .index files
  • It defines the layout of the information in an .index file
  • .index files consist of meta-tags that store information captured from a device

  25. DEBs
  .index file meta-tag categories:
  • Labels
    • File name/path (F), origin description (P), file attributes (Fa), command (C)
  • Timestamps
    • Last modified (Tmod), accessed (Tacc), created (Tcrea)
  • Numeric
    • Physical sector (PS), logical cluster number (LCN), file logical size (Fls), file physical size (Fps)
  • Integrity
    • MD5 hash (Hmd5), SHA hash (Hsha)
  Example Index Format: F LCN PS Fa Tacc Tmod Tcrea Fls Fps Hmd5

  26. DEBs
  [Evidence Units]
  Records every EU created in the DEB and its content type
  EU integrity hashes:
  • .index file hash
  • .bag file hash
  Format:
  EU = ##
  IndexHash = <Hash>
  BagHash = <Hash>
  ContentType = <Type>

  27. DEBs
  [Evidence Units]
  The first EU (Evidence Unit 0) is reserved for case notes and metadata about the case:
  • Imager used to create the DEB
  • Version number
  • Integrity hash
  • Configuration file
  • Capture criteria
  • Additional information
    • Photos
    • Text

  28. DEBs
  [Evidence Units]
  The contents of the remaining EUs are defined by the examiner, based on:
  • Case requirements
  • Configuration of the imager tool

  29. DEBs
  [Evidence Units]
  Content types:
  • ContentType-Sig=<File signatures>
  • ContentType-Ext=<File extensions>
  • ContentType-Cat=<Category type>
  • ContentType-Manual=<label>
    • Manually selected contents
  • ContentType-CLI=<label>
    • Contents captured from the command line

  30. DEBs
  [DEB Footer]
  Records the number of EUs in the DEB and includes the .tag file integrity hash

  31. DEBs
  [TCB]
  Tag Continuity Blocks (not pictured)
  • Appended to the end of the DEB .tag file whenever the DEB is accessed or analyzed
  • Record the application function, its signature, and the timestamp of the access

  32. DEBs
  .index files
  • Contain metadata about the information held in the DEB's Evidence Unit
  • Use meta-tags to organize that metadata

  33. DEBs
  .bag files
  Concatenation of the imager-generated binary information
  • Each block of data is referenced by an entry in the corresponding .index file

  34. DEBs

  35. The Ultimate Test
  The ultimate test for any imager and container that does not generate or store a standard bit-stream image:
  • The imaging method and container must store enough information about the origin of the captured data that, when the information is restored, the result is identical to what would have been acquired by bit-stream imaging
  To do this you need an application that can process the DEB .index file entries in ascending order of physical data location, and generate a hash over the .bag contents as it goes
  This would produce an image with the same contents as a bit-stream image
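The container slides (20 to 33) and the restore check on slide 35 fit together in one small program. What follows is an added example, not code from the slides or from Turner's DEB implementation: it builds a toy DEB in Python from a constructed 256-byte "drive" (16 sectors of 16 bytes, volume starting at sector 2) and then runs the slide 35 test. Everything beyond the slides is an assumption for the demo: the tab-separated .index serialisation, the `key=value` lines in the .tag sections, a `BagOff` meta-tag giving each entry's offset into the .bag (the slides only say each index entry references its bag data), MD5 for the index and bag hashes, and zero fill for sectors that were never imaged.

```python
import hashlib

# Constructed toy geometry for the example: 16 sectors of 16 bytes (a 256-byte "drive").
SECTOR = 16
N_SECTORS = 16
VOLUME_START = 2                       # LCN = PS - VOLUME_START (slide 8)
INDEX_FORMAT = ["F", "LCN", "PS", "Fls", "Fps", "BagOff", "Hmd5", "Hsha"]   # BagOff is assumed

# Constructed source-drive layout: (path, first physical sector, bytes). Made up for the demo.
LAYOUT = [
    ("<boot>",        0,  b"BOOTSECTOR-DEMO!" * 2),
    ("/photo.jpg",    4,  b"\xff\xd8\xff\xe0JFIF-demo-photo-bytes--"),
    ("/notes.txt",    8,  b"meeting at noon\n"),
    ("/report.doc",   11, b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1report.doc-bytes"),
    ("<unallocated>", 14, b"deleted-remnant!"),        # remnant left behind in free space
]

def make_drive():
    """Assemble the constructed drive; every sector not listed in LAYOUT is zero."""
    img = bytearray(SECTOR * N_SECTORS)
    for _, ps, data in LAYOUT:
        img[ps * SECTOR: ps * SECTOR + len(data)] = data
    return bytes(img)

def capture(drive, targets):
    """Selective acquisition: copy each target's whole physical sectors (file slack
    included) into the .bag and record origin and hashes in an .index entry.
    targets = [(path, first_sector, logical_size_in_bytes), ...]"""
    index, bag = [], bytearray()
    for path, ps, fls in targets:
        fps = -(-fls // SECTOR) * SECTOR                  # round up to whole sectors
        data = drive[ps * SECTOR: ps * SECTOR + fps]
        index.append({"F": path, "LCN": ps - VOLUME_START, "PS": ps,
                      "Fls": fls, "Fps": fps, "BagOff": len(bag),
                      "Hmd5": hashlib.md5(data).hexdigest(),
                      "Hsha": hashlib.sha1(data).hexdigest()})
        bag += data
    return index, bytes(bag)

def index_file(index):
    """Serialise the .index file: one tab-separated line per entry, in INDEX_FORMAT order."""
    return "".join("\t".join(str(e[k]) for k in INDEX_FORMAT) + "\n" for e in index)

def tag_file(index, bag, mode, investigator="examiner"):
    """Write the .tag file: header (with mode and Index Format), one Evidence Unit
    with its index/bag hashes, and a footer carrying the tag's own hash."""
    body = ("[DEB Header]\nInvestigator=%s\nMode=%s\nIndexFormat=%s\n\n"
            "[Evidence Units]\nEU=01\nIndexHash=%s\nBagHash=%s\nContentType-Manual=%s\n\n"
            "[DEB Footer]\nEUCount=1\n"
            % (investigator, mode, " ".join(INDEX_FORMAT),
               hashlib.md5(index_file(index).encode()).hexdigest(),
               hashlib.md5(bag).hexdigest(), mode))
    return body + "TagHash=" + hashlib.md5(body.encode()).hexdigest() + "\n"

def verify_eu(tag, index, bag):
    """Re-hash the EU's .index and .bag and compare with what the .tag recorded."""
    fields = dict(line.split("=", 1) for line in tag.splitlines() if "=" in line)
    return (fields["IndexHash"] == hashlib.md5(index_file(index).encode()).hexdigest()
            and fields["BagHash"] == hashlib.md5(bag).hexdigest())

def restore(index, bag, size=SECTOR * N_SECTORS):
    """Slide 35 check: walk entries in ascending physical-sector order, verify each
    run against its index hash, and put it back at its original offset."""
    img = bytearray(size)
    for e in sorted(index, key=lambda e: e["PS"]):
        run = bag[e["BagOff"]: e["BagOff"] + e["Fps"]]
        if hashlib.md5(run).hexdigest() != e["Hmd5"]:
            raise ValueError("bag run for %s does not match its index hash" % e["F"])
        img[e["PS"] * SECTOR: e["PS"] * SECTOR + e["Fps"]] = run
    return bytes(img)

def ultimate_test(drive, index, bag):
    """True only if the restored image hashes identically to a bit-stream image."""
    return hashlib.sha256(restore(index, bag)).digest() == hashlib.sha256(drive).digest()

def demo():
    drive = make_drive()
    files = [(p, ps, len(d)) for p, ps, d in LAYOUT if p.startswith("/")]
    idx_files, bag_files = capture(drive, files)
    tag = tag_file(idx_files, bag_files, "manual")
    # Files only: origin is recorded, but the boot area and free space were never imaged,
    # so the restore cannot equal a bit-stream image.
    files_only = ultimate_test(drive, idx_files, bag_files)
    # Add the boot area and every unallocated run; now the container covers every sector.
    everything = files + [("<boot>", 0, 32), ("<free>", 2, 32), ("<free>", 6, 32),
                          ("<free>", 9, 32), ("<free>", 13, 48)]
    idx_all, bag_all = capture(drive, everything)
    return files_only, ultimate_test(drive, idx_all, bag_all), verify_eu(tag, idx_files, bag_files)
```

`demo()` returns `(False, True, True)`: the files-only DEB fails the test even though every captured run lands back in the right sector, because the boot area and the remnant in sector 14 were never acquired; once those runs are included, sorting by `PS` and replaying the `.bag` reproduces the drive exactly. The per-run hash check inside `restore` is what lets an examiner prove that a selective image is not merely complete in layout but also unchanged in content.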

  36. Conclusion
  Many options exist for the selective capture of information
  The container in which the captured information is stored is also important, in order to ensure:
  • A defined structure
  • Unhindered examination
  We can better understand the selective approach by following the techniques described

  37. References
  • P. Turner, "Selective and intelligent imaging using digital evidence bags", DFRWS 2006: http://www.dfrws.org/2006/proceedings/8-Turner.pdf

  38. THANK YOU
