research in next-generation digital forensics

Research in Next-Generation Digital Forensics

Golden G. Richard III, Ph.D.Associate Professor

Dept. of Computer Science golden@cs.uno.edu

http://www.cs.uno.edu/~golden

Digital Forensics Research Group

• Fall 2006:– Thursdays @ 1pm in NSSAL (Math 322)

• Primary Collaborators:– Vassil Roussev [UNO CS]– Vico Marziale [UNO Ph.D. student]– Frank Adelstein [ATC-NY]

Digital Forensics

Definition: “Tools and techniques to recover, preserve, and examine digital evidence on or transmitted by digital devices.”

Devices include computers, PDAs, cellular phones, videogame consoles, copy machines, printers, …

Examples of Digital Evidence• Threatening emails• Documents (e.g., in places they shouldn’t be)• Suicide notes• Bomb-making diagrams• Malicious Software

– Viruses– Worms– …

• Child pornography (contraband)• Evidence that network connections were made

between machines• Cell phone SMS messages

Facts (or: Why Digital Forensics?)

• Deleted files aren’t securely deleted– Recover deleted file + when it was deleted!

• Renaming files to avoid detection is pointless

• Formatting disks doesn’t delete much data• Web-based email can be (partially)

recovered directly from a computer• Files transferred over a network can be

reassembled and used as evidence

Facts (2)• Uninstalling applications is much more difficult than it

might appear…• “Volatile” data hangs around for a long time (even across

reboots)• Remnants from previously executed applications• Using encryption properly is difficult, because data isn’t

useful unless decrypted• Anti-forensics (privacy-enhancing) software is mostly

broken• “Big” magnets (generally) don’t work• Media mutilation (except in the extreme) doesn’t work• Basic enabler: Data is very hard to kill

Privacy Through Media Mutilation

degausser

or

orforensically-securefile deletion software(but make sure it works!)

or

Digital Forensics Process• Identification of potential digital evidence

– Where might the evidence be?– Which devices did the suspect use?

• Preservation and copying of evidence– On the crime scene…– First, stabilize evidence…prevent loss and contamination– If possible, make identical copies of evidence for

examination• Careful examination of evidence• Presentation

– “The FAT was fubared, but using a hex editor I changed the first byte of directory entry 13 from 0xEF to 0x08 to restore ‘HITLIST.DOC’…”

– “The suspect attempted to hide the Microsoft Word document ‘HITLIST.DOC’ but I was able to recover it without tampering with the file contents.”

• Legal: Balance of need to investigate vs. privacy

“Traditional” Digital Forensics

• Pull the plug• “Image” (make bit-perfect copies) of hard drives,

floppies, USB keys, etc.• Use forensics software to analyze copies of

drives• Investigator typically uses a single computer to

perform investigation in the lab• Present results to client, to officer-in-charge,

court

Traditional: Where’s the evidence?

• Undeleted files, expect some names to be incorrect• Deleted files• Windows registry• Print spool files• Hibernation files• Temp files (all those .TMP files!)• Slack space• Swap files• Browser caches• Alternate or “hidden” partitions• On a variety of removable media (floppies, ZIP,

Jazz, tapes, …)

But Evidence is Also…

• In RAM• “In” the network• On machine-critical machines

– Can’t turn off without severe disruption– Can’t turn them ALL off just to see!

• On huge storage devices– 1TB server: image entire machine and drag it

back to the lab to see if it’s interesting?– 10TB?

Next Generation: Needs• Broad:

– Better design, better software• Yes, some of it is engineering (and hacking)• Someone has to do it

– Better vision, application of ‘real’ CS to problems• More specific:

– Need for speed– Machine correlation– Machine profiling– Better auditing of investigative process– On-the-spot forensics: Triage– Live forensics– Network forensics– Specific tools for detection and remediation of malware– Phishing investigation– …

Next Generation: UNO

• Better file carving• Forensic-aware OS components• In-place file carving • Forensic accountability• On-the-spot forensics• Distributed digital forensics

File Carving: Basic Ideaone cluster

one sector

header, e.g., 0x474946e8e761(GIF)

unrelated disk blocks interesting file

footer, e.g., 0x003B(GIF)

“milestones”or “anti-milestones”

File Carving: Fragmentation

header, e.g., 0x474946e8e761(GIF)

footer, e.g., 0x003B(GIF)

“milestones”or “anti-milestones”

File Carving: Fragmentation

header, e.g., 0x474946e8e761(GIF)

footer, e.g., 0x003B(GIF)

File Carving: Damaged Files

header, e.g., 0x474946e8e761(GIF)

“milestones”or “anti-milestones”

No footer

File Carving: Doing a Better Job• Better design • Faster• Distributed implementation• More flexible description of file types• Automatic generation of type descriptions

– Patterns– Rule sets

• Multiple-pass carving– Carve, “remove” validated files from block list, re-

carve, hope that some fragmented files coalesce• Block-sniffing

File Carving: Block Sniffing

header, e.g., 0x474946e8e761(GIF)

Do these blocks “smell” right?

• N-gram analysis• entropy tests• parsing

Better Software: File Carving: Scalpel

• Two-pass design• Minimizes:

– Reads– Seeks– Writes– Data copying– Memory usage

• Doesn’t yet incorporate all of the carving wizardry we have in mind

G. G. Richard III, V. Roussev, "Scalpel: A Frugal, High Performance File Carver," Proceedings of the 2005 Digital Forensics Research Workshop (DFRWS 2005), New Orleans, LA.

Some Scalpel Results (1)

Big targets, large carve sizes, huge improvement (over 5 hours faster)

Tread + 238,270,750,000 bytes

Some Scalpel Results (2)

Big targets, large carve sizes, huge improvement (over 7 hours faster)

Tread + 117,622,357,936 bytes

OS Support for Digital Forensics

• Export raw disk devices across network for processing– Others: network block device (NBD)– Us: optimization

• “In-place” file carving– Us: Export results from file carving as a

filesystem, w/ minimal extra storage• Better auditing of investigative process

– Us: “digital evidence bag”-aware filesystems

FUSE (Filesystem in User Space)

user space

kernel space

LinuxVirtual File System

Interface(VFS)

C library

dd if=/evidence/DEC/img.dd of=copy.dd

read()

FUSE

ext3

reiserFS

C library

FUSE library

Filesystem Implementation

In-Place File Carving

preview databaseFUSE

scalpel_fs

client applications

nbd server

nbd client

networklocal drive

remote drive

G. G. Richard III, V. Roussev, V. Marziale, “In-Place File Carving,” submitted to the Third Annual IFIP WG 11.9 International Conference on Digital Forensics, 2007.

Scalpel

Better Auditing

Want: Digital Evidence Bags

See: P. Turner, “Unification of Digital Evidence from Disparate Sources (Digital Evidence Bags),” DFRWS 2005See: Common Digital Evidence Storage Format (CDESF) working group, http://www.dfrws.org/CDESF/.

Better Auditing (2)

DEC

(DEB, AFF,Gfzip …)

FDAM

dd scalpel FTK…

VFS Interface

TSK

EvidenceData

Audit Log

Import/Export

Applications(User space)

(Kernel)OperatingSystem

Block-levelData Access

FilesystemData Access

FDAM Block Device

G. G. Richard III, V. Roussev, "Toward Secure, Audited Processing of Digital Evidence: Filesystem Support for Digital Evidence Bags," Research Advances in Digital Forensics, Springer, 2006.

DigitalEvidenceContainer

Bluepipe: On the Spot Digital Forensics

Cu Bootable Bluepipe CD Removable media

Target

Bluetooth or 802.11dongle 3G/VPN

Remote investigator(s)

Handheld Bluepipe client

Y. Gao, G. G. Richard III, V. Roussev, “Bluepipe: An Architecture for On-the-Spot Digital Forensics,” International Journal of Digital Evidence (IJDE), 3(1), 2004.

Bluepipe Patterns

<BLUEPIPE NAME=”findcacti”> <!-- find illegal cacti pics using MD5 hash dictionary --> <DIR TARGET=”/pics/” /> <FINDFILE USEHASHES=TRUE LOCALDIR=”cactus” RECURSIVE=TRUE RETRIEVE=TRUE MSG="Found cactus %s with hash %h "> <FILE ID=3d1e79d11443498df78a1981652be454/> <FILE ID=6f5cd6182125fc4b9445aad18f412128/> <FILE ID=7de79a1ed753ac2980ee2f8e7afa5005/> <FILE ID=ab348734f7347a8a054aa2c774f7aae6/> <FILE ID=b57af575deef030baa709f5bf32ac1ed/> <FILE ID=7074c76fada0b4b419287ee28d705787/> <FILE ID=9de757840cc33d807307e1278f901d3a/> <FILE ID=b12fcf4144dc88cdb2927e91617842b0/> <FILE ID=e7183e5eec7d186f7b5d0ce38e7eaaad/> <FILE ID=808bac4a404911bf2facaa911651e051/> <FILE ID=fffbf594bbae2b3dd6af84e1af4be79c/> <FILE ID=b9776d04e384a10aef6d1c8258fdf054/> </FINDFILE> </BLUEPIPE>

Distributed Digital Forensics

V. Roussev, G. G. Richard III, "Breaking the Performance Wall: The Case for Distributed Digital Forensics,“ Proceedings of the 2004 Digital Forensics Research Workshop (DFRWS 2004), Baltimore, MD

750GB750GB

300GB 300GB

Distributed Digital Forensics• Scalable

– Want to support at least IMAGE SIZE / RAM_PER_NODE nodes• Platform independent

– Want to be able to incorporate any (reasonable) machine that’s available

• Lightweight– Horsepower is for forensics, not the framework—less fat

• Highly interactive• Extensible

– Allow incorporation of existing sequential tools– e.g., stegdetect, image thumbnailing, file classification, hashing,

…• Robust

– Must handle failed nodes smoothly

Distributed Digital Forensics (2)

SHUTDOWN STARTUP

CACHE

FETCH

JOIN / LEAVE

CANCEL / EXITHASH / GREP / COMMAND/ …

DONE / REPORT / ERROR

CoordinatorWorker Worker

Common Store

Local Store

LOAD

STORE

SHUTDOWN STARTUP

CACHE

FETCH

JOIN / LEAVE

CANCEL / EXITHASH / GREP / COMMAND/ …

DONE / REPORT / ERROR

CoordinatorWorker Worker

Common Store

Local Store

LOAD

STORE

Distributed Digital Forensics (3)

SCSIRAID: 504GBFile Server

CPU: 2x1.4GHz XeonRAM: 2GB

Switch96-port, 10/100/1000 Mb24 Gb Backplane

1Gb

NodeCPU: 2.4 GHz Pentium 4RAM: 1 GB

SCSIRAID: 504GBFile Server

CPU: 2x1.4GHz XeonRAM: 2GB

Switch96-port, 10/100/1000 Mb24 Gb Backplane

1Gb

NodeCPU: 2.4 GHz 4RAM: 1 GB

Beowulf [RIP], Slayer of Computer Criminals…

DDF: Results (1)

• Live string search:“Vassil Roussev”

• Regular expression search:

v[a-z]*i[a-z]*a[a-z]*g[a-z]*r[a-z]*a

Search time:String Expression

(mm:ss)

Search time:Regular Expression

(mm:ss)

FTK 08:27 41:508-node System 00:27 00:28

DDF: Results (2)• Stego detection using Stegdetect 0.5 under RH9 Linux

on the cluster• Traditional:

– 6GB image mounted using loopback device– find /mnt/loop –exec ./stegdetect ‘{}’ \;– 790 seconds == 13:10 minutes

• Using the distributed framework– Stegdetect 0.5 code incorporated into framework– Detection against cached files– “STEGO” command (after IMAGE/CACHE)– 82 seconds == 1:22 minutes

• 9.6X faster with 8 machines• CPU bound operation

DDF: To Do List

• User interface! (unless you love Putty)

DDF: To Do (2)• Case persistence• Secure support for overlapping cases• Better fault tolerance• Intelligent caching schemes to support larger

images• Collaboration with colleagues (you?) working in:

– Image analysis/classification– Speech recognition– More stego– Other CPU horsepower-intensive, forensics-

applicable stuff– We provide cycles…you provide…

Current: Live Forensics• Physical memory dumps

– Hard to do when adversarial OS is present– Via USB hacking?– Firewire proof of concept developed by Maximillian

Dornseif • Defeating process hiding techniques, e.g., FU

“rootkit”– Check OS components from many angles

• Remnants of applications (executed) past…– e.g., instant messenger fragments– e.g., recent invocations of process hiding– e.g., fingerprints of recently executed (or executing)

malware

Conclusion: Lots of Work To Do

• Benevolent hacking (engineering) meets science

• Desperately need methods for pipelining investigative process

• Live forensics critically important– volatile computing– whole disk encryption– hardware-based whole disk encryption!– nasty malware

Conclusion (2)• Arguably, almost any field in CS can collaborate

– All media handling needs work– Algorithms for dealing with huge, partially-organized

datasets– Attribution– Correlation– Profiling– Document similarity measures– Databases– High-performance computing– OS Internals

Random Bedside Reading…• http://www.dfrws.org (Digital Forensics Research Workshop)• http://www.ijde.org/ (International Journal of Digital Evidence)• F. Adelstein, “Live Forensics: Diagnosing Your System Without Killing it First,” Communications

of the ACM, February 2006.• M. A. Caloyannides, Privacy Protection and Computer Forensics, Second Edition, 2004.• B. Carrier, File System Forensic Analsis, Addison-Wesley, 2005.• B. Carrier, “Risks of Live Digital Forensics Analysis,” Communications of the ACM, February

2006. • E. Casey, Digital Evidence and Computer Crime, Academic Press, 2004.• J. Chow, B. Pfaff, T. Garfinkel, M. Rosenblum, “Shredding Your Garbage: Reducing Data

Lifetime Through Secure Deallocation,” 14th USENIX Security Symposium, 2005.• M. Geiger, “Evaluating Commercial Counter-Forensic Tools,” 5th Annual Digital Forensic

Research Workshop (DFRWS 2005), New Orleans, 2005. • G. G. Richard III, V. Roussev, "Next Generation Digital Forensics," Communications of the ACM,

February 2006. • G. G. Richard III, V. Roussev, “Digital Forensics Tools: The Next Generation,” invited chapter in

Digital Crime and Forensic Science in Cyberspace, IDEA Group Publishing, 2005.• A. Schuster, “Searching for Processes and Threads in Microsoft Windows Memory Dumps,” 6th

Annual Digital Forensic Research Workshop (DFRWS 2006), West Lafayette, IN, 2006. • S. Sparks, J. Butler, “Raising the Bar for Windows Rootkit Detection,” Phrack Issue # 63. • G. Hoglund, J. Butler, “Rootkits: Subverting the Windows Kernel,” Addison-Wesley, 2005.

Presentation available:http://www.cs.uno.edu/~golden/teach.html

golden@cs.uno.edu

Security Lab (NSSAL): Math 322

?